Bug 24421 - CSS from STYLE tag is applied to page even when STYLE element is not in the document
Summary: CSS from STYLE tag is applied to page even when STYLE element is not in the d...
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P2 Normal
Assignee: Nobody
URL: http://ua.zapatec.net/~vanger/webkit-...
Depends on:
Reported: 2009-03-06 02:33 PST by Andrew Kulinich
Modified: 2009-03-06 06:16 PST (History)
0 users

See Also:

example to reproduce an error (376 bytes, text/html)
2009-03-06 02:35 PST, Andrew Kulinich
no flags Details
XSS (392 bytes, text/html)
2009-03-06 06:07 PST, Andrew Kulinich
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Kulinich 2009-03-06 02:33:59 PST
I'm doing pre-parsing of HTML strings before dispaying them to page to cut off forbidden tags. To do this I'm creating element in the DOM but do not add it into main page to not affect page layout, assigning innerHTML to this string and after that processing new DOM tree to delete forbidden elements. After that I'm compressing element content into HTML string and inserting it into page.
This works ok with all the browsers but in Webkit I got an error - if HTML string contains <STYLE> tag - CSS rules from that element are applied to main page even if temporary element is not in the main page DOM.
See attached example.
Comment 1 Andrew Kulinich 2009-03-06 02:35:30 PST
Created attachment 28354 [details]
example to reproduce an error
Comment 2 Andrew Kulinich 2009-03-06 03:52:44 PST
Workaround - use createElementNS to create element in different namespace - in this case STYLE won't affect local document.
Comment 3 Andrew Kulinich 2009-03-06 04:32:53 PST
same problem with <LINK> element - for LINK rel="stylesheet" corresponding CSS file is loaded and applied to the page
Comment 4 Andrew Kulinich 2009-03-06 06:07:47 PST
Created attachment 28357 [details]
Comment 5 Andrew Kulinich 2009-03-06 06:16:08 PST
attached new file - XSS attack using this bug.