Starred by 4 users
Status: Fixed
Owner:
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 680418
issue 680969



`<plaintext>` inside `<select><option>` eats the page.
Project Member Reported by mkwst@chromium.org, Jan 11 2017
`<plaintext>` inside `<select><option>` eats the page. It shouldn't. It doesn't in other browsers.
Comment 1 by mkwst@chromium.org, Jan 12 2017
Blocking: 680418
Comment 2 by mkwst@chromium.org, Jan 13 2017
Blocking: 680969
Project Member Comment 3 by bugdroid1@chromium.org, Jan 13 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8150200aff6ad60b092fd2ddb7eddcb6d0cc13df

commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df
Author: mkwst <mkwst@chromium.org>
Date: Fri Jan 13 16:33:30 2017

Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread at
https://github.com/whatwg/html/issues/2252.

BUG= 680072 

Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}

[add] https://crrev.com/8150200aff6ad60b092fd2ddb7eddcb6d0cc13df/third_party/WebKit/LayoutTests/fast/parser/inselect-tokenization.html
[modify] https://crrev.com/8150200aff6ad60b092fd2ddb7eddcb6d0cc13df/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.cpp
[modify] https://crrev.com/8150200aff6ad60b092fd2ddb7eddcb6d0cc13df/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.h
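
A toy model of the tokenizer-state decision the commit message describes, added here as an illustration; it is not Blink's HTMLTreeBuilderSimulator code and does not reproduce the patch. It tracks whether the simulated tree builder is in the "in select" insertion mode and, when it is, refuses to move the tokenizer into the PLAINTEXT, RAWTEXT or RCDATA states, which is what the fix restores. The names `Simulate`, `State`, `Result` and the helper predicates are this example's own, script data is modelled as RAWTEXT and nested `<select>` handling is omitted for brevity, and the sample inputs are constructed:

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Tokenizer states relevant here (a subset of the real tokenizer's states).
enum class State { kData, kRawText, kRcData, kPlainText };

struct Result {
  std::vector<std::string> tags;  // tag tokens actually emitted ("/x" = end tag)
  std::string swallowed;          // input consumed as character data instead
};

// Start tags that would move the tokenizer out of the data state.
static bool IsRawTextTag(const std::string& n) {
  return n == "style" || n == "xmp" || n == "iframe" || n == "noembed" ||
         n == "noframes" || n == "script";  // script data modelled as RAWTEXT
}
static bool IsRcDataTag(const std::string& n) {
  return n == "textarea" || n == "title";
}

// Tokenize `html`. With spec_compliant == true the simulated tree builder
// knows it is in the "in select" insertion mode, where the HTML spec ignores
// these start tags, so the tokenizer state is left alone (the fixed
// behaviour). With false it switches state anyway (the bug).
Result Simulate(const std::string& html, bool spec_compliant) {
  Result r;
  State state = State::kData;
  bool in_select = false;
  std::string raw_end;  // end-tag name that leaves RAWTEXT/RCDATA
  size_t i = 0;
  while (i < html.size()) {
    if (state == State::kPlainText) {  // PLAINTEXT has no end: eat the rest
      r.swallowed += html.substr(i);
      break;
    }
    if (html[i] != '<') {
      if (state != State::kData) r.swallowed += html[i];
      ++i;
      continue;
    }
    // Read "<" ["/"] name ... ">"; anything else is plain character data.
    size_t j = i + 1;
    bool end_tag = j < html.size() && html[j] == '/';
    if (end_tag) ++j;
    std::string name;
    while (j < html.size() && std::isalpha(static_cast<unsigned char>(html[j]))) {
      name += static_cast<char>(std::tolower(static_cast<unsigned char>(html[j])));
      ++j;
    }
    size_t close = html.find('>', j);
    if (name.empty() || close == std::string::npos) {
      if (state != State::kData) r.swallowed += html[i];
      ++i;
      continue;
    }
    if (state != State::kData) {
      // In RAWTEXT/RCDATA only the matching end tag is a tag token.
      if (end_tag && name == raw_end) {
        state = State::kData;
        r.tags.push_back("/" + name);
      } else {
        r.swallowed += html.substr(i, close + 1 - i);
      }
      i = close + 1;
      continue;
    }
    r.tags.push_back(end_tag ? "/" + name : name);
    i = close + 1;
    if (name == "select") {  // nested <select> is not modelled here
      in_select = !end_tag;
      continue;
    }
    if (end_tag) continue;
    // The decision the bug got wrong: inside <select> these start tags are
    // ignored by the tree builder, so the tokenizer must stay in data state.
    if (spec_compliant && in_select) continue;
    if (name == "plaintext") {
      state = State::kPlainText;
    } else if (IsRawTextTag(name)) {
      state = State::kRawText;
      raw_end = name;
    } else if (IsRcDataTag(name)) {
      state = State::kRcData;
      raw_end = name;
    }
  }
  return r;
}

// Constructed sample: the element sequence named in the commit message,
// followed by content standing in for "the rest of the page".
const std::string kPage = "<select><option><plaintext><p>rest of page</p>";

int main() {
  Result buggy = Simulate(kPage, false);
  Result fixed = Simulate(kPage, true);
  std::cout << "buggy: " << buggy.tags.size() << " tags, swallowed \""
            << buggy.swallowed << "\"\n";
  std::cout << "fixed: " << fixed.tags.size() << " tags, swallowed \""
            << fixed.swallowed << "\"\n";
  return 0;
}
```

Running it shows the asymmetry the bug report is about: with the buggy decision the `<plaintext>` start tag puts the tokenizer into PLAINTEXT and every later byte of the page becomes character data, whereas with the spec-compliant decision the tag is emitted but ignored and `<p>` is still tokenized as markup. Outside `<select>` the same start tags still switch state in both modes, so the fix narrows behaviour only where the tree builder would have ignored the element anyway.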

Comment 4 by mkwst@chromium.org, Jan 14 2017
Labels: Security_Severity-Low Security_Impact-Stable Merge-Request-56
Hello, excellent release managers. I'd like to merge this back to 56 to fix an issue that has minor security implications. WDYT?
Project Member Comment 6 by sheriffbot@chromium.org, Jan 14 2017
Labels: -Merge-Request-56 Hotlist-Merge-Approved Merge-Approved-56
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL to branch 2924 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 7 by bugdroid1@chromium.org, Jan 16 2017
Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46

commit c5fd9d8eda10d0a69c0bb90fd179695f9c403f46
Author: Mike West <mkwst@google.com>
Date: Mon Jan 16 08:52:40 2017

Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread at
https://github.com/whatwg/html/issues/2252.

BUG= 680072 

Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
(cherry picked from commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df)

Review-Url: https://codereview.chromium.org/2630253002 .
Cr-Commit-Position: refs/branch-heads/2924@{#770}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[add] https://crrev.com/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46/third_party/WebKit/LayoutTests/fast/parser/inselect-tokenization.html
[modify] https://crrev.com/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.cpp
[modify] https://crrev.com/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.h

Comment 8 by mkwst@chromium.org, Feb 8 2017
Status: Fixed