Merge r241608 - [WebVTT] Inline WebVTT styles should start with '::cue'

https://bugs.webkit.org/show_bug.cgi?id=194227 Reviewed by Eric Carlson. Source/WebCore: The original fix in r241203 is not sufficient, since it only checks if the CSS string starts with '::cue'. Before accepting a CSS string from a WebVTT file, it should be checked that all selectors starts with '::cue'. Test: media/track/track-cue-css.html * html/track/WebVTTParser.cpp: (WebCore::WebVTTParser::checkAndStoreStyleSheet): LayoutTests: Add invalid 'STYLE' blocks which the WebVTT parser should reject. * media/track/captions-webvtt/css-styling.vtt:
WebKit · Feb 18, 2019 · 15c36ce · 15c36ce
1 parent 6d6b3d0
commit 15c36ce
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 10 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2019-02-15  Per Arne Vollan  <pvollan@apple.com>
+
+        [WebVTT] Inline WebVTT styles should start with '::cue'
+        https://bugs.webkit.org/show_bug.cgi?id=194227
+
+        Reviewed by Eric Carlson.
+
+        Add invalid 'STYLE' blocks which the WebVTT parser should reject.
+
+        * media/track/captions-webvtt/css-styling.vtt:
+
 2019-02-15  Zalan Bujtas  <zalan@apple.com>
 
         [LFC] Out-of-flow box is never a float box

diff --git a/LayoutTests/media/track/captions-webvtt/css-styling.vtt b/LayoutTests/media/track/captions-webvtt/css-styling.vtt
@@ -31,6 +31,39 @@ color: blue;
 font-size: 25px;
 }
 
+NOTE the following style block should be discarded since it has a 'video::cue' selector.
+
+STYLE
+::cue {
+color: blue
+font-size: 25px;
+}
+video::cue {
+color: blue;
+font-size: 25px;
+}
+
+NOTE the following style blocks should be discarded since they are invalid in WebVTT files.
+
+STYLE
+::cue,video::cue {
+color: blue;
+font-size: 25px;
+}
+
+STYLE
+color: yellow;
+
+NOTE @import and @namespace CSS rules should not be allowed in WebVTT files.
+NOTE TODO: create a proper testcase for this, see https://bugs.webkit.org/show_bug.cgi?id=194708.
+
+STYLE
+@import url('test.css');
+
+STYLE
+@namespace Foo "test";
+
+
 hello
 00:00:00.000 --> 00:00:10.000
 <b>Hello</b> first cue.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2019-02-15  Per Arne Vollan  <pvollan@apple.com>
+
+        [WebVTT] Inline WebVTT styles should start with '::cue'
+        https://bugs.webkit.org/show_bug.cgi?id=194227
+
+        Reviewed by Eric Carlson.
+
+        The original fix in r241203 is not sufficient, since it only checks if the CSS string starts
+        with '::cue'. Before accepting a CSS string from a WebVTT file, it should be checked that
+        all selectors starts with '::cue'.
+
+        Test: media/track/track-cue-css.html
+
+        * html/track/WebVTTParser.cpp:
+        (WebCore::WebVTTParser::checkAndStoreStyleSheet):
+
 2019-02-15  Youenn Fablet  <youenn@apple.com>
 
         Make ServiceWorkerClientFetch closer to WebResourceLoader

diff --git a/Source/WebCore/html/track/WebVTTParser.cpp b/Source/WebCore/html/track/WebVTTParser.cpp
@@ -39,6 +39,8 @@
 #include "HTMLParserIdioms.h"
 #include "ISOVTTCue.h"
 #include "ProcessingInstruction.h"
+#include "StyleRule.h"
+#include "StyleRuleImport.h"
 #include "StyleSheetContents.h"
 #include "Text.h"
 #include "VTTScanner.h"
@@ -369,21 +371,38 @@ bool WebVTTParser::checkAndStoreStyleSheet(const String& line)
     if (!line.isEmpty() && !line.contains("-->"))
         return false;
 
-    auto styleSheet = m_currentStyleSheet.stripWhiteSpace();
+    auto styleSheet = WTFMove(m_currentStyleSheet);
 
-    // Inline VTT styles must start with ::cue.
-    if (!styleSheet.startsWith("::cue")) {
-        m_currentStyleSheet = emptyString();
+    auto contents = StyleSheetContents::create();
+    if (!contents->parseString(styleSheet))
         return true;
-    }
 
-    auto contents = StyleSheetContents::create();
-    if (!contents->parseString(styleSheet)) {
-        m_currentStyleSheet = emptyString();
+    auto& namespaceRules = contents->namespaceRules();
+    if (namespaceRules.size())
+        return true;
+
+    auto& importRules = contents->importRules();
+    if (importRules.size())
+        return true;
+
+    auto& childRules = contents->childRules();
+    if (!childRules.size())
         return true;
-    }
 
-    m_styleSheets.append(WTFMove(m_currentStyleSheet));
+    for (auto rule : childRules) {
+        if (!rule->isStyleRule())
+            return true;
+        const auto& styleRule = downcast<StyleRule>(rule.get());
+
+        const auto& selectorList = styleRule->selectorList();
+        if (selectorList.listSize() != 1)
+            return true;
+        auto selector = selectorList.selectorAt(0);
+        if (selector->selectorText() != "::cue")
+            return true;
+    }
+
+    m_styleSheets.append(styleSheet);
     return true;
 }