Bug 24421

Summary: CSS from STYLE tag is applied to page even when STYLE element is not in the document
Product: WebKit Reporter: Andrew Kulinich <b30r4>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: annevk
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
URL: http://ua.zapatec.net/~vanger/webkit-css-innerhtml-bug.html
Attachments:
Description Flags
example to reproduce an error
none
XSS none

Andrew Kulinich
Reported 2009-03-06 02:33:59 PST
I'm doing pre-parsing of HTML strings before dispaying them to page to cut off forbidden tags. To do this I'm creating element in the DOM but do not add it into main page to not affect page layout, assigning innerHTML to this string and after that processing new DOM tree to delete forbidden elements. After that I'm compressing element content into HTML string and inserting it into page. This works ok with all the browsers but in Webkit I got an error - if HTML string contains <STYLE> tag - CSS rules from that element are applied to main page even if temporary element is not in the main page DOM. See attached example.
Attachments
example to reproduce an error (376 bytes, text/html)
2009-03-06 02:35 PST, Andrew Kulinich 		no flags
Details
XSS (392 bytes, text/html)
2009-03-06 06:07 PST, Andrew Kulinich 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Andrew Kulinich
Comment 1 2009-03-06 02:35:30 PST
Created attachment 28354 [details] example to reproduce an error
Andrew Kulinich
Comment 2 2009-03-06 03:52:44 PST
Workaround - use createElementNS to create element in different namespace - in this case STYLE won't affect local document.
Andrew Kulinich
Comment 3 2009-03-06 04:32:53 PST
same problem with <LINK> element - for LINK rel="stylesheet" corresponding CSS file is loaded and applied to the page
Andrew Kulinich
Comment 4 2009-03-06 06:07:47 PST
Created attachment 28357 [details] XSS
Andrew Kulinich
Comment 5 2009-03-06 06:16:08 PST
attached new file - XSS attack using this bug.
Anne van Kesteren
Comment 6 2023-12-29 02:50:41 PST
This seems to be working fine today.
Note You need to log in before you can comment on or make changes to this bug.