30982 – createHTMLDocument doesn't escape ampersand and less-than in title

Bug 30982 - createHTMLDocument doesn't escape ampersand and less-than in title

Summary: createHTMLDocument doesn't escape ampersand and less-than in title

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC All

Importance:	P2 Normal
Assignee:	Alexey Proskuryakov

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-10-31 14:23 PDT by nanto_vi (TOYAMA Nao)
Modified:	2009-11-01 12:05 PST (History)
CC List:	0 users

See Also:

Attachments
proposed fix (3.57 KB, patch) 2009-10-31 21:43 PDT, Alexey Proskuryakov	sullivan: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description nanto_vi (TOYAMA Nao) 2009-10-31 14:23:51 PDT

|document.implementation.createHTMLDocument(title)| wrongly parses the value of the title parameter as a part of HTML source, violating both old DOM2 HTML CR [1] and HTML5 [2].

[1] http://www.w3.org/TR/2002/CR-DOM-Level-2-HTML-20020605/html.html#HTML-DOM-createHTMLDocument
[2] http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-domhtmlimplementation-createhtmldocument

Steps to reproduce: Execute the following JavaScript code:
javascript:alert(document.implementation.createHTMLDocument('foo</title>').title);

Expected result: foo</title>
Actual result: foo

Confirmed on WebKit-r50095.

Comment 1 Alexey Proskuryakov 2009-10-31 21:43:56 PDT

Created attachment 42269 [details]
proposed fix

Comment 2 Alexey Proskuryakov 2009-11-01 12:05:30 PST

Committed <http://trac.webkit.org/changeset/50389>.