WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
62412
<script> inside <svg> should be executed
https://bugs.webkit.org/show_bug.cgi?id=62412
Summary
<script> inside <svg> should be executed
James Simonsen
Reported
2011-06-09 16:41:28 PDT
According to the HTML5 spec, SVG <script> elements inside foreign content mode should be executed. Right now, we just have a notImplemented() in HTMLTreeBuilder there. We should fix that. Here's an example that doesn't work: <svg> <g> <rect id="test"> <script> alert(1); document.body.innerHTML = "PASS"; </script> </rect> </g> </svg>
Attachments
Patch
(6.66 KB, patch)
2011-06-10 15:16 PDT
,
James Simonsen
no flags
Details
Formatted Diff
Diff
Patch
(8.50 KB, patch)
2011-06-10 15:26 PDT
,
James Simonsen
no flags
Details
Formatted Diff
Diff
Patch
(10.24 KB, patch)
2011-06-10 15:37 PDT
,
James Simonsen
no flags
Details
Formatted Diff
Diff
Patch
(10.24 KB, patch)
2011-06-10 15:58 PDT
,
James Simonsen
no flags
Details
Formatted Diff
Diff
Archive of layout-test-results from ec2-cr-linux-03
(1.25 MB, application/zip)
2011-06-10 16:18 PDT
,
WebKit Review Bot
no flags
Details
Patch
(12.50 KB, patch)
2011-06-10 17:52 PDT
,
James Simonsen
no flags
Details
Formatted Diff
Diff
Show Obsolete
(4)
View All
Add attachment
proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1
2011-06-09 22:48:01 PDT
Doh! Seems like it should be a pretty easy fix.
Tony Gentilcore
Comment 2
2011-06-10 10:19:02 PDT
There are 7 other notImplemented()s in HTMLTreeBuilder, we should probably go through and assess whether any need to be taken care of.
James Simonsen
Comment 3
2011-06-10 15:16:11 PDT
Created
attachment 96799
[details]
Patch
Abhishek Arya
Comment 4
2011-06-10 15:23:12 PDT
you might have to rebaseline the test that i added - svg/dom/use-style-recalc-script-execute-crash.html
James Simonsen
Comment 5
2011-06-10 15:26:10 PDT
Created
attachment 96804
[details]
Patch
James Simonsen
Comment 6
2011-06-10 15:27:54 PDT
(In reply to
comment #4
)
> you might have to rebaseline the test that i added - svg/dom/use-style-recalc-script-execute-crash.html
Good point. I was running out of a chrome tree and we haven't rolled to the revision that has that. I'll sync with head, rebaseline, and upload a third patch.
Adam Barth
Comment 7
2011-06-10 15:34:34 PDT
Comment on
attachment 96804
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=96804&action=review
> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > + m_tree.openElements()->pop(); > + m_isPaused = true; > + m_scriptToProcess = m_tree.currentElement();
I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()...
Eric Seidel (no email)
Comment 8
2011-06-10 15:37:44 PDT
The relevant spec:
http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#scriptForeignEndTag
An end tag whose tag name is "script", if the current node is a script element in the SVG namespace Pop the current node off the stack of open elements. Let the old insertion point have the same value as the current insertion point. Let the insertion point be just before the next input character. Increment the parser's script nesting level by one. Set the parser pause flag to true. Process the script element according to the SVG rules, if the user agent supports SVG. [SVG] Even if this causes new characters to be inserted into the tokenizer, the parser will not be executed reentrantly, since the parser pause flag is true. Decrement the parser's script nesting level by one. If the parser's script nesting level is zero, then set the parser pause flag to false. Let the insertion point have the value of the old insertion point. (In other words, restore the insertion point to its previous value. This value might be the "undefined" value.)
James Simonsen
Comment 9
2011-06-10 15:37:51 PDT
Created
attachment 96807
[details]
Patch
Eric Seidel (no email)
Comment 10
2011-06-10 15:39:45 PDT
Comment on
attachment 96804
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=96804&action=review
>> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 >> + m_scriptToProcess = m_tree.currentElement(); > > I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()...
I'm surprised this works, actually...
Eric Seidel (no email)
Comment 11
2011-06-10 15:40:42 PDT
Comment on
attachment 96807
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=96807&action=review
> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > + m_scriptToProcess = m_tree.currentElement();
Are we sure this ends up as the script tag?
James Simonsen
Comment 12
2011-06-10 15:45:12 PDT
(In reply to
comment #7
)
> (From update of
attachment 96804
[details]
) > View in context:
https://bugs.webkit.org/attachment.cgi?id=96804&action=review
> > > Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > > + m_tree.openElements()->pop(); > > + m_isPaused = true; > > + m_scriptToProcess = m_tree.currentElement(); > > I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()...
Hrm. Yeah. I wonder how it worked while baselining these tests. Anyway, once my build is done, I'll upload a new one (and include an ASSERT). (In reply to
comment #8
)
> The relevant spec: >
http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#scriptForeignEndTag
> > An end tag whose tag name is "script", if the current node is a script element in the SVG namespace > Pop the current node off the stack of open elements. > > Let the old insertion point have the same value as the current insertion point. Let the insertion point be just before the next input character. > > Increment the parser's script nesting level by one. Set the parser pause flag to true. > > Process the script element according to the SVG rules, if the user agent supports SVG. [SVG] > > Even if this causes new characters to be inserted into the tokenizer, the parser will not be executed reentrantly, since the parser pause flag is true. > > Decrement the parser's script nesting level by one. If the parser's script nesting level is zero, then set the parser pause flag to false. > > Let the insertion point have the value of the old insertion point. (In other words, restore the insertion point to its previous value. This value might be the "undefined" value.)
FYI, most of this is done by HTMLDocumentParser and HTMLScriptRunner.
James Simonsen
Comment 13
2011-06-10 15:58:09 PDT
Created
attachment 96814
[details]
Patch
James Simonsen
Comment 14
2011-06-10 16:00:13 PDT
I guess the asserts are already covered if you follow the existing code paths, so this patch just fixes the order.
WebKit Review Bot
Comment 15
2011-06-10 16:18:42 PDT
Comment on
attachment 96814
[details]
Patch
Attachment 96814
[details]
did not pass chromium-ews (chromium-xvfb): Output:
http://queues.webkit.org/results/8826538
New failing tests: svg/dom/range-delete.html html5lib/runner.html
WebKit Review Bot
Comment 16
2011-06-10 16:18:47 PDT
Created
attachment 96820
[details]
Archive of layout-test-results from ec2-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: ec2-cr-linux-03 Port: Chromium Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
James Simonsen
Comment 17
2011-06-10 16:35:32 PDT
(In reply to
comment #15
)
> (From update of
attachment 96814
[details]
) >
Attachment 96814
[details]
did not pass chromium-ews (chromium-xvfb): > Output:
http://queues.webkit.org/results/8826538
> > New failing tests: > svg/dom/range-delete.html
This test wasn't doing what was expected. It was the cloned node that executed and deleted everything. Now the original executes and destroys everything before it can be cloned. Do you think it's still relevant? If so, I can rewrite it without SVG <script> and (hopefully) have it exercise the same code path.
> html5lib/runner.html
This just needs to be rebaselined. We pass another test. Yay.
Eric Seidel (no email)
Comment 18
2011-06-10 17:46:00 PDT
Tom wrote the test.
Eric Seidel (no email)
Comment 19
2011-06-10 17:47:31 PDT
I suspect we can just delete the test from the security bug, as invalid. And update the html-parser test results. Please upload a new patch. :)
James Simonsen
Comment 20
2011-06-10 17:52:49 PDT
Created
attachment 96829
[details]
Patch
Eric Seidel (no email)
Comment 21
2011-06-10 17:54:06 PDT
Comment on
attachment 96829
[details]
Patch LGTM.
WebKit Review Bot
Comment 22
2011-06-10 18:08:21 PDT
Comment on
attachment 96829
[details]
Patch Clearing flags on attachment: 96829 Committed
r88584
: <
http://trac.webkit.org/changeset/88584
>
WebKit Review Bot
Comment 23
2011-06-10 18:08:29 PDT
All reviewed patches have been landed. Closing bug.
James Simonsen
Comment 24
2011-06-10 18:56:42 PDT
Committed
r88586
: <
http://trac.webkit.org/changeset/88586
>
Ryosuke Niwa
Comment 25
2011-06-10 23:02:33 PDT
This patch may have caused crashes on Snow Leopard Debug builds:
http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html
Tony Gentilcore
Comment 26
2011-06-12 09:23:17 PDT
I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here:
http://trac.webkit.org/changeset/88549
James Simonsen
Comment 27
2011-06-13 11:50:41 PDT
(In reply to
comment #25
)
> This patch may have caused crashes on Snow Leopard Debug builds: >
http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html
It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. (In reply to
comment #26
)
> I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: >
http://trac.webkit.org/changeset/88549
Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit.
David Kilzer (:ddkilzer)
Comment 28
2011-06-27 09:04:02 PDT
<
rdar://problem/9681133
>
David Kilzer (:ddkilzer)
Comment 29
2011-07-08 13:29:57 PDT
(In reply to
comment #27
)
> (In reply to
comment #25
) > > This patch may have caused crashes on Snow Leopard Debug builds: > >
http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html
> > It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. > > (In reply to
comment #26
) > > I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: > >
http://trac.webkit.org/changeset/88549
> > Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit.
Is it done baking yet? :)
James Simonsen
Comment 30
2011-07-12 18:49:03 PDT
(In reply to
comment #29
)
> (In reply to
comment #27
) > > (In reply to
comment #25
) > > > This patch may have caused crashes on Snow Leopard Debug builds: > > >
http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html
> > > > It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. > > > > (In reply to
comment #26
) > > > I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: > > >
http://trac.webkit.org/changeset/88549
> > > > Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit. > > Is it done baking yet? :)
Yep. Thanks for the reminder. :)
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug