Commit 82f9f10c authored by ddkilzer@apple.com's avatar ddkilzer@apple.com

WebCore:

        Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely

        <https://bugs.webkit.org/show_bug.cgi?id=7931>

        Reviewed by Darin.

        Tests: fast/parser/entity-end-iframe-tag.html
               fast/parser/entity-end-script-tag.html
               fast/parser/entity-end-style-tag.html
               fast/parser/entity-end-textarea-tag.html
               fast/parser/entity-end-title-tag.html
               fast/parser/entity-end-xmp-tag.html

        Previously the parser accepted end tags for textarea, title and
        iframe elements that contained entity-escaped characters such as
        '&lt;'.  The fix is to save the position of the last entity-escaped
        character converted and to use that to make sure the end tag does
        not contain an escaped character.

        Note that this was not an issue for script, style and xmp elements
        since they already ignored entity-escaped characters.

        * html/HTMLTokenizer.cpp:
        (WebCore::HTMLTokenizer::parseSpecial): When looking for a closing
        tag, ignore any text with entity-escaped characters by making sure
        lastDecodedEntityPosition is less than the first character of the
        end tag.

LayoutTests:

        Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely

        <https://bugs.webkit.org/show_bug.cgi?id=7931>

        Reviewed by Darin.

        The entity-end-textarea-tag.html contains 11 test cases:  one
        for each character in '</textarea>'.  The rest of the tests
        only test one encoding:  '<' as '&lt;'.

        * fast/parser/entity-end-iframe-tag-expected.txt: Added.
        * fast/parser/entity-end-iframe-tag.html: Added.
        * fast/parser/entity-end-script-tag-expected.txt: Added.
        * fast/parser/entity-end-script-tag.html: Added.
        * fast/parser/entity-end-style-tag-expected.txt: Added.
        * fast/parser/entity-end-style-tag.html: Added.
        * fast/parser/entity-end-textarea-tag-expected.txt: Added.
        * fast/parser/entity-end-textarea-tag.html: Added.
        * fast/parser/entity-end-title-tag-expected.txt: Added.
        * fast/parser/entity-end-title-tag.html: Added.
        * fast/parser/entity-end-xmp-tag-expected.txt: Added.
        * fast/parser/entity-end-xmp-tag.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 9caae932
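The check the commit message describes, as an added example that is not WebKit's code: a simplified scanner for the body of a raw-text element that decodes character references into a buffer, records the position of the last decoded character, and accepts an end-tag candidate only when the candidate starts after that position. The names decodeEntity, scanRawText and RawTextScan, the flag rejectDecodedEndTag (which switches the check off and on so the old and new behaviour can be compared), and the sample inputs are all invented here; the inputs mirror the layout tests' cases. One deliberate difference from the tokenizer's own convention: lastDecodedEntityPosition here holds the index of the decoded character itself rather than the buffer size after it, so an entity placed directly before a genuine end tag still lets that tag match.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example (not WebKit code): a model of how a raw-text scanner can
// track the last decoded character reference so that an end tag assembled
// from entities such as "&lt;/textarea>" does not close the element.

// Decodes the references the layout tests use: &lt; &gt; &amp; and
// hexadecimal numeric references like &#x2f;. Appends the decoded character
// to `out` and returns the number of source characters consumed, or 0 when
// no well-formed reference starts at `pos` (the caller then keeps '&' literal).
static std::size_t decodeEntity(const std::string& src, std::size_t pos, std::string& out) {
    std::size_t semi = src.find(';', pos);
    if (semi == std::string::npos) return 0;
    std::string name = src.substr(pos + 1, semi - pos - 1);
    char decoded;
    if (name == "lt") decoded = '<';
    else if (name == "gt") decoded = '>';
    else if (name == "amp") decoded = '&';
    else if (name.size() > 2 && name[0] == '#' && (name[1] == 'x' || name[1] == 'X')) {
        unsigned code = 0;
        for (std::size_t k = 2; k < name.size(); ++k) {
            char c = name[k];
            unsigned digit;
            if (c >= '0' && c <= '9') digit = static_cast<unsigned>(c - '0');
            else if (c >= 'a' && c <= 'f') digit = static_cast<unsigned>(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') digit = static_cast<unsigned>(c - 'A' + 10);
            else return 0;
            code = code * 16 + digit;
            if (code > 0x7e) return 0;  // this example only models printable ASCII
        }
        decoded = static_cast<char>(code);
    } else {
        return 0;
    }
    out += decoded;
    return semi - pos + 1;
}

struct RawTextScan {
    std::string content;    // element text up to the accepted end tag
    std::string remainder;  // source left over after the accepted end tag
};

// Scans the body of a raw-text element for the literal end tag "</tagName>",
// roughly as parseSpecial matches its searchStopper. decodeEntities is true for
// textarea/title/iframe and false for script/style/xmp. rejectDecodedEndTag
// switches the fix on: a candidate end tag is accepted only when the last
// decoded character sits before the candidate's first character. (Matching is
// case-sensitive here to keep the example short; the real tokenizer's is not.)
RawTextScan scanRawText(const std::string& src, const std::string& tagName,
                        bool decodeEntities, bool rejectDecodedEndTag) {
    const std::string stopper = "</" + tagName;  // the closing '>' is checked separately
    std::string buf;                             // decoded text, like scriptCode
    long lastDecodedEntityPosition = -1;         // index in buf of the last decoded character
    std::size_t i = 0;
    while (i < src.size()) {
        char ch = src[i];
        if (ch == '>' && buf.size() >= stopper.size()
            && buf.compare(buf.size() - stopper.size(), stopper.size(), stopper) == 0) {
            long tagStart = static_cast<long>(buf.size() - stopper.size());
            if (!rejectDecodedEndTag || lastDecodedEntityPosition < tagStart) {
                buf.resize(static_cast<std::size_t>(tagStart));
                return {buf, src.substr(i + 1)};
            }
        }
        if (decodeEntities && ch == '&') {
            std::size_t consumed = decodeEntity(src, i, buf);
            if (consumed) {
                lastDecodedEntityPosition = static_cast<long>(buf.size()) - 1;
                i += consumed;
                continue;
            }
        }
        buf += ch;
        ++i;
    }
    return {buf, ""};  // no end tag found: everything is content
}

int main() {
    // Constructed input, mirroring case 01 of entity-end-textarea-tag.html.
    const char* textarea = "&lt;/textarea></textarea>";
    RawTextScan before = scanRawText(textarea, "textarea", true, false);
    RawTextScan after = scanRawText(textarea, "textarea", true, true);
    std::cout << "without check: content=\"" << before.content
              << "\" remainder=\"" << before.remainder << "\"\n";
    std::cout << "with check:    content=\"" << after.content
              << "\" remainder=\"" << after.remainder << "\"\n";
    return 0;
}
```

Run stand-alone, it prints the element content and the leftover source for the textarea case twice: with the check off, the entity-built `</textarea>` closes the element immediately and the real end tag is left over as a stray; with the check on, the content is the literal text `</textarea>` and nothing is left over. For script, where entities are not decoded at all, the content keeps the `&lt;` verbatim, which is what the script test's expected result asserts.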
2008-06-21 David Kilzer <ddkilzer@apple.com>
Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
<https://bugs.webkit.org/show_bug.cgi?id=7931>
Reviewed by Darin.
The entity-end-textarea-tag.html contains 11 test cases: one
for each character in '</textarea>'. The rest of the tests
only test one encoding: '<' as '&lt;'.
* fast/parser/entity-end-iframe-tag-expected.txt: Added.
* fast/parser/entity-end-iframe-tag.html: Added.
* fast/parser/entity-end-script-tag-expected.txt: Added.
* fast/parser/entity-end-script-tag.html: Added.
* fast/parser/entity-end-style-tag-expected.txt: Added.
* fast/parser/entity-end-style-tag.html: Added.
* fast/parser/entity-end-textarea-tag-expected.txt: Added.
* fast/parser/entity-end-textarea-tag.html: Added.
* fast/parser/entity-end-title-tag-expected.txt: Added.
* fast/parser/entity-end-title-tag.html: Added.
* fast/parser/entity-end-xmp-tag-expected.txt: Added.
* fast/parser/entity-end-xmp-tag.html: Added.
2008-06-21 Sam Weinig <sam@webkit.org>
Reviewed by Dan Bernstein.
Test parsing of entity-escaped </iframe> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("myiframe").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
</head>
<body>
<iframe id="myiframe">&lt;/iframe></iframe>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/iframe&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '<' + '/iframe>';
shouldBe('document.getElementById("myiframe").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
CONSOLE MESSAGE: line 8: SyntaxError: Parse error
Test parsing of entity-escaped </script> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("myscript").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
</head>
<body>
<script id="myscript">&lt;/script></script>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/script&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '&lt;' + '/script>';
shouldBe('document.getElementById("myscript").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
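Review bot: the expected output for this test bakes in `CONSOLE MESSAGE: line 8: SyntaxError: Parse error`, because once the tokenizer correctly keeps `&lt;/script>` as the body of `<script id="myscript">`, that text is executed as JavaScript and fails to parse. That is harmless, but it ties the expectation to the engine's error-message wording and line numbering; giving the element a non-JavaScript `type` attribute would exercise the same end-tag scanning without running the content, and the expected file would then contain only the PASS lines.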
Test parsing of entity-escaped </style> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("mystyle").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
<style id="mystyle">&lt;/style></style>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/style&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '&lt;' + '/style>';
shouldBe('document.getElementById("mystyle").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
Test parsing of entity-escaped </textarea> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("mytextarea01").textContent is expectedResult
PASS document.getElementById("mytextarea02").textContent is expectedResult
PASS document.getElementById("mytextarea03").textContent is expectedResult
PASS document.getElementById("mytextarea04").textContent is expectedResult
PASS document.getElementById("mytextarea05").textContent is expectedResult
PASS document.getElementById("mytextarea06").textContent is expectedResult
PASS document.getElementById("mytextarea07").textContent is expectedResult
PASS document.getElementById("mytextarea08").textContent is expectedResult
PASS document.getElementById("mytextarea09").textContent is expectedResult
PASS document.getElementById("mytextarea10").textContent is expectedResult
PASS document.getElementById("mytextarea11").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
</head>
<body>
<textarea id="mytextarea01">&lt;/textarea></textarea><br>
<textarea id="mytextarea02"><&#x2f;textarea></textarea><br>
<textarea id="mytextarea03"></&#x74;extarea></textarea><br>
<textarea id="mytextarea04"></t&#x65;xtarea></textarea><br>
<textarea id="mytextarea05"></te&#x78;tarea></textarea><br>
<textarea id="mytextarea06"></tex&#x74;area></textarea><br>
<textarea id="mytextarea07"></text&#x61;rea></textarea><br>
<textarea id="mytextarea08"></texta&#x72;ea></textarea><br>
<textarea id="mytextarea09"></textar&#x65;a></textarea><br>
<textarea id="mytextarea10"></textare&#x61;></textarea><br>
<textarea id="mytextarea11"></textarea&gt;</textarea><br>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/textarea&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '<' + '/textarea>';
shouldBe('document.getElementById("mytextarea01").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea02").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea03").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea04").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea05").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea06").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea07").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea08").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea09").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea10").textContent', 'expectedResult');
shouldBe('document.getElementById("mytextarea11").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
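Review bot: the eleven cases each escape one character inside the fake end tag, which covers the new rejection well, but none exercises an entity placed directly before the genuine end tag, for example `<textarea>&lt;</textarea>`. That is the boundary the `lastDecodedEntityPosition < scriptCodeSize - searchStopperLen` comparison in HTMLTokenizer.cpp must get right (the marker is set to the buffer size just past the decoded character), so a twelfth case asserting that such a textarea still closes and has content `<` would catch an off-by-one there.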
Test parsing of entity-escaped </title> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("mytitle").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title id="mytitle">&lt;/title></title>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/title&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '<' + '/title>';
shouldBe('document.getElementById("mytitle").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
&lt;/xmp>
Test parsing of entity-escaped </xmp> tag for Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS document.getElementById("myxmp").textContent is expectedResult
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="../js/resources/js-test-style.css">
<script src="../js/resources/js-test-pre.js"></script>
</head>
<body>
<xmp id="myxmp">&lt;/xmp></xmp>
<p id="description"></p>
<div id="console"></div>
<script>
description("Test parsing of entity-escaped &lt;/xmp&gt; tag for <a href=\"https://bugs.webkit.org/show_bug.cgi?id=7931\">Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely</a>");
var expectedResult = '&lt;' + '/xmp>';
shouldBe('document.getElementById("myxmp").textContent', 'expectedResult');
successfullyParsed = true;
</script>
<script src="../js/resources/js-test-post.js"></script>
</body>
</html>
2008-06-21 David Kilzer <ddkilzer@apple.com>
Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
<https://bugs.webkit.org/show_bug.cgi?id=7931>
Reviewed by Darin.
Tests: fast/parser/entity-end-iframe-tag.html
fast/parser/entity-end-script-tag.html
fast/parser/entity-end-style-tag.html
fast/parser/entity-end-textarea-tag.html
fast/parser/entity-end-title-tag.html
fast/parser/entity-end-xmp-tag.html
Previously the parser accepted end tags for textarea, title and
iframe elements that contained entity-escaped characters such as
'&lt;'. The fix is to save the position of the last entity-escaped
character converted and to use that to make sure the end tag does
not contain an escaped character.
Note that this was not an issue for script, style and xmp elements
since they already ignored entity-escaped characters.
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::parseSpecial): When looking for a closing
tag, ignore any text with entity-escaped characters by making sure
lastDecodedEntityPosition is less than the first character of the
end tag.
2008-06-21 Sam Weinig <sam@webkit.org>
Reviewed by Dan Bernstein.
......@@ -312,6 +312,7 @@ HTMLTokenizer::State HTMLTokenizer::parseSpecial(SegmentedString &src, State sta
if (state.inComment())
state = parseComment(src, state);
int lastDecodedEntityPosition = -1;
while ( !src.isEmpty() ) {
checkScriptBuffer();
UChar ch = *src;
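Review bot: the new `int lastDecodedEntityPosition = -1;` declaration carries no comment, and what the value means is exactly what a reader of the end-tag check further down needs to know: it is later assigned `scriptCodeSize` after an entity has been decoded, so it is the index one past the decoded text, not the index of the decoded character. A one-line comment at the declaration, e.g. `// index into scriptCode just past the last decoded entity, -1 if none`, would make the comparison self-explanatory.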
......@@ -362,7 +363,8 @@ HTMLTokenizer::State HTMLTokenizer::parseSpecial(SegmentedString &src, State sta
// possible end of tagname, lets check.
if (!scriptCodeResync && !state.escaped() && !src.escaped() && (ch == '>' || ch == '/' || isASCIISpace(ch)) &&
scriptCodeSize >= searchStopperLen &&
tagMatch( searchStopper, scriptCode+scriptCodeSize-searchStopperLen, searchStopperLen )) {
tagMatch(searchStopper, scriptCode + scriptCodeSize - searchStopperLen, searchStopperLen) &&
(lastDecodedEntityPosition < scriptCodeSize - searchStopperLen)) {
scriptCodeResync = scriptCodeSize-searchStopperLen+1;
tquote = NoQuote;
continue;
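Review bot: the added condition `(lastDecodedEntityPosition < scriptCodeSize - searchStopperLen)` looks off by one. `lastDecodedEntityPosition` is assigned `scriptCodeSize` right after `parseEntity` writes the decoded text (third hunk), so it points one past the decoded character, while `scriptCodeSize - searchStopperLen` is the index of the candidate end tag's first character. When a decoded entity immediately precedes a genuine end tag, as in `<textarea>&lt;</textarea>`, the two values are equal and the strict `<` rejects the real end tag, so it is skipped and the element stays open. Either compare with `<=` here or store `scriptCodeSize - 1` at the assignment site, and cover that input with a layout test. Separately, the whitespace-only rewrite of the `tagMatch(...)` line is mixed into the functional change; a reviewer has to diff the two lines by eye to confirm only the trailing `&&` is new.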
......@@ -381,6 +383,7 @@ HTMLTokenizer::State HTMLTokenizer::parseSpecial(SegmentedString &src, State sta
src.advancePastNonNewline();
state = parseEntity(src, scriptCodeDest, state, m_cBufferPos, true, false);
scriptCodeSize = scriptCodeDest - scriptCode;
lastDecodedEntityPosition = scriptCodeSize;
} else {
scriptCode[scriptCodeSize++] = ch;
src.advance(m_lineNumber);
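Review bot: `lastDecodedEntityPosition = scriptCodeSize;` runs unconditionally after every `parseEntity` call. If `parseEntity` can return having emitted the `&` literally because nothing matched, the marker still advances, which the name `lastDecoded` does not suggest and which would then also suppress a genuine end tag that directly follows a stray ampersand; worth confirming, and if so either guarding the assignment on whether a reference was actually decoded or renaming the variable to say what it really tracks.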
......