Title: [284660] trunk
Revision
284660
Author
cdu...@apple.com
Date
2021-10-21 17:46:04 -0700 (Thu, 21 Oct 2021)

Log Message

Form submission should be cancelled if the form gets detached from inside the formdata event handler
https://bugs.webkit.org/show_bug.cgi?id=232114

Reviewed by Alex Christensen.

Source/WebCore:

Per the HTML specification [1], form submission should abort if the form cannot navigate (which is true
when the form is detached). The algorithm in the specification does the check twice, once at the very
beginning (Step 1 in the spec), and again after calling the "constructing the entry list" algorithm
(step 9 in the spec). The reason we need to do the check again is that the "constructing the entry list"
algorithm fires the "formdata" event and may thus run JavaScript and the JS can detach the form element.

In HTMLFormElement::submit(), we were doing the "form is connected" check only at the beginning
of the function and failing to do so after constructing the FormSubmission object (which ends up constructing
the entry list). This patch fixes that.

[1] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#concept-form-submit

Test: fast/forms/remove-form-inside-formdata-event.html

* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):

LayoutTests:

Add layout test coverage.

* fast/forms/remove-form-inside-formdata-event-expected.txt: Added.
* fast/forms/remove-form-inside-formdata-event.html: Added.
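As an added example that is not part of this commit or of WebKit's code, the following plain JavaScript models the spec algorithm the ChangeLog describes. The form, its controls and the formdata event are constructed stand-ins (no real DOM); only the control flow mirrors the specification's "form submission" and "constructing the entry list" steps. The `checkAfterEntryList` switch is an assumption of this model used to compare the pre-fix and post-fix behaviour: without the second check, a listener that detaches the form while the algorithm is running still results in a navigation from a form that is no longer in the document.

```javascript
// Added example (not WebKit code): a minimal model of the HTML spec's form
// submission algorithm, showing why the "cannot navigate" check must be
// repeated after "constructing the entry list", which fires the formdata
// event and therefore runs arbitrary page script.
//
// FakeForm is a constructed stand-in for HTMLFormElement; only isConnected,
// remove() and formdata listeners are modelled.
class FakeForm {
  constructor(controls) {
    this.controls = controls;   // [{ name, value }, ...]
    this.isConnected = true;    // false once detached from the document
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === "formdata") this.listeners.push(fn);
  }
  remove() {                    // stand-in for Element.remove()
    this.isConnected = false;
  }
}

// Mirrors "constructing the entry list": gather the controls, then fire
// formdata on the form. Listeners may mutate the form or the document, so
// nothing established before this call can be assumed to hold afterwards.
function constructEntryList(form) {
  const entries = form.controls.map(c => [c.name, c.value]);
  const event = { type: "formdata", formData: entries };
  for (const fn of form.listeners) fn(event);
  return event.formData;
}

// The submit algorithm with both "cannot navigate" checks. checkAfterEntryList
// is a model-only switch: false reproduces the pre-fix behaviour (step 9 skipped).
function submitForm(form, { checkAfterEntryList = true } = {}) {
  // Step 1: the form cannot navigate (here: it is detached) -> abort.
  if (!form.isConnected) return { outcome: "aborted-before-formdata" };

  const entryList = constructEntryList(form);   // runs page script

  // Step 9: re-check, because a formdata handler may have detached the form.
  if (checkAfterEntryList && !form.isConnected) {
    return { outcome: "aborted-after-formdata" };
  }
  return { outcome: "navigated", entryList };
}

// Build a one-control form (constructed sample input) and submit it under
// the requested conditions.
function runScenario({ detachBefore = false, detachInHandler = false, checkAfterEntryList = true } = {}) {
  const form = new FakeForm([{ name: "foo", value: "bar" }]);
  if (detachBefore) form.remove();
  if (detachInHandler) form.addEventListener("formdata", () => form.remove());
  return submitForm(form, { checkAfterEntryList });
}

// Stand-alone run: print the three interesting cases.
console.log("fixed, detached in handler :", runScenario({ detachInHandler: true }).outcome);
console.log("pre-fix, detached in handler:", runScenario({ detachInHandler: true, checkAfterEntryList: false }).outcome);
console.log("detached before submit     :", runScenario({ detachBefore: true }).outcome);
```

The lesson generalises beyond forms: any browser-engine algorithm that dispatches an event in the middle of its work has to re-validate every precondition it checked before the dispatch, since the event handler is attacker-controlled script.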

Diff

Modified: trunk/LayoutTests/ChangeLog (284659 => 284660)


--- trunk/LayoutTests/ChangeLog	2021-10-22 00:33:37 UTC (rev 284659)
+++ trunk/LayoutTests/ChangeLog	2021-10-22 00:46:04 UTC (rev 284660)
@@ -1,3 +1,15 @@
+2021-10-21  Chris Dumez  <cdu...@apple.com>
+
+        Form submission should be cancelled if the form gets detached from inside the formdata event handler
+        https://bugs.webkit.org/show_bug.cgi?id=232114
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * fast/forms/remove-form-inside-formdata-event-expected.txt: Added.
+        * fast/forms/remove-form-inside-formdata-event.html: Added.
+
 2021-10-21  Eric Hutchison  <ehutchi...@apple.com>
 
         [ iOS15 Sim EWS ]imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html is a text failure.

Added: trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event-expected.txt (0 => 284660)


--- trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event-expected.txt	2021-10-22 00:46:04 UTC (rev 284660)
@@ -0,0 +1,10 @@
+Tests that form submission gets cancelled when the form gets detached from inside the formdata event handler.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame.contentWindow.location.href.indexOf('test2.txt') != -1 is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event.html (0 => 284660)


--- trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/remove-form-inside-formdata-event.html	2021-10-22 00:46:04 UTC (rev 284660)
@@ -0,0 +1,31 @@
+<DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Tests that form submission gets cancelled when the form gets detached from inside the formdata event handler.");
+jsTestIsAsync = true;
+ 
+_onload_ = () => {
+    let form = document.getElementById("testForm");
+    frame = document.getElementById("testFrame");
+    frame._onload_ = () => {
+        // Form submission should have been cancelled since the form was detached in the
+        // formdata event handler. As a result, we should continue the origin test2.txt
+        // navigation instead of doing the test.txt form navigation.
+        shouldBeTrue("frame.contentWindow.location.href.indexOf('test2.txt') != -1");
+        finishJSTest();
+    };
+    form.addEventListener('formdata', e => {
+        form.remove();
+    });
+    frame.src = ""
+    form.submit();
+}
+</script>
+<iframe id="testFrame" name="testFrame" style="display:none"></iframe>
+<form id="testForm" action="" target="testFrame" style="display:none">
+    <input name="foo" value="bar">
+<form>
+</body>
+</html>
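Review bot: the closing tag for the form is written as `<form>` (a second start tag) rather than `</form>`, and the doctype reads `<DOCTYPE html>` without the `!`; both are tolerated by the parser but should be corrected so the test file is well-formed. As rendered on this page the `src` and `action` attributes are empty strings, so the `test.txt`/`test2.txt` resources that the comment and the `indexOf('test2.txt')` check refer to cannot be verified from the diff; please confirm the committed file carries the intended URLs.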

Modified: trunk/Source/WebCore/ChangeLog (284659 => 284660)


--- trunk/Source/WebCore/ChangeLog	2021-10-22 00:33:37 UTC (rev 284659)
+++ trunk/Source/WebCore/ChangeLog	2021-10-22 00:46:04 UTC (rev 284660)
@@ -1,5 +1,29 @@
 2021-10-21  Chris Dumez  <cdu...@apple.com>
 
+        Form submission should be cancelled if the form gets detached from inside the formdata event handler
+        https://bugs.webkit.org/show_bug.cgi?id=232114
+
+        Reviewed by Alex Christensen.
+
+        Per the HTML specification [1], form submission should abort if the form cannot navigate (which is true
+        when the form is detached). The algorithm in the specification does the check twice, once at the very
+        beginning (Step 1 in the spec), and again after calling the "constructing the entry list" algorithm
+        (step 9 in the spec). The reason we need to do the check again is that the "constructing the entry list"
+        algorithm fires the "formdata" event and may thus run _javascript_ and the JS can detach the form element.
+
+        In HTMLFormElement::submit(), we were doing only the "form is connected" check only at the beginning
+        of the function and failing to do so after constructing the FormSubmission object (which ends up constructing
+        the entry list). This patch fixes that.
+
+        [1] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#concept-form-submit
+
+        Test: fast/forms/remove-form-inside-formdata-event.html
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::submit):
+
+2021-10-21  Chris Dumez  <cdu...@apple.com>
+
         RELEASE_ASSERT(result) under FormSubmission::create()
         https://bugs.webkit.org/show_bug.cgi?id=232112
 

Modified: trunk/Source/WebCore/html/HTMLFormElement.cpp (284659 => 284660)


--- trunk/Source/WebCore/html/HTMLFormElement.cpp	2021-10-22 00:33:37 UTC (rev 284659)
+++ trunk/Source/WebCore/html/HTMLFormElement.cpp	2021-10-22 00:46:04 UTC (rev 284660)
@@ -402,6 +402,10 @@
 
     auto shouldLockHistory = processingUserGesture ? LockHistory::No : LockHistory::Yes;
     auto formSubmission = FormSubmission::create(*this, submitter, m_attributes, event, shouldLockHistory, trigger);
+
+    if (!isConnected())
+        return;
+
     if (m_plannedFormSubmission)
         m_plannedFormSubmission->cancel();
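Review bot: the new `if (!isConnected()) return;` after `FormSubmission::create(...)` has no comment explaining why connectedness is checked a second time; a one-line note citing spec step 9 (the formdata event fired while constructing the entry list can run script that detaches the form) would keep that reasoning in the code rather than only in the ChangeLog. Note also that this early return skips the `m_plannedFormSubmission->cancel()` just below it, so a previously planned submission is left pending on this path; please confirm that is intended, and that `isConnected()` is the full extent of the spec's "cannot navigate" condition that this code needs to cover.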
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
