Bug 24421

Summary: CSS from STYLE tag is applied to page even when STYLE element is not in the document
Product: WebKit Reporter: Andrew Kulinich <b30r4>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: annevk
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
URL: http://ua.zapatec.net/~vanger/webkit-css-innerhtml-bug.html
Attachments:
Description Flags
example to reproduce an error
none
XSS none

Description Andrew Kulinich 2009-03-06 02:33:59 PST
I'm doing pre-parsing of HTML strings before dispaying them to page to cut off forbidden tags. To do this I'm creating element in the DOM but do not add it into main page to not affect page layout, assigning innerHTML to this string and after that processing new DOM tree to delete forbidden elements. After that I'm compressing element content into HTML string and inserting it into page.
This works ok with all the browsers but in Webkit I got an error - if HTML string contains <STYLE> tag - CSS rules from that element are applied to main page even if temporary element is not in the main page DOM.
See attached example.
Comment 1 Andrew Kulinich 2009-03-06 02:35:30 PST
Created attachment 28354 [details]
example to reproduce an error
Comment 2 Andrew Kulinich 2009-03-06 03:52:44 PST
Workaround - use createElementNS to create element in different namespace - in this case STYLE won't affect local document.
Comment 3 Andrew Kulinich 2009-03-06 04:32:53 PST
same problem with <LINK> element - for LINK rel="stylesheet" corresponding CSS file is loaded and applied to the page
Comment 4 Andrew Kulinich 2009-03-06 06:07:47 PST
Created attachment 28357 [details]
XSS
Comment 5 Andrew Kulinich 2009-03-06 06:16:08 PST
attached new file - XSS attack using this bug.
Comment 6 Anne van Kesteren 2023-12-29 02:50:41 PST
This seems to be working fine today.