
Issue 680462

Starred by 1 user

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 680418
issue 680969
issue 738849




Consider restricting form submissions containing unclosed `<textarea>` and `<select>` elements.

Project Member Reported by mkwst@chromium.org, Jan 12 2017

Issue description

From https://github.com/whatwg/html/issues/2253:

"""
HTML's parsing mechanism will automatically close <form>, <textarea>, <option>, <button> elements at the end of a file. This is fine from a parsing perspective, but the behavior does enable dangling markup attacks, such as those described in http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/ and section 2 of http://lcamtuf.coredump.cx/postxss/.

I haven't added metrics to Chrome yet, and regexing this kind of data out of HTTPArchive is difficult, but my intuition is that we wouldn't break legitimate form submissions if we added a flag to elements noting whether they were in the stack of open elements during step 2 of https://html.spec.whatwg.org/#the-end, and prevented form submission (in the same way we decide on for #2252) if that flag was present on any of the form's submittable elements.

This change seems relatively low-risk, and would address a subset of dangling markup attacks that don't rely on a closing tag being present somewhere in the document.
"""
 
Project Member Comment 1 by bugdroid1@chromium.org, Jan 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98

commit ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98
Author: mkwst <mkwst@chromium.org>
Date: Fri Jan 13 13:30:41 2017

Experiment with restricting form submission with open elements.

HTML's parsing mechanism will automatically close form controls at the
end of a file. This is fine from a parsing perspective, but the behavior
does enable dangling markup attacks, such as those described in
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/ and
section 2 of http://lcamtuf.coredump.cx/postxss/.

Based on some discussion at https://github.com/whatwg/html/issues/2253,
this patch adds metrics to measure how often this happens in the wild
for `<textarea>` and `<select>` elements, and an experimental flag which
prevents form submission in the presence of those elements if they're
closed by reaching the end-of-file.

BUG=680462

Review-Url: https://codereview.chromium.org/2628723004
Cr-Commit-Position: refs/heads/master@{#443544}

[add] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/option.html
[add] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/resources/helper.js
[add] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/textarea.html
[add] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/LayoutTests/http/tests/security/resources/postmessage-post.php
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/html/HTMLFormControlElement.h
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/html/HTMLFormElement.cpp
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/html/parser/HTMLElementStack.cpp
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
[modify] https://crrev.com/ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98/tools/metrics/histograms/histograms.xml

Comment 2 by mkwst@chromium.org, Jan 13 2017

Blocking: 680969

Comment 3 by mkwst@chromium.org, Jul 3 2017

Blocking: 738849

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
