RESOLVED FIXED 45565
URIs in styles created via innerHTML are not resolved against the document's base URI
https://bugs.webkit.org/show_bug.cgi?id=45565
Mihai Parparita
Reported 2010-09-10 14:24:32 PDT
URIs in styles created via innerHTML are not resolved against the document's base URI
Attachments
Patch (4.49 KB, patch)
2010-09-10 14:27 PDT, Mihai Parparita
no flags
Patch (10.20 KB, patch)
2010-09-10 16:13 PDT, Mihai Parparita
no flags
Mihai Parparita
Comment 1 2010-09-10 14:27:03 PDT
Mihai Parparita
Comment 2 2010-09-10 14:29:38 PDT
Note that this only affects Chromium right now since GoogleURL canonicalizes after resolving (previously against an empty URL), while KURL leaves the partial URL alone, so it would get re-resolved correctly once the nodes were moved from the fragment's dummy document into the real document.
Mihai Parparita
Comment 3 2010-09-10 14:32:03 PDT
Adam, can you review this?
Adam Barth
Comment 4 2010-09-10 14:40:39 PDT
Comment on attachment 67241 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=67241&action=prettypatch

> WebCore/html/parser/HTMLTreeBuilder.cpp:405
> - : m_dummyDocumentForFragmentParsing(HTMLDocument::create(0, KURL()))
> + : m_dummyDocumentForFragmentParsing(HTMLDocument::create(0, fragment->document()->baseURI()))

You don't want to set the URL of the dummy document to the baseURL. That's a potential security vulnerability (since the base URL can be anything the document wants). It's probably harmless right now, but it's pretty dangerous. Instead, we want to set the baseURL of the m_dummyDocumentForFragmentParsing after we construct it.
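Review bot: at HTMLTreeBuilder.cpp:405, `HTMLDocument::create(0, fragment->document()->baseURI())` makes the base URI the dummy document's URL instead of only its base for resolving relative references; because a page can set its base URI to any value, everything derived from the document URL would then follow an author-chosen value. Keep the document URL as `KURL()` and hand the base URI to the dummy document separately (a dedicated constructor parameter, given that no base-URI setter is exposed).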
Mihai Parparita
Comment 5 2010-09-10 16:13:32 PDT
Mihai Parparita
Comment 6 2010-09-10 16:14:36 PDT
(In reply to comment #4)
> You don't want to set the URL of the dummy document to the baseURL. That's a potential security vulnerability (since the base URL can be anything the document wants). It's probably harmless right now, but it's pretty dangerous. Instead, we want to set the baseURL of the m_dummyDocumentForFragmentParsing after we construct it.

As discussed over IRC, no setter for the baseURI is exposed (and we probably don't want to have one). Added a baseURI constructor parameter to (HTML)Document instead.
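To make the distinction in comments 2, 4 and 6 concrete, here is an added JavaScript model of the two resolution contexts; it is not WebKit code, and the document objects, URLs and function names are constructed for this example. It resolves a relative url() reference from a <style> block against the document's effective base URI (including a <base href> override) and shows why the dummy document used for fragment parsing must keep an empty URL: if the base URI were used as the document URL, the dummy document's origin would follow an author-chosen value rather than the page's own.

```javascript
// Added example (not WebKit code): a small model of how a document's base URI
// and document URL should be kept apart when a fragment is parsed for innerHTML.
// All URLs, object shapes and function names below are constructed for illustration.

// The effective base URI: the document URL unless a <base href> overrides it.
// As in HTML, the <base href> value is itself resolved against the document URL.
function effectiveBaseURI(documentURL, baseHref) {
  if (baseHref === undefined || baseHref === null) return documentURL;
  return new URL(baseHref, documentURL).href;
}

// Resolve a url(...) reference from a <style> block against the given base URI.
function resolveStyleURL(ref, baseURI) {
  return new URL(ref, baseURI).href;
}

// Origin derived from a document URL; an empty URL yields an opaque origin,
// written "null" as the platform serialises it.
function originOf(documentURL) {
  if (documentURL === "") return "null";
  return new URL(documentURL).origin;
}

// The approach rejected in comment 4: the dummy document takes the real
// document's base URI as its own URL, so its origin follows that base URI.
function fragmentDocumentUnsafe(realDoc) {
  const baseURI = effectiveBaseURI(realDoc.url, realDoc.baseHref);
  return { url: baseURI, baseURI, origin: originOf(baseURI) };
}

// The approach that landed: the dummy document keeps an empty URL and gets
// the base URI separately, so relative url() references resolve correctly
// while nothing security-relevant is derived from an author-chosen value.
function fragmentDocumentFixed(realDoc) {
  const baseURI = effectiveBaseURI(realDoc.url, realDoc.baseHref);
  return { url: "", baseURI, origin: originOf("") };
}

// Constructed scenario: a page whose <base href> points at a different
// origin than the page itself (anything the document wants, per comment 4).
const realDoc = {
  url: "https://app.example/page/index.html",
  baseHref: "https://cdn.other.example/assets/",
};

function demo() {
  const unsafe = fragmentDocumentUnsafe(realDoc);
  const fixed = fragmentDocumentFixed(realDoc);
  return {
    // Relative url() in an innerHTML <style> resolved against the real base URI.
    styleURL: resolveStyleURL("img/bg.png", fixed.baseURI),
    // Origin the dummy document would have under each approach.
    unsafeOrigin: unsafe.origin,
    fixedOrigin: fixed.origin,
    // Origin of the real document, for comparison.
    realOrigin: originOf(realDoc.url),
  };
}

console.log(demo());
```

With the constructed page above, the url() reference resolves to the CDN path under both approaches; the difference is that the unsafe variant also gives the dummy document the CDN's origin, while the fixed variant leaves it opaque.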
Adam Barth
Comment 7 2010-09-10 16:16:38 PDT
Comment on attachment 67256 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=67256&action=prettypatch

> WebCore/html/HTMLElement.cpp:-272
> -static bool useLegacyTreeBuilder(Document*)
> -{
> - return false;
> -}

This patch is good, but it should be separate.
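Review bot: the deletion of `useLegacyTreeBuilder` in HTMLElement.cpp is unrelated dead-code cleanup and should land as its own patch, so the base-URI fix in HTMLTreeBuilder.cpp can be reviewed, bisected and reverted on its own.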
WebKit Commit Bot
Comment 8 2010-09-11 02:00:20 PDT
Comment on attachment 67256 [details] Patch
Clearing flags on attachment: 67256
Committed r67292: <http://trac.webkit.org/changeset/67292>
WebKit Commit Bot
Comment 9 2010-09-11 02:00:25 PDT
All reviewed patches have been landed. Closing bug.