Bug 254692

Summary: innerHTML and outerHTML escapes <, >, &, and nbsp inside `noscript`
Product: WebKit Reporter: Ahmad Saleem <ahmad.saleem792>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: annevk, cdumez, karlcow, rniwa, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar, WPTImpact
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Ahmad Saleem 2023-03-29 14:33:39 PDT 
Hi Team,

This is last standing bug to make us parity with other browser engines (Blink & Gecko) [pass them all] and it has impact on following WPT tests:

>> html/syntax/serializing-html-fragments/serializing.html
>> html/syntax/parsing-html-fragments/tokenizer-modes-001.html

It can be done by adding 'noscript' below but with some considerations:

https://github.com/WebKit/WebKit/commit/a641fc693f57c0b0910a0c2bbb13796b34544ef1#diff-f783bf306bb85322c91bd87f08bb25550a2b7cbc13a6eb929f5ae9283c17e3c2

________________

Blink Commit (Initial for Support) - https://chromium-review.googlesource.com/c/chromium/src/+/886646

Blink Commit (Post above - Security Bug) - https://chromium.googlesource.com/chromium/src/+/4193ecf74963e69eb6b635d429ed5944bf30124a

^ I didn't added 'noscript' due to lack of skills and with opportunity that it could lead to similar or any other security issue. Hence, I would leave it with someone else to fix it.

_________________

Appreciate if someone can take it up and fix this last remaining bit.

Thanks!
Comment 1 Ahmad Saleem 2023-04-04 15:00:08 PDT 
I am not sure about 'GetExecutionContext()', but this can be something possible:

    if (parentName) {
        bool isNoscriptTagWithScriptEnabled = *parentName == noscriptTag && text.script() && text.document().domWindow() && text.script()->canExecuteScripts(NotAboutToExecuteScript);
        if (*parentName == scriptTag || *parentName == styleTag || *parentName == xmpTag
        || *parentName == noembedTag || *parentName == noframesTag || *parentName == plaintextTag
        || *parentName == iframeTag || isNoscriptTagWithScriptEnabled)
        return EntityMaskInCDATA;
    return EntityMaskInHTMLPCDATA;
    }

In above 'script()' is wrong, I thought it might be equivalent of 'GetExecutionContext()' but I got build error as below:

no member named 'script' in 'WebCore::Text'
Comment 2 Radar WebKit Bug Importer 2023-04-05 14:34:17 PDT 
<rdar://problem/107678717>
Comment 3 Ryosuke Niwa 2023-05-02 18:45:53 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/13388
Comment 4 EWS 2023-05-03 09:34:31 PDT 
Committed 263633@main (b731e7a77411): <https://commits.webkit.org/263633@main>

Reviewed commits have been landed. Closing PR #13388 and removing active labels.