angler-fishThe Vulnerability History Project

Supress script during parser adjusting DOM node location

      This attack uses HTML parser's tree tweaking operation to trigger
a script execution. This CL supresses it. This should be acceptable
because:

 * It never happens with well-formed markup.
 * It only happens to a node being a child of <script>, which is unusual.

BUG=464552
TEST=parser-adjust-parent-crash.html
R=haraken@chromium.org

Review URL: https://codereview.chromium.org/1007523003

git-svn-id: svn://svn.chromium.org/blink/trunk@191807 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Lulu the Dalmatian 2015-03-13 01:35:59 UTC
commit ad6d56fe76a49244896156182c30d8e9ff3afbf2
Chromium Fix CVE-2015-1253
third_party/WebKit/LayoutTests/fast/dom/parser-adjust-parent-crash-expected.txt
-1
third_party/WebKit/LayoutTests/fast/dom/parser-adjust-parent-crash.html
-20
third_party/WebKit/Source/core/html/parser/HTMLConstructionSite.cpp
+2 -7
expand_less