Bug 504941 - [HTML5]Unclosed comment inside <script> causes page to appear blank
Status: RESOLVED DUPLICATE of bug 503632
Keywords: testcase
Product: Core
Classification: Components
Component: HTML: Parser
Version: Trunk
Platform: x86 All
Importance: P1 normal
Target Milestone: mozilla1.9.2a1
Assigned To: Nobody; OK to take it and work on it
URL: http://www.aerosnap.de.vu/
Depends on: 503632 508075
Blocks: html5-parsing

Reported: 2009-07-17 14:56 PDT by Priit Uring
Modified: 2010-12-08 23:37 PST


Attachments
reduced testcase (93 bytes, text/html)
2009-07-17 18:02 PDT, Jesse Ruderman

Description Priit Uring 2009-07-17 14:56:34 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090717 Minefield/3.6a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090717 Minefield/3.6a1pre

Details

Reproducible: Always

Steps to Reproduce:
1. about:config set HTML5 to true
2. close Minefield and go to SafeMode
3. open up webpage http://www.aerosnap.de.vu/
Actual Results:  
Page was Blank - White - Empty

Expected Results:  
Webpage should have been shown even with HTML5 enabled
Safemode should have disregarded non-default value HTML5 - True to False

Using Windows 7 and Official Minefield Build 20090718
Comment 1 Jim Jeffery not reading bug-mail 1/2/11 2009-07-17 15:42:38 PDT
Confirming and setting new:

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090717 Minefield/3.6a1pre (.NET CLR 3.5.30729) ID:20090717120342 <latest hourly available
Comment 2 Jesse Ruderman 2009-07-17 18:01:39 PDT
It's actually the frame http://aerosnap.de/ that incorrectly shows up blank.
Comment 3 Jesse Ruderman 2009-07-17 18:02:27 PDT
Created attachment 389243
reduced testcase

Blank only with HTML5 parser enabled.
Comment 4 Jesse Ruderman 2009-07-17 18:09:00 PDT
See also bug 503632.  Based on the direction that discussion is going, I'm not marking this as a dup.
Comment 5 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2009-08-07 01:38:05 PDT
I don't see a way to fix this without reparsing. If the problem is rare, I think WONTFIX plus evang is the right solution. If the problem is common, we have a serious issue with a fundamental design constraint of the spec.
Comment 6 Jesse Ruderman 2009-08-07 12:17:48 PDT
What design constraint is that?  Why does <!-- inside <script> need to be treated as anything at all?
Comment 7 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2009-08-10 04:12:24 PDT
<!-- needs magic treatment inside script to mask document.write("</script>");

<script><!--
...
document.write("<script src='foo'></script>");
...
--></script>

The design constraint I meant was the constraint not to do reparsing, because reparsing would change the executability characteristics of pieces of the page if an attacker can force a premature end of file.
Comment 8 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2009-08-10 04:55:38 PDT
Note to people who are searching for dupes before filing bugs:
If you see this in the wild, please note the URL of the page here.
Comment 9 Jesse Ruderman 2009-08-10 10:28:45 PDT
Interesting!  I guess strings in scripts must have "<!--", "-->", and "</script" escaped to avoid XSS, depending on whether the script already has a "<!--" and the browser version.  I used to think escaping "/" as "\/" and escaping the string delimiter was enough.

I like the no-reparsing constraint, though.
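
An added example, not part of the original bug thread: the string-escaping concern raised in comment 9, comparing the older "escape the delimiter and write / as \/" approach with an encoder that also removes "<" and ">" from the emitted script text. Function names are hypothetical and the sample value is constructed.

```javascript
// Added example (not from the bug thread). All names here are hypothetical.

// Sequences that change how the HTML tokenizer reads the inside of <script>,
// as listed in comment 9: "<!--", "-->" and "</script".
const SCRIPT_SENSITIVE = /<!--|-->|<\/script/i;

// Older approach from comment 9: escape the string delimiter
// (JSON.stringify does that) and write "/" as "\/".
function naiveScriptString(value) {
  return JSON.stringify(String(value)).replace(/\//g, "\\/");
}

// Hardened approach: write every "<" and ">" as a \u escape, so none of the
// sensitive sequences can appear in the script text at all. The JavaScript
// string value is unchanged because \u003c and \u003e decode to "<" and ">".
function safeScriptString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Build an inline script block that assigns the encoded string to a variable.
function renderInlineScript(varName, value, encode) {
  return "<script>var " + varName + " = " + encode(value) + ";</script>";
}

// Return the text between the opening tag and the final closing tag,
// which is the part the tokenizer must get through intact.
function scriptBody(html) {
  return html.slice("<script>".length, html.lastIndexOf("</script>"));
}

// True if the script body contains a sequence the tokenizer treats specially.
function hasScriptSensitiveSequence(body) {
  return SCRIPT_SENSITIVE.test(body);
}

// Constructed sample: untrusted text that includes the sensitive sequences.
const SAMPLE = 'note <!-- <script src="foo"></script> -->';

const naiveBody = scriptBody(renderInlineScript("msg", SAMPLE, naiveScriptString));
const safeBody = scriptBody(renderInlineScript("msg", SAMPLE, safeScriptString));

console.log("naive:", naiveBody, hasScriptSensitiveSequence(naiveBody));
console.log("safe: ", safeBody, hasScriptSensitiveSequence(safeBody));
```

The naive form turns "</script" into "<\/script" but still emits "<!--" and "-->", which is the case comment 9 points out.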
Comment 10 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2009-08-12 05:05:34 PDT
I wrote up a relatively radical proposal for a fix:
http://wiki.whatwg.org/wiki/CDATA_Escapes
Comment 11 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2009-12-03 01:46:33 PST

*** This bug has been marked as a duplicate of bug 503632 ***