REGRESSION(r256715): XSLTProcessor does not parse script when transforming to document

https://bugs.webkit.org/show_bug.cgi?id=226087

Reviewed by Darin Adler.

Source/WebCore:

Allow JavaScript if context document is null to match old behavior before r256715.

Test: fast/xsl/xslt-transform-script.html

* dom/Document.cpp:
(WebCore::Document::allowsContentJavaScript const):

LayoutTests:

* fast/xsl/xslt-transform-script.html: Added.
* fast/xsl/xslt-transform-script-expected.txt: Added.


Canonical link: https://commits.webkit.org/238078@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
szewai committed May 24, 2021
1 parent b49f5ca commit d67ac4c62e52c64f5be83cddc7bf2c41c5348c52
Showing 5 changed files with 61 additions and 1 deletion.
@@ -1,3 +1,13 @@
2021-05-24 Sihui Liu <sihui_liu@apple.com>

REGRESSION(r256715): XSLTProcessor does not parse script when transforming to document
https://bugs.webkit.org/show_bug.cgi?id=226087

Reviewed by Darin Adler.

* fast/xsl/xslt-transform-script.html: Added.
* fast/xsl/xslt-transform-script-expected.txt: Added.

2021-05-21 Jonathan Bedard <jbedard@apple.com>

[LayoutTests] Delete unused LayoutTests/http resources
@@ -0,0 +1 @@
<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body><a href="javascript:alert(1)">test word</a></body></html>
@@ -0,0 +1,35 @@
<!DOCTYPE html>
<html>
<body>
<div id="result"></div>
<script>
if (window.testRunner)
testRunner.dumpAsText();

var xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><test>test word</test>";
var xmlParser = new DOMParser();
var parsedXML = xmlParser.parseFromString(xml, "text/xml");

var xsl = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> \
<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"> \
<xsl:template match=\"/\"> \
<html> \
<body> \
<a href=\"javascript:alert(1)\"><xsl:value-of select=\"test\"/></a> \
</body> \
</html> \
</xsl:template> \
</xsl:stylesheet>";
var xslParser = new DOMParser();
var parsedXSL = xslParser.parseFromString(xsl, "text/xml");

var xslt = new XSLTProcessor();
xslt.importStylesheet(parsedXSL);

var transformedXML = xslt.transformToDocument(parsedXML);
var string = new XMLSerializer().serializeToString(transformedXML);
var textNode = document.createTextNode(string);
document.getElementById('result').appendChild(textNode);
</script>
</body>
</html>
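
Review bot: The test only exercises the case this change relaxes (a document returned by transformToDocument(), with a javascript: href in the output), so it would still pass if allowsContentJavaScript() returned true for every frameless document. If the test harness can express it, add a companion case in which a context document exists and disallows content JavaScript, and assert the opposite result. A short description in the test body would also help, since the title speaks of "parse script" while the check is that `href="javascript:alert(1)"` survives serialization.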
@@ -1,3 +1,17 @@
2021-05-24 Sihui Liu <sihui_liu@apple.com>

REGRESSION(r256715): XSLTProcessor does not parse script when transforming to document
https://bugs.webkit.org/show_bug.cgi?id=226087

Reviewed by Darin Adler.

Allow JavaScript if context document is null to match old behavior before r256715.

Test: fast/xsl/xslt-transform-script.html

* dom/Document.cpp:
(WebCore::Document::allowsContentJavaScript const):

2021-05-24 Tim Nguyen <ntim@apple.com>

Clean up handling of `-webkit-inline-flex`/`-webkit-flex` CSS display values
@@ -7072,7 +7072,7 @@ bool Document::allowsContentJavaScript() const
if (!m_frame || m_frame->document() != this) {
// If this Document is frameless or in the wrong frame, its context document
// must allow for it to run content JavaScript.
return m_contextDocument && m_contextDocument->allowsContentJavaScript();
return !m_contextDocument || m_contextDocument->allowsContentJavaScript();
}

return m_frame->loader().client().allowsContentJavaScriptFromMostRecentNavigation() == AllowsContentJavaScript::Yes;
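
Review bot: The comment above the changed return in Document::allowsContentJavaScript() is now out of date: it still says the context document "must allow" content JavaScript, but `!m_contextDocument || m_contextDocument->allowsContentJavaScript()` returns true when there is no context document at all. Please update the comment to name the null case and say why allowing it is intended; the ChangeLog entry only says it matches the behavior before r256715, and this line now makes a frameless document without a context document allow script by default.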
