REGRESSION(r256715): XSLTProcessor does not parse script when transfo…

…rming to document

https://bugs.webkit.org/show_bug.cgi?id=226087

Reviewed by Darin Adler.

Source/WebCore:

Allow JavaScript if context document is null to match old behavior before r256715.

Test: fast/xsl/xslt-transform-script.html

* dom/Document.cpp:
(WebCore::Document::allowsContentJavaScript const):

LayoutTests:

* fast/xsl/xslt-transform-script.html: Added.
* fast/xsl/xslt-transform-script-expected.txt: Added.


Canonical link: https://commits.webkit.org/238078@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277951 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,13 @@
+2021-05-24  Sihui Liu  <sihui_liu@apple.com>
+
+        REGRESSION(r256715): XSLTProcessor does not parse script when transforming to document
+        https://bugs.webkit.org/show_bug.cgi?id=226087
+
+        Reviewed by Darin Adler.
+
+        * fast/xsl/xslt-transform-script.html: Added.
+        * fast/xsl/xslt-transform-script-expected.txt: Added.
+
 2021-05-21  Jonathan Bedard  <jbedard@apple.com>
 
         [LayoutTests] Delete unused LayoutTests/http resources

LayoutTests/fast/xsl/xslt-transform-script-expected.txt

@@ -0,0 +1 @@
+<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body><a href="javascript:alert(1)">test word</a></body></html>

LayoutTests/fast/xsl/xslt-transform-script.html

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="result"></div>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    var xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><test>test word</test>";
+    var xmlParser = new DOMParser();
+    var parsedXML = xmlParser.parseFromString(xml, "text/xml");
+
+    var xsl = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> \
+        <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"> \
+        <xsl:template match=\"/\"> \
+            <html> \
+            <body> \
+                <a href=\"javascript:alert(1)\"><xsl:value-of select=\"test\"/></a> \
+            </body> \
+            </html> \
+        </xsl:template> \
+        </xsl:stylesheet>"; 
+    var xslParser = new DOMParser();
+    var parsedXSL = xslParser.parseFromString(xsl, "text/xml");
+
+    var xslt = new XSLTProcessor();
+    xslt.importStylesheet(parsedXSL); 
+
+    var transformedXML = xslt.transformToDocument(parsedXML);
+    var string = new XMLSerializer().serializeToString(transformedXML);
+    var textNode = document.createTextNode(string);
+    document.getElementById('result').appendChild(textNode);
+</script>
+</body>
+</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,17 @@
+2021-05-24  Sihui Liu  <sihui_liu@apple.com>
+
+        REGRESSION(r256715): XSLTProcessor does not parse script when transforming to document
+        https://bugs.webkit.org/show_bug.cgi?id=226087
+
+        Reviewed by Darin Adler.
+
+        Allow JavaScript if context document is null to match old behavior before r256715.
+
+        Test: fast/xsl/xslt-transform-script.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::allowsContentJavaScript const):
+
 2021-05-24  Tim Nguyen  <ntim@apple.com>
 
         Clean up handling of `-webkit-inline-flex`/`-webkit-flex` CSS display values

Source/WebCore/dom/Document.cpp

@@ -7072,7 +7072,7 @@ bool Document::allowsContentJavaScript() const
     if (!m_frame || m_frame->document() != this) {
         // If this Document is frameless or in the wrong frame, its context document
         // must allow for it to run content JavaScript.
-        return m_contextDocument && m_contextDocument->allowsContentJavaScript();
+        return !m_contextDocument || m_contextDocument->allowsContentJavaScript();
     }
 
     return m_frame->loader().client().allowsContentJavaScriptFromMostRecentNavigation() == AllowsContentJavaScript::Yes;