The default bug view has changed. See this FAQ.

Sync up the list of white-listed HTML tags and attributes in the sanitizing fragment sink with the HTML5 spec

RESOLVED FIXED in mozilla2.0b7

Status

()

Core
DOM: Core & HTML
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Ehsan, Assigned: Ehsan)

Tracking

({html5})

Trunk
mozilla2.0b7
x86
Mac OS X
html5
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .11+, status1.9.2 .11-fixed, blocking1.9.1 .14+, status1.9.1 .14-fixed)

Details

(Whiteboard: [tb31needed])

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

7 years ago
The list of tags and attributes that we use for the white-list used in the sanitizing fragment sink is out of date.  I'm filing this bug so that I can go through it and add any missing HTML5 tags/attrs in order for us to comply with HTML5.
blocking1.9.2: --- → ?
blocking2.0: --- → ?
(Assignee)

Comment 1

7 years ago
Here is the lists:

http://www.whatwg.org/specs/web-apps/current-work/multipage/section-index.html#attributes-1
http://www.whatwg.org/specs/web-apps/current-work/multipage/section-index.html#elements-1
(Assignee)

Comment 2

7 years ago
Created attachment 476876 [details] [diff] [review]
Patch (v1)
Attachment #476876 - Flags: review?(bzbarsky)
Attachment #476876 - Flags: approval2.0?
Is @autofocus safe?

Is @form safe if it points outside the editable area?  What about the other @form* attributes?

What about @radiogroup?

Not sure what @pattern, @optimum, @scoped really do.
(Assignee)

Comment 4

7 years ago
(In reply to comment #3)
> Is @autofocus safe?

Yes, it doesn't run any scripts.

> Is @form safe if it points outside the editable area?  What about the other
> @form* attributes?

Hmm, good point.  I think we should not allow those attributes...  Will submit a new patch soon.

> What about @radiogroup?

Looks safe to me.

> Not sure what @pattern, @optimum, @scoped really do.

@pattern allows one to specify the valid patterns of text that an input control accepts.  @optimum allows one to specify the optimum value in the gague for a <meter> element.  @scoped allows one to specify that a <style> element only affects its parent subtree.  We don't generally allow the style element, so this is useless most of the time, except when we specifically allow the paranoid fragment sink to accept <style> elements, which would cause this to come to play.
(Assignee)

Comment 5

7 years ago
Created attachment 476891 [details] [diff] [review]
Patch (v2)

With @form* attributes removed.
Attachment #476876 - Attachment is obsolete: true
Attachment #476891 - Flags: review?(bzbarsky)
Attachment #476891 - Flags: approval2.0?
Attachment #476876 - Flags: review?(bzbarsky)
Attachment #476876 - Flags: approval2.0?
Whiteboard: [tb31needs]
Comment on attachment 476891 [details] [diff] [review]
Patch (v2)

r=me
Attachment #476891 - Flags: review?(bzbarsky) → review+
Attachment #476891 - Flags: approval2.0? → approval2.0+
(Assignee)

Updated

7 years ago
Blocks: 596300
(Assignee)

Updated

7 years ago
blocking1.9.1: --- → ?

Updated

7 years ago
blocking1.9.1: ? → .14+
blocking1.9.2: ? → .11+
(Assignee)

Comment 7

7 years ago
http://hg.mozilla.org/mozilla-central/rev/0fb87b689b2c
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b7
(Assignee)

Updated

7 years ago
Attachment #476891 - Flags: approval1.9.2.11?
Attachment #476891 - Flags: approval1.9.1.14?

Comment 8

7 years ago
Comment on attachment 476891 [details] [diff] [review]
Patch (v2)

a=LegNeato for 1.9.2.11 and 1.9.1.14
Attachment #476891 - Flags: approval1.9.2.11?
Attachment #476891 - Flags: approval1.9.2.11+
Attachment #476891 - Flags: approval1.9.1.14?
Attachment #476891 - Flags: approval1.9.1.14+
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ff7cddc23d87
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/92bb12378f69
status1.9.1: --- → .14-fixed
status1.9.2: --- → .11-fixed
(Assignee)

Comment 10

7 years ago
Bustage fix:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2a751107be31
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/223046422b9d
Is there going to be an automated test included with this?
(Assignee)

Comment 12

7 years ago
(In reply to comment #11)
> Is there going to be an automated test included with this?

Not really.  The benefit of automated tests here is very low, and the cost of creating one is actually really high (the number of possible combinations to test is scary).
I know. Imagine having to test them all by hand because there is no automated test.
(Assignee)

Comment 14

7 years ago
As a way to test it, you can open a tab with data:text/html,<input autofocus value=test>, and another with http://www.mozilla.org/editor/midasdemo/.  In the former, click the body, Cmd+A and Cmd+C, then go to midasdemo and paste inside the editable area, then click View HTML Source and make sure that the autofocus attribute is there.
Whiteboard: [tb31needs] → [tb31needed]

Updated

6 years ago
blocking2.0: ? → final+
You need to log in before you can comment on or make changes to this bug.