Closed Bug 1945800 Opened 20 days ago Closed 17 days ago

[wpt-sync] Sync PR 50486 - [Sanitizer API] Update default handling for comments and data-*.

Categories

(Core :: DOM: Security, task, P4)

Tracking

RESOLVED FIXED
137 Branch
Tracking Status
firefox137 --- fixed

People

(Reporter: wpt-sync, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 50486 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/50486
Details from upstream follow.

Daniel Vogelheim <vogelheim@chromium.org> wrote:

[Sanitizer API] Update default handling for comments and data-*.

This tracks development of the spec:
https://github.com/WICG/sanitizer-api/pull/254

The PR makes the default for "comments:" and "dataAttributes:" keys in
the configuration depend on whether this is for safe or unsafe use. That
requires a bit of plumbing, since now the logic to interpret a config
depends on a new flag. Also adds test cases.

Bug: 356601280
Change-Id: I076c5418006b0dc35babbffd7d991e04c0f1d522
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6189121
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1415510}

Component: web-platform-tests → DOM: Security
Product: Testing → Core

CI Results

Ran 8 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 4 tests and 17 subtests

Status Summary

Firefox

OK : 4
PASS: 25
FAIL: 128

Chrome

OK : 4
PASS: 1
FAIL: 152

Safari

OK : 4
PASS: 25
FAIL: 128

Details

New Tests That Don't Pass

  • /sanitizer-api/sanitizer-basic-filtering.tentative.html [wpt.fyi]
    • setHTML testcase text/0, "text": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase text/0, "text": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase elements/0, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase elements/0, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase elements/1, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase elements/1, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase elements/1, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase elements/1, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase elements/2, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase elements/2, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase elements/2, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase elements/2, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase elements/3, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase elements/3, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase elements/3, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase elements/3, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase elements/4, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase elements/4, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase elements/4, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase elements/4, "<div><p>Hello <b>World!</b>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase attributes/0, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase attributes/0, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase attributes/1, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase attributes/1, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase attributes/1, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase attributes/1, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase attributes/2, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase attributes/2, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase attributes/2, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase attributes/2, "<p id="hello" style="font-weight: bold">x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase attributes-per-element/0, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase attributes-per-element/0, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase attributes-per-element/0, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase attributes-per-element/0, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase attributes-per-element/1, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase attributes-per-element/1, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase attributes-per-element/1, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase attributes-per-element/1, "<div style="font-weight: bold" class="bourgeoisie">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase comments/0, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase comments/0, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase comments/1, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase comments/1, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase comments/1, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase comments/1, "a <!-- comment --> b": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase dataAttributes/0, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase dataAttributes/0, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase dataAttributes/0, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase dataAttributes/0, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase dataAttributes/1, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase dataAttributes/1, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase dataAttributes/1, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase dataAttributes/1, "<p data-x="1" data-y="2" data-z="3">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/0, "<svg><rect></svg><math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/0, "<svg><rect></svg><math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/1, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/1, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/1, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/1, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/2, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/2, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/3, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/3, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/3, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/3, "<svg><rect>": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/4, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/4, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/4, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/4, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/5, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/5, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/6, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/6, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/6, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/6, "<math><mi>x": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/7, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/7, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/8, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/8, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/8, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/8, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTML testcase namespaces/9, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • setHTMLUnsafe testcase namespaces/9, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTML testcase namespaces/9, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
    • parseHTMLUnsafe testcase namespaces/9, "<svg xml:space="default" xlink:href="about:blank" xmlns:foo="barspace">": FAIL (Chrome: FAIL, Safari: FAIL)
  • /sanitizer-api/sanitizer-boolean-defaults.tentative.html [wpt.fyi]
    • comments: FAIL (Chrome: FAIL, Safari: FAIL)
    • data attributes: FAIL (Chrome: FAIL, Safari: FAIL)
  • /sanitizer-api/sanitizer-config.tentative.html [wpt.fyi]
    • Sanitizer constructor without config.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Sanitizer constructor with empty config.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Sanitizer constructor with null as config.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Sanitizer constructor with undefined as config.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Sanitizer constructor with config ignore unknown values.: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig comments field.: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig dataAttributes field.: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: elements: ["div"]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: elements: [{"name":"b"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: elements: [{"name":"p","namespace":"http://www.w3.org/1999/xhtml"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: elements: [{"name":"bla","namespace":"http://fantasy.org/namespace"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeElements: ["div"]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeElements: [{"name":"b"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeElements: [{"name":"p","namespace":"http://www.w3.org/1999/xhtml"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeElements: [{"name":"bla","namespace":"http://fantasy.org/namespace"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: replaceWithChildrenElements: ["div"]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: replaceWithChildrenElements: [{"name":"b"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: replaceWithChildrenElements: [{"name":"p","namespace":"http://www.w3.org/1999/xhtml"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: replaceWithChildrenElements: [{"name":"bla","namespace":"http://fantasy.org/namespace"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: attributes: ["href"]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: attributes: [{"name":"href","namespace":null}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: attributes: [{"name":"href","namespace":""}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: attributes: [{"name":"href","namespace":"https://www.w3.org/1999/xlink"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeAttributes: ["href"]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeAttributes: [{"name":"href","namespace":null}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeAttributes: [{"name":"href","namespace":""}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • SanitizerConfig, normalization: removeAttributes: [{"name":"href","namespace":"https://www.w3.org/1999/xlink"}]: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test elements addition.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test elements removal.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test elements replacewithchildren.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test attribute addition.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test attribute removal.: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test attribute-per-element sets (i.e. overwrites).: FAIL (Chrome: FAIL, Safari: FAIL)
    • Test removeAttribute-per-element sets (i.e. overwrites).: FAIL (Chrome: FAIL, Safari: FAIL)
  • /sanitizer-api/sethtml-safety.tentative.html [wpt.fyi]
    • Testcase #0, setHTML("test)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #1, setHTML("<p>Hello</p>)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #2, setHTML("<div>Hello<script>World</script>xxx)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #3, setHTML("<div>Hello<script>World</script>xxx)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #4, setHTML("<svg>Hello<script>World</script>xxx)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #5, setHTML("<img src="https://web-platform.test/test-image" onclick="2+2" one="two">)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #6, setHTML("<img src="https://web-platform.test/test-image" onclick="2+2" one="two">)".: FAIL (Chrome: FAIL, Safari: FAIL)
    • Testcase #7, setHTML("<p data-x="1" data-y="2" data-z="3">)".: FAIL (Chrome: FAIL, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2045e71144a
[wpt PR 50486] - [Sanitizer API] Update default handling for comments and data-*., a=testonly
https://hg.mozilla.org/integration/autoland/rev/78a28d6d515b
[wpt PR 50486] - Update wpt metadata, a=testonly

Status: NEW → RESOLVED
Closed: 17 days ago
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch