RESOLVED FIXED Bug 272678
Handling stale index value in Element setAttribute() API due to the call of getTrustedTypesCompliantAttributeValue()
https://bugs.webkit.org/show_bug.cgi?id=272678
zsun
Reported 2024-04-15 07:44:09 PDT
With the change at https://github.com/WebKit/WebKit/pull/26519, it calls getTrustedTypesCompliantAttributeValue in the Element setAttribute() API. getTrustedTypesCompliantAttributeValue can result in JS execution, which may mutate the attributes of the element and make the index value used in this function stale.
Attachments
bug.html (424 bytes, text/html)
2024-04-15 07:47 PDT, zsun
no flags
zsun
Comment 1 2024-04-15 07:47:28 PDT
Created attachment 470925: bug.html
The attached test file should result in the "srcdoc" being the string "alert(1)". It results in onmouseover="alert(1)" instead.
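The stale-index pattern described in this report, as an added toy model in C++ that is not WebKit code and not part of the bug report: an index is looked up, a hook that can mutate the attribute list runs, and the old index is then used to store the value. `ToyElement`, `valueHook`, `makeSample` and the `data-a`/`data-b` attributes are hypothetical names, and the hook removing the attribute being set is one constructed mutation chosen for the model.

```cpp
// Toy model added for illustration; not WebKit source. All names are hypothetical.
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>
constexpr std::size_t notFound = static_cast<std::size_t>(-1);

struct ToyElement {
    std::vector<std::pair<std::string, std::string>> attrs;
    // Assumption: stands in for a value check that can run script and mutate attrs.
    std::function<std::string(ToyElement&, const std::string&)> valueHook;
    std::size_t findIndex(const std::string& name) const {
        for (std::size_t i = 0; i < attrs.size(); ++i)
            if (attrs[i].first == name) return i;
        return notFound;
    }
    std::string get(const std::string& name) const {
        std::size_t i = findIndex(name);
        return i == notFound ? std::string() : attrs[i].second;
    }
    void store(std::size_t index, const std::string& name, const std::string& value) {
        if (index >= attrs.size()) attrs.emplace_back(name, value); // also covers notFound
        else attrs[index].second = value;
    }
    // Stale pattern: the index is computed before the hook and used after it.
    void setAttributeStale(const std::string& name, const std::string& value) {
        std::size_t index = findIndex(name);
        std::string checked = valueHook(*this, value);
        store(index, name, checked);
    }
    // Corrected pattern: run the hook first, then look the index up.
    void setAttributeFresh(const std::string& name, const std::string& value) {
        std::string checked = valueHook(*this, value);
        store(findIndex(name), name, checked);
    }
};
// Constructed scenario: the hook removes data-a (index 0), the attribute being set.
ToyElement makeSample() {
    ToyElement e;
    e.attrs = {{"data-a", "old"}, {"data-b", "untouched"}};
    e.valueHook = [](ToyElement& el, const std::string& v) { el.attrs.erase(el.attrs.begin()); return v; };
    return e;
}
int main() {
    ToyElement stale = makeSample(), fresh = makeSample();
    stale.setAttributeStale("data-a", "new");  // value lands on data-b
    fresh.setAttributeFresh("data-a", "new");  // value lands on data-a
    return (stale.get("data-b") == "new" && fresh.get("data-a") == "new") ? 0 : 1;
}
```

In the stale variant the value is written to whichever attribute now occupies the old slot; looking the index up only after the hook returns keeps the write on the named attribute.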
Radar WebKit Bug Importer
Comment 2 2024-04-22 08:53:38 PDT
zsun
Comment 3 2024-05-16 06:05:46 PDT