The list of tags and attributes that we use for the white-list used in the sanitizing fragment sink is out of date. I'm filing this bug so that I can go through it and add any missing HTML5 tags/attrs in order for us to comply with HTML5.
7 years ago
Created attachment 476876 [details] [diff] [review] Patch (v1)
Is @autofocus safe? Is @form safe if it points outside the editable area? What about the other @form* attributes? What about @radiogroup? Not sure what @pattern, @optimum, @scoped really do.
(In reply to comment #3) > Is @autofocus safe? Yes, it doesn't run any scripts. > Is @form safe if it points outside the editable area? What about the other > @form* attributes? Hmm, good point. I think we should not allow those attributes... Will submit a new patch soon. > What about @radiogroup? Looks safe to me. > Not sure what @pattern, @optimum, @scoped really do. @pattern allows one to specify the valid patterns of text that an input control accepts. @optimum allows one to specify the optimum value in the gague for a <meter> element. @scoped allows one to specify that a <style> element only affects its parent subtree. We don't generally allow the style element, so this is useless most of the time, except when we specifically allow the paranoid fragment sink to accept <style> elements, which would cause this to come to play.
Created attachment 476891 [details] [diff] [review] Patch (v2) With @form* attributes removed.
Comment on attachment 476891 [details] [diff] [review] Patch (v2) r=me
7 years ago
Comment on attachment 476891 [details] [diff] [review] Patch (v2) a=LegNeato for 18.104.22.168 and 22.214.171.124
Is there going to be an automated test included with this?
(In reply to comment #11) > Is there going to be an automated test included with this? Not really. The benefit of automated tests here is very low, and the cost of creating one is actually really high (the number of possible combinations to test is scary).
I know. Imagine having to test them all by hand because there is no automated test.
As a way to test it, you can open a tab with data:text/html,<input autofocus value=test>, and another with http://www.mozilla.org/editor/midasdemo/. In the former, click the body, Cmd+A and Cmd+C, then go to midasdemo and paste inside the editable area, then click View HTML Source and make sure that the autofocus attribute is there.