[Hardening] Early return in JSLazyEventListener::initializeJSFunction…

…() if !settings().scriptMarkupEnabled() https://bugs.webkit.org/show_bug.cgi?id=233646 Reviewed by Geoff Garen. Early return in JSLazyEventListener::initializeJSFunction() if !settings().scriptMarkupEnabled() as a hardening measure. * bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction const): Canonical link: https://commits.webkit.org/244683@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286324 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Nov 30, 2021 · d8c312391a0fa5f3effece31a0eda4ee0c757eab · d8c3123
1 parent 140dbd3
commit d8c312391a0fa5f3effece31a0eda4ee0c757eab
Showing with 17 additions and 0 deletions.

+13 −0 Source/WebCore/ChangeLog

+4 −0 Source/WebCore/bindings/js/JSLazyEventListener.cpp
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2021-11-30  Chris Dumez  <cdumez@apple.com>
+
+        [Hardening] Early return in JSLazyEventListener::initializeJSFunction() if !settings().scriptMarkupEnabled()
+        https://bugs.webkit.org/show_bug.cgi?id=233646
+
+        Reviewed by Geoff Garen.
+
+        Early return in JSLazyEventListener::initializeJSFunction() if !settings().scriptMarkupEnabled() as a
+        hardening measure.
+
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction const):
+
 2021-11-30  Chris Dumez  <cdumez@apple.com>
 
         html/semantics/forms/constraints/form-validation-validity-customError.html WPT test is failing

diff --git a/Source/WebCore/bindings/js/JSLazyEventListener.cpp b/Source/WebCore/bindings/js/JSLazyEventListener.cpp
@@ -139,6 +139,10 @@ JSObject* JSLazyEventListener::initializeJSFunction(ScriptExecutionContext& exec
     if (!script.canExecuteScripts(AboutToCreateEventListener) || script.isPaused())
         return nullptr;
 
+    ASSERT_WITH_MESSAGE(document.settings().scriptMarkupEnabled(), "Scripting element attributes should have been stripped during parsing");
+    if (UNLIKELY(!document.settings().scriptMarkupEnabled()))
+        return nullptr;
+
     if (!executionContextDocument.frame())
         return nullptr;
     auto* globalObject = toJSDOMWindow(*executionContextDocument.frame(), isolatedWorld());