Bug 44209

Summary: write from <iframe onload> hits ASSERT
Product: WebKit
Reporter: Eric Seidel (no email) <eric>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: abarth, ap, ian, tonyg, yong.li.webkit
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

Eric Seidel (no email)
Reported 2010-08-18 15:42:47 PDT
write from <iframe onload> hits ASSERT

This passes in minefield:

FAIL<script>document.write('<iframe onload="document.write(\'PASS\')">');</script>

but ASSERTs in TOT.

We try to buffer a character token while we're still inside the StartTag state?

I don't believe this is security sensitive, but marking so for the moment just in case I'm missing something.
Eric Seidel (no email)
Comment 1 2010-08-18 15:44:18 PDT
Well, that's silly. You can mark it as security sensitive, but webkit-unassigned still gets a mail about it. This creates the wrong DOM, but does not cause any crashes in release. Removing the restriction.
Eric Seidel (no email)
Comment 2 2010-08-18 18:50:52 PDT
I'm not really sure how to fix this. It's evil that parsing an attribute can cause synchronous execution of javascript. I'm not sure what cases HTML5 expects to allow synchronous execution of javascript from an attribute parse (if any). I guess I'll have to check where the "insertion point" should be during attribute parse. I assume it should be exactly at the character we last tokenized.
Eric Seidel (no email)
Comment 3 2010-08-18 18:54:00 PDT
<iframe onload="document.write('PASS')"> is actually all that's required to reproduce this ASSERT.
Eric Seidel (no email)
Comment 4 2010-08-18 18:56:40 PDT
<iframe onload="document.write('PASS')"> shows nothing in minefield, btw. But the original test case still shows PASS.
Adam Barth
Comment 5 2010-08-18 21:43:11 PDT
It probably should blow away the document. It's run synchronously, but without a current insertion point. The script isn't write-neutralized, so the document should get blown away. However, I'd rather ignore the write.
Adam Barth
Comment 6 2010-08-18 21:43:53 PDT
Related test case (untested): <iframe src="javascript:parent.document.write('PASS')">
Eric Seidel (no email)
Comment 7 2010-08-18 22:27:54 PDT
(In reply to comment #6)
> Related test case (untested):
>
> <iframe src="javascript:parent.document.write('PASS')">

That "works" in minefield (shows PASS) but doesn't work in either the new or old parser.
Eric Seidel (no email)
Comment 8 2010-08-18 22:33:42 PDT
(In reply to comment #7)
> (In reply to comment #6)
> > Related test case (untested):
> >
> > <iframe src="javascript:parent.document.write('PASS')">
>
> That "works" in minefield (shows PASS) but doesn't work in either the new or old parser.

Never mind. It ASSERTs as expected in the new parser. I was just running the test wrong.
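A small reproduction harness for the three test cases above (the original report, comment 3 and comment 6), added here as an example; it is not an attachment to this bug and not one of WebKit's LayoutTests. It wraps the bare iframe case in sentinel content and a trailing check script so that whichever of the outcomes discussed in comment 5 a browser picks can be read off the page: if the synchronous document.write() implicitly calls document.open() and blows the document away, the parser never reaches the check script and the page shows only "PASS"; if the parser continues, the script reports whether "PASS" was inserted into the still-parsing DOM and where, or whether the write was ignored. The element ids, the verdict wording and the visibleText helper are inventions of this harness.

```html
<!DOCTYPE html>
<!-- Added reproduction harness for WebKit bug 44209; not from the bug or WebKit. -->
<html>
<head>
<meta charset="utf-8">
<title>document.write from a synchronous iframe load handler</title>
</head>
<body>
<p id="sentinel">sentinel: content parsed before the iframe</p>

<!-- Case A (comment 3): the load handler runs while the parser is still
     processing the iframe start tag, so the write has no insertion point. -->
<iframe onload="document.write('PASS')"></iframe>

<!-- Case B (comment 6): use this line instead of Case A. The write comes
     from the child frame's javascript: URL into the parent document. -->
<!-- <iframe src="javascript:parent.document.write('PASS')"></iframe> -->

<!-- Case C (original report): the iframe is itself emitted by an outer
     document.write() from a script that does have an insertion point. -->
<!-- <script>document.write('<iframe onload="document.write(\'PASS\')"></iframe>');</script> -->

<p id="after">after: content parsed after the iframe</p>

<script>
// This script only runs if the parser got here, i.e. the write above did NOT
// blow the document away. A page showing nothing but "PASS" means it did.
(function () {
  // Text of the subtree, skipping <script> bodies so the literal 'PASS'
  // in this script's own source is not mistaken for the written text.
  function visibleText(node) {
    if (node.nodeType === 3) return node.data;               // text node
    if (node.nodeType !== 1 || node.tagName === 'SCRIPT') return '';
    var s = '';
    for (var i = 0; i < node.childNodes.length; i++) s += visibleText(node.childNodes[i]);
    return s;
  }

  // Locate the text node holding the written marker, if any, so the report
  // can say where in the tree the write landed ("creates the wrong DOM").
  function findMarkerNode(node) {
    if (node.nodeType === 3) return node.data.indexOf('PASS') !== -1 ? node : null;
    if (node.nodeType !== 1 || node.tagName === 'SCRIPT') return null;
    for (var i = 0; i < node.childNodes.length; i++) {
      var hit = findMarkerNode(node.childNodes[i]);
      if (hit) return hit;
    }
    return null;
  }

  var sentinel = document.getElementById('sentinel');
  var marker = findMarkerNode(document.body);
  var verdict;
  if (sentinel && marker) {
    var prev = marker.previousSibling;
    verdict = 'write INSERTED into the still-parsing document; marker parent <' +
              marker.parentNode.tagName.toLowerCase() + '>, previous sibling ' +
              (prev ? '<' + (prev.tagName || '#text').toLowerCase() + '>' : 'none') +
              ' (the minefield behaviour described in the report)';
  } else if (sentinel && !marker) {
    verdict = 'write IGNORED (the outcome preferred in comment 5)';
  } else {
    verdict = 'unexpected: sentinel missing but the parser continued';
  }

  var out = document.createElement('pre');
  out.id = 'verdict';
  out.textContent = 'verdict: ' + verdict + '\n' +
                    'visible body text: ' + JSON.stringify(visibleText(document.body).replace(/\s+/g, ' ').trim());
  document.body.appendChild(out);
})();
</script>
</body>
</html>
```

Load the file directly (file:// is fine) and read the pre#verdict block; to try cases B or C, comment out the Case A line and uncomment the one you want. For Case B the write comes from the child frame's javascript: URL, so a browser that blocks javascript: URLs in iframe src or runs them asynchronously will also report "write IGNORED"; that reflects the child's scheduling, not the parent's insertion-point handling, and should be confirmed in the console before drawing a conclusion.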
Eric Seidel (no email)
Comment 9 2010-08-21 09:49:07 PDT
*** Bug 44381 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 10 2011-01-05 10:59:04 PST
Does this still happen?