RESOLVED FIXED 62412
<script> inside <svg> should be executed
https://bugs.webkit.org/show_bug.cgi?id=62412
Summary <script> inside <svg> should be executed
James Simonsen
Reported 2011-06-09 16:41:28 PDT
According to the HTML5 spec, SVG <script> elements inside foreign content mode should be executed. Right now, we just have a notImplemented() in HTMLTreeBuilder there. We should fix that. Here's an example that doesn't work: <svg> <g> <rect id="test"> <script> alert(1); document.body.innerHTML = "PASS"; </script> </rect> </g> </svg>
Attachments
Patch (6.66 KB, patch)
2011-06-10 15:16 PDT, James Simonsen
no flags
Patch (8.50 KB, patch)
2011-06-10 15:26 PDT, James Simonsen
no flags
Patch (10.24 KB, patch)
2011-06-10 15:37 PDT, James Simonsen
no flags
Patch (10.24 KB, patch)
2011-06-10 15:58 PDT, James Simonsen
no flags
Archive of layout-test-results from ec2-cr-linux-03 (1.25 MB, application/zip)
2011-06-10 16:18 PDT, WebKit Review Bot
no flags
Patch (12.50 KB, patch)
2011-06-10 17:52 PDT, James Simonsen
no flags
Eric Seidel (no email)
Comment 1 2011-06-09 22:48:01 PDT
Doh! Seems like it should be a pretty easy fix.
Tony Gentilcore
Comment 2 2011-06-10 10:19:02 PDT
There are 7 other notImplemented()s in HTMLTreeBuilder, we should probably go through and assess whether any need to be taken care of.
James Simonsen
Comment 3 2011-06-10 15:16:11 PDT
Abhishek Arya
Comment 4 2011-06-10 15:23:12 PDT
you might have to rebaseline the test that i added - svg/dom/use-style-recalc-script-execute-crash.html
James Simonsen
Comment 5 2011-06-10 15:26:10 PDT
James Simonsen
Comment 6 2011-06-10 15:27:54 PDT
(In reply to comment #4) > you might have to rebaseline the test that i added - svg/dom/use-style-recalc-script-execute-crash.html Good point. I was running out of a chrome tree and we haven't rolled to the revision that has that. I'll sync with head, rebaseline, and upload a third patch.
Adam Barth
Comment 7 2011-06-10 15:34:34 PDT
Comment on attachment 96804 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96804&action=review > Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > + m_tree.openElements()->pop(); > + m_isPaused = true; > + m_scriptToProcess = m_tree.currentElement(); I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()...
Eric Seidel (no email)
Comment 8 2011-06-10 15:37:44 PDT
The relevant spec: http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#scriptForeignEndTag An end tag whose tag name is "script", if the current node is a script element in the SVG namespace Pop the current node off the stack of open elements. Let the old insertion point have the same value as the current insertion point. Let the insertion point be just before the next input character. Increment the parser's script nesting level by one. Set the parser pause flag to true. Process the script element according to the SVG rules, if the user agent supports SVG. [SVG] Even if this causes new characters to be inserted into the tokenizer, the parser will not be executed reentrantly, since the parser pause flag is true. Decrement the parser's script nesting level by one. If the parser's script nesting level is zero, then set the parser pause flag to false. Let the insertion point have the value of the old insertion point. (In other words, restore the insertion point to its previous value. This value might be the "undefined" value.)
James Simonsen
Comment 9 2011-06-10 15:37:51 PDT
Eric Seidel (no email)
Comment 10 2011-06-10 15:39:45 PDT
Comment on attachment 96804 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96804&action=review >> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 >> + m_scriptToProcess = m_tree.currentElement(); > > I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()... I'm surprised this works, actually...
Eric Seidel (no email)
Comment 11 2011-06-10 15:40:42 PDT
Comment on attachment 96807 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96807&action=review > Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > + m_scriptToProcess = m_tree.currentElement(); Are we sure this ends up as the script tag?
James Simonsen
Comment 12 2011-06-10 15:45:12 PDT
(In reply to comment #7) > (From update of attachment 96804 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=96804&action=review > > > Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2319 > > + m_tree.openElements()->pop(); > > + m_isPaused = true; > > + m_scriptToProcess = m_tree.currentElement(); > > I would have expected the m_tree.openElements()->pop() to come after m_scriptToProcess = m_tree.currentElement()... Hrm. Yeah. I wonder how it worked while baselining these tests. Anyway, once my build is done, I'll upload a new one (and include an ASSERT). (In reply to comment #8) > The relevant spec: > http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#scriptForeignEndTag > > An end tag whose tag name is "script", if the current node is a script element in the SVG namespace > Pop the current node off the stack of open elements. > > Let the old insertion point have the same value as the current insertion point. Let the insertion point be just before the next input character. > > Increment the parser's script nesting level by one. Set the parser pause flag to true. > > Process the script element according to the SVG rules, if the user agent supports SVG. [SVG] > > Even if this causes new characters to be inserted into the tokenizer, the parser will not be executed reentrantly, since the parser pause flag is true. > > Decrement the parser's script nesting level by one. If the parser's script nesting level is zero, then set the parser pause flag to false. > > Let the insertion point have the value of the old insertion point. (In other words, restore the insertion point to its previous value. This value might be the "undefined" value.) FYI, most of this is done by HTMLDocumentParser and HTMLScriptRunner.
James Simonsen
Comment 13 2011-06-10 15:58:09 PDT
James Simonsen
Comment 14 2011-06-10 16:00:13 PDT
I guess the asserts are already covered if you follow the existing code paths, so this patch just fixes the order.
WebKit Review Bot
Comment 15 2011-06-10 16:18:42 PDT
Comment on attachment 96814 [details] Patch Attachment 96814 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/8826538 New failing tests: svg/dom/range-delete.html html5lib/runner.html
WebKit Review Bot
Comment 16 2011-06-10 16:18:47 PDT
Created attachment 96820 [details] Archive of layout-test-results from ec2-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: ec2-cr-linux-03 Port: Chromium Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
James Simonsen
Comment 17 2011-06-10 16:35:32 PDT
(In reply to comment #15) > (From update of attachment 96814 [details]) > Attachment 96814 [details] did not pass chromium-ews (chromium-xvfb): > Output: http://queues.webkit.org/results/8826538 > > New failing tests: > svg/dom/range-delete.html This test wasn't doing what was expected. It was the cloned node that executed and deleted everything. Now the original executes and destroys everything before it can be cloned. Do you think it's still relevant? If so, I can rewrite it without SVG <script> and (hopefully) have it exercise the same code path. > html5lib/runner.html This just needs to be rebaselined. We pass another test. Yay.
Eric Seidel (no email)
Comment 18 2011-06-10 17:46:00 PDT
Tom wrote the test.
Eric Seidel (no email)
Comment 19 2011-06-10 17:47:31 PDT
I suspect we can just delete the test from the security bug, as invalid. And update the html-parser test results. Please upload a new patch. :)
James Simonsen
Comment 20 2011-06-10 17:52:49 PDT
Eric Seidel (no email)
Comment 21 2011-06-10 17:54:06 PDT
Comment on attachment 96829 [details] Patch LGTM.
WebKit Review Bot
Comment 22 2011-06-10 18:08:21 PDT
Comment on attachment 96829 [details] Patch Clearing flags on attachment: 96829 Committed r88584: <http://trac.webkit.org/changeset/88584>
WebKit Review Bot
Comment 23 2011-06-10 18:08:29 PDT
All reviewed patches have been landed. Closing bug.
James Simonsen
Comment 24 2011-06-10 18:56:42 PDT
Ryosuke Niwa
Comment 25 2011-06-10 23:02:33 PDT
This patch may have caused crashes on Snow Leopard Debug builds: http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html
Tony Gentilcore
Comment 26 2011-06-12 09:23:17 PDT
I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: http://trac.webkit.org/changeset/88549
James Simonsen
Comment 27 2011-06-13 11:50:41 PDT
(In reply to comment #25) > This patch may have caused crashes on Snow Leopard Debug builds: > http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. (In reply to comment #26) > I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: > http://trac.webkit.org/changeset/88549 Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit.
David Kilzer (:ddkilzer)
Comment 28 2011-06-27 09:04:02 PDT
David Kilzer (:ddkilzer)
Comment 29 2011-07-08 13:29:57 PDT
(In reply to comment #27) > (In reply to comment #25) > > This patch may have caused crashes on Snow Leopard Debug builds: > > http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html > > It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. > > (In reply to comment #26) > > I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: > > http://trac.webkit.org/changeset/88549 > > Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit. Is it done baking yet? :)
James Simonsen
Comment 30 2011-07-12 18:49:03 PDT
(In reply to comment #29) > (In reply to comment #27) > > (In reply to comment #25) > > > This patch may have caused crashes on Snow Leopard Debug builds: > > > http://build.webkit.org/results/SnowLeopard%20Intel%20Debug%20(Tests)/r88585%20(583)/results.html > > > > It's not crashing, it just failed that one test. I already submitted the new baseline on Friday. It's passing now. > > > > (In reply to comment #26) > > > I thought this patch was going to let us remove the new branch in ScriptElement::prepareScript added here: > > > http://trac.webkit.org/changeset/88549 > > > > Yeah, I'll upload a separate patch for that. I wanted this one to bake for a bit. > > Is it done baking yet? :) Yep. Thanks for the reminder. :)
Note You need to log in before you can comment on or make changes to this bug.