Bug 37024 - Implement value sanitization algorithms
Summary: Implement value sanitization algorithms
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL: http://www.whatwg.org/specs/web-apps/...
Keywords: InRadar
Depends on: 43973 57737 59951 61273 62061 76893
Blocks: HTML5Forms
Reported: 2010-04-02 08:16 PDT by Kent Tamura
Modified: 2012-10-18 21:47 PDT

Description Kent Tamura 2010-04-02 08:16:39 PDT
Quotes from the spec:

* text, search, tel, url, email, password
The value sanitization algorithm is as follows: Strip line breaks from the value.

* datetime
The value sanitization algorithm is as follows: If the value of the element is a valid global date and time string, then adjust the time so that the value represents the same point in time but expressed in the UTC time zone, otherwise, set it to the empty string instead.

* date
The value sanitization algorithm is as follows: If the value of the element is not a valid date string, then set it to the empty string instead.

* month
The value sanitization algorithm is as follows: If the value of the element is not a valid month string, then set it to the empty string instead.

* week
The value sanitization algorithm is as follows: If the value of the element is not a valid week string, then set it to the empty string instead.

* time
The value sanitization algorithm is as follows: If the value of the element is not a valid time string, then set it to the empty string instead.

* datetime-local
The value sanitization algorithm is as follows: If the value of the element is not a valid local date and time string, then set it to the empty string instead.

* number
The value sanitization algorithm is as follows: If the value of the element is not a valid floating point number, then set it to the empty string instead.

* range
The value sanitization algorithm is as follows: If the value of the element is not a valid floating point number, then set it to a valid floating point number that represents the default value.

* color
The value sanitization algorithm is as follows: If the value of the element is a valid simple color, then set it to the value of the element converted to ASCII lowercase; otherwise, set it to the string "#000000".
Comment 1 Joseph Pecoraro 2011-05-02 10:03:39 PDT
If we add value sanitization for date types, for example:

  input.type = "date";
  input.value = "test";
  assert(input.value === "")

Then all of the ValidityState tests for the date types will
need to be updated as well. Would there be a way for users
to get into an invalid state?
Comment 2 Andy Estes 2011-05-17 15:12:20 PDT
<rdar://problem/9456107>
Comment 3 Alexey Proskuryakov 2011-05-21 23:39:57 PDT
HTML5 parser relies on value sanitization for correct behavior in this case:

<input type="text" placeholder="foo" value="
">

In Safari 5, the placeholder is displayed, and that's correct per HTML5. But it doesn't work in ToT - and besides, the linefeed appears as whitespace in initial value, which users are unlikely to notice when typing.
Comment 4 Eric Seidel (no email) 2011-05-23 21:34:05 PDT
(In reply to comment #3)
> HTML5 parser relies on value sanitization for correct behavior in this case:
> 
> <input type="text" placeholder="foo" value="
> ">
> 
> In Safari 5, the placeholder is displayed, and that's correct per HTML5. But it doesn't work in ToT - and besides, the linefeed appears as whitespace in initial value, which users are unlikely to notice when typing.

InputStreamPreprocessor is responsible for dealing with whitespace:
http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/HTMLTokenizer.h#L176

But may not apply to this case. This may simply be bugs in HTMLInputElement::parseMappedAttribute.
Comment 5 Alexey Proskuryakov 2011-06-03 14:53:16 PDT
In Firefox 4, input.value is empty in my example, while input.getAttribute("value") is LF. So if it is to be trusted, it's not the job of InputStreamPreprocessor.
Comment 6 Alexey Proskuryakov 2011-06-03 15:47:18 PDT
Filed bug 62061 for the issue with inputs.
Comment 7 Eric Seidel (no email) 2012-01-20 19:27:05 PST
It seems we have most of these, but some of these elements are disabled on trunk. Curious if we still want this bug open?
Comment 8 Kent Tamura 2012-01-23 20:44:09 PST
It seems sanitization of type=datetime is still incorrect.
Comment 9 Kent Tamura 2012-10-18 21:47:47 PDT
Completed.
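
Added example, not part of the bug thread and not WebKit's code: a JavaScript sketch of the sanitization algorithms quoted in the description for the text-like, date, month, number, range and color types, including the `value="<LF>"` case from comments 3 and 5. The function names, the simplified validity checks (following the HTML Standard's date and floating-point microsyntaxes) and the range defaults min=0, max=100 are assumptions of this sketch.

```javascript
// Illustrative names (sanitizeValue, isValidDateString, ...) are hypothetical,
// not identifiers from WebCore. Only a subset of the quoted types is covered.
const TEXT_LIKE = new Set(["text", "search", "tel", "url", "email", "password"]);
const FLOAT_RE = /^-?(\d+(\.\d+)?|\.\d+)([eE][-+]?\d+)?$/; // valid floating point number
const COLOR_RE = /^#[0-9a-fA-F]{6}$/;                      // valid simple color

function daysInMonth(year, month) {
  if (month === 2) {
    const leap = (year % 4 === 0 && year % 100 !== 0) || year % 400 === 0;
    return leap ? 29 : 28;
  }
  return [4, 6, 9, 11].includes(month) ? 30 : 31;
}

function isValidMonthString(s) {
  // YYYY-MM with a year of at least four digits, year > 0, month 01..12.
  const m = /^(\d{4,})-(\d{2})$/.exec(s);
  return m !== null && Number(m[1]) > 0 && Number(m[2]) >= 1 && Number(m[2]) <= 12;
}

function isValidDateString(s) {
  // A valid month string followed by "-DD", with DD a real day of that month.
  const m = /^(\d{4,}-\d{2})-(\d{2})$/.exec(s);
  if (m === null || !isValidMonthString(m[1])) return false;
  const [year, month] = m[1].split("-").map(Number);
  const day = Number(m[2]);
  return day >= 1 && day <= daysInMonth(year, month);
}

// Returns what input.value should read back as. The content attribute is left
// alone, which matches comment 5: getAttribute("value") keeps the LF.
function sanitizeValue(type, value, { min = 0, max = 100 } = {}) {
  if (TEXT_LIKE.has(type)) return value.replace(/[\r\n]/g, ""); // strip line breaks
  switch (type) {
    case "date": return isValidDateString(value) ? value : "";
    case "month": return isValidMonthString(value) ? value : "";
    case "number": return FLOAT_RE.test(value) ? value : "";
    case "range": // assumed default value: midpoint of min..max, or min when max < min
      return FLOAT_RE.test(value) ? value : String(max < min ? min : min + (max - min) / 2);
    case "color": return COLOR_RE.test(value) ? value.toLowerCase() : "#000000";
    default: return value; // no algorithm implemented for this type in the sketch
  }
}

// Constructed sample: the markup from comment 3 has value="<LF>"; after
// sanitization the value is empty, so the placeholder can be shown.
console.log(JSON.stringify(sanitizeValue("text", "\n")));
```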