Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration
https://bugs.webkit.org/show_bug.cgi?id=176368
<rdar://problem/34254998>
Reviewed by Ryosuke Niwa.
Source/WebCore:
In the process of iterating over form.associatedElements() during form submission in FormSubmission::create, the
page may cause us to clobber the vector of FormAssociatedElements* we're currently iterating over by inserting
new form controls beneath the form element we're in the process of submitting. This happens because
FormSubmission::create calls HTMLTextAreaElement::appendFormData, which requires layout to be up to date, which
in turn makes us updateLayout() and set focus, which fires a `change` event, upon which the page's JavaScript
inserts additonal DOM nodes into the form, modifying the vector of associated elements.
To mitigate this, instead of iterating over HTMLFormElement::associatedElements(), which returns a reference to
the HTMLFormElement's actual m_associatedElements vector, we iterate over a new vector of
Ref<FormAssociatedElement>s created from m_associatedElements.
This patch also removes an event dispatch assertion added in r212026. This assertion was added to catch any
other events dispatched in this scope, since dispatching events there would have had security implications, but
after making iteration over associated elements robust, this NoEventDispatchAssertion is no longer useful.
Test: fast/forms/append-children-during-form-submission.html
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
LayoutTests:
Adds a new test to make sure we don't crash when mutating a form's associated elements during form submission.
* fast/forms/append-children-during-form-submission-expected.txt: Added.
* fast/forms/append-children-during-form-submission.html: Added.
Canonical link: https://commits.webkit.org/193339@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222005 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-09-14 01:49:05 +00:00
|
|
|
<!DOCTYPE html>
|
|
|
|
|
<html>
|
|
|
|
|
<script>
|
|
|
|
|
function loaded() {
|
|
|
|
|
if (window.testRunner)
|
|
|
|
|
testRunner.dumpAsText();
|
|
|
|
|
|
|
|
|
|
area1.setRangeText("foo");
|
|
|
|
|
area1.name = "foo";
|
|
|
|
|
area2.autofocus = true;
|
|
|
|
|
form.insertBefore(area2, form.firstChild);
|
|
|
|
|
form.submit();
|
2017-09-14 19:55:02 +00:00
|
|
|
document.write("<code>PASS</code>");
|
Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration
https://bugs.webkit.org/show_bug.cgi?id=176368
<rdar://problem/34254998>
Reviewed by Ryosuke Niwa.
Source/WebCore:
In the process of iterating over form.associatedElements() during form submission in FormSubmission::create, the
page may cause us to clobber the vector of FormAssociatedElements* we're currently iterating over by inserting
new form controls beneath the form element we're in the process of submitting. This happens because
FormSubmission::create calls HTMLTextAreaElement::appendFormData, which requires layout to be up to date, which
in turn makes us updateLayout() and set focus, which fires a `change` event, upon which the page's JavaScript
inserts additonal DOM nodes into the form, modifying the vector of associated elements.
To mitigate this, instead of iterating over HTMLFormElement::associatedElements(), which returns a reference to
the HTMLFormElement's actual m_associatedElements vector, we iterate over a new vector of
Ref<FormAssociatedElement>s created from m_associatedElements.
This patch also removes an event dispatch assertion added in r212026. This assertion was added to catch any
other events dispatched in this scope, since dispatching events there would have had security implications, but
after making iteration over associated elements robust, this NoEventDispatchAssertion is no longer useful.
Test: fast/forms/append-children-during-form-submission.html
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
LayoutTests:
Adds a new test to make sure we don't crash when mutating a form's associated elements during form submission.
* fast/forms/append-children-during-form-submission-expected.txt: Added.
* fast/forms/append-children-during-form-submission.html: Added.
Canonical link: https://commits.webkit.org/193339@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222005 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-09-14 01:49:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function changed() {
|
|
|
|
|
for (let i = 0; i < 100; i++)
|
|
|
|
|
form.appendChild(document.createElement("input"));
|
|
|
|
|
}
|
|
|
|
|
</script>
|
|
|
|
|
|
|
|
|
|
<body onload=loaded()>
|
|
|
|
|
<form id="form" onchange=changed()>
|
|
|
|
|
<textarea id="area1">a</textarea>
|
|
|
|
|
<object></object>
|
|
|
|
|
<textarea id="area2">b</textarea>
|
|
|
|
|
</form>
|
2017-09-14 19:55:02 +00:00
|
|
|
<p>To manually test, load this page. The document should show <code>PASS</code> after loading.</p>
|
Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration
https://bugs.webkit.org/show_bug.cgi?id=176368
<rdar://problem/34254998>
Reviewed by Ryosuke Niwa.
Source/WebCore:
In the process of iterating over form.associatedElements() during form submission in FormSubmission::create, the
page may cause us to clobber the vector of FormAssociatedElements* we're currently iterating over by inserting
new form controls beneath the form element we're in the process of submitting. This happens because
FormSubmission::create calls HTMLTextAreaElement::appendFormData, which requires layout to be up to date, which
in turn makes us updateLayout() and set focus, which fires a `change` event, upon which the page's JavaScript
inserts additonal DOM nodes into the form, modifying the vector of associated elements.
To mitigate this, instead of iterating over HTMLFormElement::associatedElements(), which returns a reference to
the HTMLFormElement's actual m_associatedElements vector, we iterate over a new vector of
Ref<FormAssociatedElement>s created from m_associatedElements.
This patch also removes an event dispatch assertion added in r212026. This assertion was added to catch any
other events dispatched in this scope, since dispatching events there would have had security implications, but
after making iteration over associated elements robust, this NoEventDispatchAssertion is no longer useful.
Test: fast/forms/append-children-during-form-submission.html
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
LayoutTests:
Adds a new test to make sure we don't crash when mutating a form's associated elements during form submission.
* fast/forms/append-children-during-form-submission-expected.txt: Added.
* fast/forms/append-children-during-form-submission.html: Added.
Canonical link: https://commits.webkit.org/193339@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222005 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-09-14 01:49:05 +00:00
|
|
|
</body>
|
|
|
|
|
</html>
|