Changeset 34722 in webkit

Timestamp:

Jun 21, 2008 4:49:34 PM (16 years ago)

Author:

ddkilzer@apple.com

Message:

WebCore:

Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely

<​https://bugs.webkit.org/show_bug.cgi?id=7931>

Reviewed by Darin.

Tests: fast/parser/entity-end-iframe-tag.html

fast/parser/entity-end-script-tag.html
fast/parser/entity-end-style-tag.html
fast/parser/entity-end-textarea-tag.html
fast/parser/entity-end-title-tag.html
fast/parser/entity-end-xmp-tag.html

Previously the parser accepted end tags for textarea, title and
iframe elements that contained entity-escaped characters such as
'&lt;'. The fix is to save the position of the last entity-escaped
character converted and to use that to make sure the end tag does
not contain an escaped character.

Note that this was not an issue for script, style and xmp elements
since they already ignored entity-escaped characters.

• html/HTMLTokenizer.cpp: (WebCore::HTMLTokenizer::parseSpecial): When looking for a closing tag, ignore any text with entity-escaped characters by making sure lastDecodedEntityPosition is less than the first character of the end tag.

LayoutTests:

Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely

<​https://bugs.webkit.org/show_bug.cgi?id=7931>

Reviewed by Darin.

The entity-end-textarea-tag.html contains 11 test cases: one
for each character in '</textarea>'. The rest of the tests
only test one encoding: '<' as '&lt;'.

• fast/parser/entity-end-iframe-tag-expected.txt: Added.
• fast/parser/entity-end-iframe-tag.html: Added.
• fast/parser/entity-end-script-tag-expected.txt: Added.
• fast/parser/entity-end-script-tag.html: Added.
• fast/parser/entity-end-style-tag-expected.txt: Added.
• fast/parser/entity-end-style-tag.html: Added.
• fast/parser/entity-end-textarea-tag-expected.txt: Added.
• fast/parser/entity-end-textarea-tag.html: Added.
• fast/parser/entity-end-title-tag-expected.txt: Added.
• fast/parser/entity-end-title-tag.html: Added.
• fast/parser/entity-end-xmp-tag-expected.txt: Added.
• fast/parser/entity-end-xmp-tag.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/parser/entity-end-iframe-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-iframe-tag.html (added)
• LayoutTests/fast/parser/entity-end-script-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-script-tag.html (added)
• LayoutTests/fast/parser/entity-end-style-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-style-tag.html (added)
• LayoutTests/fast/parser/entity-end-textarea-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-textarea-tag.html (added)
• LayoutTests/fast/parser/entity-end-title-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-title-tag.html (added)
• LayoutTests/fast/parser/entity-end-xmp-tag-expected.txt (added)
• LayoutTests/fast/parser/entity-end-xmp-tag.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/html/HTMLTokenizer.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-06-21  David Kilzer  <ddkilzer@apple.com>
+
+        Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
+
+        <https://bugs.webkit.org/show_bug.cgi?id=7931>
+
+        Reviewed by Darin.
+
+        The entity-end-textarea-tag.html contains 11 test cases:  one
+        for each character in '</textarea>'.  The rest of the tests
+        only test one encoding:  '<' as '&lt;'.
+
+        * fast/parser/entity-end-iframe-tag-expected.txt: Added.
+        * fast/parser/entity-end-iframe-tag.html: Added.
+        * fast/parser/entity-end-script-tag-expected.txt: Added.
+        * fast/parser/entity-end-script-tag.html: Added.
+        * fast/parser/entity-end-style-tag-expected.txt: Added.
+        * fast/parser/entity-end-style-tag.html: Added.
+        * fast/parser/entity-end-textarea-tag-expected.txt: Added.
+        * fast/parser/entity-end-textarea-tag.html: Added.
+        * fast/parser/entity-end-title-tag-expected.txt: Added.
+        * fast/parser/entity-end-title-tag.html: Added.
+        * fast/parser/entity-end-xmp-tag-expected.txt: Added.
+        * fast/parser/entity-end-xmp-tag.html: Added.
+
 2008-06-21  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-06-21  David Kilzer  <ddkilzer@apple.com>
+
+        Bug 7931: Escaped elements within a textarea block can cause the textarea box to be closed prematurely
+
+        <https://bugs.webkit.org/show_bug.cgi?id=7931>
+
+        Reviewed by Darin.
+
+        Tests: fast/parser/entity-end-iframe-tag.html
+               fast/parser/entity-end-script-tag.html
+               fast/parser/entity-end-style-tag.html
+               fast/parser/entity-end-textarea-tag.html
+               fast/parser/entity-end-title-tag.html
+               fast/parser/entity-end-xmp-tag.html
+
+        Previously the parser accepted end tags for textarea, title and
+        iframe elements that contained entity-escaped characters such as
+        '&lt;'.  The fix is to save the position of the last entity-escaped
+        character converted and to use that to make sure the end tag does
+        not contain an escaped character.
+
+        Note that this was not an issue for script, style and xmp elements
+        since they already ignored entity-escaped characters.
+
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::parseSpecial): When looking for a closing
+        tag, ignore any text with entity-escaped characters by making sure
+        lastDecodedEntityPosition is less than the first character of the
+        end tag.
+
 2008-06-21  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/html/HTMLTokenizer.cpp

@@ -313 +313 @@
         state = parseComment(src, state);
 
+    int lastDecodedEntityPosition = -1;
     while ( !src.isEmpty() ) {
         checkScriptBuffer();
@@ -363 +364 @@
         if (!scriptCodeResync && !state.escaped() && !src.escaped() && (ch == '>' || ch == '/' || isASCIISpace(ch)) &&
              scriptCodeSize >= searchStopperLen &&
-             tagMatch( searchStopper, scriptCode+scriptCodeSize-searchStopperLen, searchStopperLen )) {
+             tagMatch(searchStopper, scriptCode + scriptCodeSize - searchStopperLen, searchStopperLen) &&
+             (lastDecodedEntityPosition < scriptCodeSize - searchStopperLen)) {
             scriptCodeResync = scriptCodeSize-searchStopperLen+1;
             tquote = NoQuote;
@@ -382 +384 @@
             state = parseEntity(src, scriptCodeDest, state, m_cBufferPos, true, false);
             scriptCodeSize = scriptCodeDest - scriptCode;
+            lastDecodedEntityPosition = scriptCodeSize;
         } else {
             scriptCode[scriptCodeSize++] = ch;