[webkit-changes] [191626] trunk

Tue, 27 Oct 2015 10:54:59 -0700

Title: [191626] trunk
Revision
191626
Author
commit-qu...@webkit.org
Date
2015-10-27 10:53:56 -0700 (Tue, 27 Oct 2015)

Log Message

Do not sanitize user input for input[type=url]
https://bugs.webkit.org/show_bug.cgi?id=150346
<rdar://problem/23243240>

Patch by Keith Rollin <krol...@apple.com> on 2015-10-27
Reviewed by Darin Adler.

Source/WebCore:

Do not sanitize user input in text-based input fields that support
the Selection API, in order to not break _javascript_ code that expects
element.value to match what's on the screen.

Test: fast/forms/input-user-input-sanitization.html

* html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::subtreeHasChanged):

LayoutTests:

Test the sanitization of text-based input fields when the user enters
text.

* fast/forms/input-user-input-sanitization-expected.txt: Added.
* fast/forms/input-user-input-sanitization.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (191625 => 191626)


--- trunk/LayoutTests/ChangeLog	2015-10-27 17:48:51 UTC (rev 191625)
+++ trunk/LayoutTests/ChangeLog	2015-10-27 17:53:56 UTC (rev 191626)
@@ -1,3 +1,17 @@
+2015-10-27  Keith Rollin  <krol...@apple.com>
+
+        Do not sanitize user input for input[type=url]
+        https://bugs.webkit.org/show_bug.cgi?id=150346
+        <rdar://problem/23243240>
+
+        Reviewed by Darin Adler.
+
+        Test the sanitization of text-based input fields when the user enters
+        text.
+
+        * fast/forms/input-user-input-sanitization-expected.txt: Added.
+        * fast/forms/input-user-input-sanitization.html: Added.
+
 2015-10-27  Michael Saboff  <msab...@apple.com>
 
         REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple._javascript_Core: JSC::FTL:: + 386

Added: trunk/LayoutTests/fast/forms/input-user-input-sanitization-expected.txt (0 => 191626)


--- trunk/LayoutTests/fast/forms/input-user-input-sanitization-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/input-user-input-sanitization-expected.txt	2015-10-27 17:53:56 UTC (rev 191626)
@@ -0,0 +1,15 @@
+Check whether or not sanitization is performed on user input in text-input elements.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS focusAndType("email", "   foo...@example.com   ").value is "foo...@example.com"
+PASS focusAndType("password", "   foobar   ").value is "   foobar   "
+PASS focusAndType("search", "   foobar   ").value is "   foobar   "
+PASS focusAndType("telephone", "   123-456-7890   ").value is "   123-456-7890   "
+PASS focusAndType("text", "   foobar   ").value is "   foobar   "
+PASS focusAndType("url", "   https://foobar.example.com   ").value is "   https://foobar.example.com   "
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/input-user-input-sanitization.html (0 => 191626)


--- trunk/LayoutTests/fast/forms/input-user-input-sanitization.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/input-user-input-sanitization.html	2015-10-27 17:53:56 UTC (rev 191626)
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+
+<body>
+
+<div id="container">
+    <input id="email" type="email">
+    <input id="password" type="password">
+    <input id="search" type="search">
+    <input id="telephone" type="telephone">
+    <input id="text" type="text">
+    <input id="url" type="url">
+</div>
+
+<script>
+function focusAndType(id, text)
+{
+    var input = document.getElementById(id);
+    input.focus();
+    for (var i = 0, len = text.length; i < len; i++) {
+        eventSender.keyDown(text[i]);
+    }
+    return input;
+}
+
+function testOne(id, text, expected)
+{
+    result = expected || text;
+    shouldBeEqualToString('focusAndType("' + id + '", "' + text + '").value', result);
+}
+
+description("Check whether or not sanitization is performed on user input in text-input elements.");
+
+testOne("email",     "   foo...@example.com   ", "foo...@example.com");
+testOne("password",  "   foobar   ");
+testOne("search",    "   foobar   ");
+testOne("telephone", "   123-456-7890   ");
+testOne("text",      "   foobar   ");
+testOne("url",       "   https://foobar.example.com   ");
+</script>
+
+<script src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (191625 => 191626)


--- trunk/Source/WebCore/ChangeLog	2015-10-27 17:48:51 UTC (rev 191625)
+++ trunk/Source/WebCore/ChangeLog	2015-10-27 17:53:56 UTC (rev 191626)
@@ -1,3 +1,20 @@
+2015-10-27  Keith Rollin  <krol...@apple.com>
+
+        Do not sanitize user input for input[type=url]
+        https://bugs.webkit.org/show_bug.cgi?id=150346
+        <rdar://problem/23243240>
+
+        Reviewed by Darin Adler.
+
+        Do not sanitize user input in text-based input fields that support
+        the Selection API, in order to not break _javascript_ code that expects
+        element.value to match what's on the screen.
+
+        Test: fast/forms/input-user-input-sanitization.html
+
+        * html/TextFieldInputType.cpp:
+        (WebCore::TextFieldInputType::subtreeHasChanged):
+
 2015-10-20  Zalan Bujtas  <za...@apple.com>
 
         Subpixel layout: Convert RenderTable* and AutoTableLayout to use LayoutUnit.

Modified: trunk/Source/WebCore/html/HTMLInputElement.cpp (191625 => 191626)


--- trunk/Source/WebCore/html/HTMLInputElement.cpp	2015-10-27 17:48:51 UTC (rev 191625)
+++ trunk/Source/WebCore/html/HTMLInputElement.cpp	2015-10-27 17:53:56 UTC (rev 191626)
@@ -1042,10 +1042,14 @@
     ASSERT(!isFileUpload());
 
     // Renderer and our event handler are responsible for sanitizing values.
-    ASSERT(value == sanitizeValue(value) || sanitizeValue(value).isEmpty());
+    // Input types that support the selection API do *not* sanitize their
+    // user input in order to retain parity between what's in the model and
+    // what's on the screen.
+    ASSERT(m_inputType->supportsSelectionAPI() || value == sanitizeValue(value) || sanitizeValue(value).isEmpty());
 
     // Workaround for bug where trailing \n is included in the result of textContent.
-    // The assert macro above may also be simplified to: value == constrainValue(value)
+    // The assert macro above may also be simplified by removing the _expression_
+    // that calls isEmpty.
     // http://bugs.webkit.org/show_bug.cgi?id=9661
     m_valueIfDirty = value == "\n" ? emptyString() : value;

Modified: trunk/Source/WebCore/html/TextFieldInputType.cpp (191625 => 191626)


--- trunk/Source/WebCore/html/TextFieldInputType.cpp	2015-10-27 17:48:51 UTC (rev 191625)
+++ trunk/Source/WebCore/html/TextFieldInputType.cpp	2015-10-27 17:53:56 UTC (rev 191626)
@@ -497,8 +497,17 @@
     // We don't need to call sanitizeUserInputValue() function here because
     // HTMLInputElement::handleBeforeTextInsertedEvent() has already called
     // sanitizeUserInputValue().
+    // ---
     // sanitizeValue() is needed because IME input doesn't dispatch BeforeTextInsertedEvent.
-    element().setValueFromRenderer(sanitizeValue(convertFromVisibleValue(element().innerTextValue())));
+    // ---
+    // Input types that support the selection API do *not* sanitize their
+    // user input in order to retain parity between what's in the model and
+    // what's on the screen. Otherwise, we retain the sanitization process for
+    // backward compatibility. https://bugs.webkit.org/show_bug.cgi?id=150346
+    String innerText = convertFromVisibleValue(element().innerTextValue());
+    if (!supportsSelectionAPI())
+        innerText = sanitizeValue(innerText);
+    element().setValueFromRenderer(innerText);
     element().updatePlaceholderVisibility();
     // Recalc for :invalid change.
     element().setNeedsStyleRecalc();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to