Fix some crashes in StylableSelect HTML parser

This patch forbids nested <button>s and <datalist>s to avoid setting kInSelectMode while we are technically still in a <button> or <datalist>. This patch also replaces a call to SetInsertionMode() with ResetInsertionModeAppropriately() and moves it after processing the end tag in order to avoid ending up in kInSelectMode when there is not actually an open <select> tag. The clusterfuzz crash didn't have a minimal repro but I manually verified that the crash does not repro with this patch. Bug: 1511354 Fixed: 1519396 Change-Id: I4358973b36925ea0862f4050f27f804d2676288c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5254124 Reviewed-by: David Baron <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/main@{#1255770}
web-platform-tests · Feb 2, 2024 · 78ce8e7 · 78ce8e7
1 parent 117e60e
commit 78ce8e7
Showing 1 changed file with 30 additions and 33 deletions.
diff --git a/html/semantics/forms/the-select-element/select-parsing.tentative.html b/html/semantics/forms/the-select-element/select-parsing.tentative.html
@@ -17,36 +17,34 @@
 </select>
 
 <select id=s2>
-  <div>div 1</div>
-  <button>
-    <span>level 1</span>
-    <button>
-      <span>level 2</span>
-    </button>
-  </button>
-  <div>div 2</div>
-</select>
-
-<select id=s3>
   <button>button
 </select>
 
-<select id=s4>
+<select id=s3>
   <datalist>datalist
 </select>
 
-<select id=s5>
+<select id=s4>
   <button>
     <select></select>
   </button>
 </select>
 
-<select id=s6>
+<select id=s5>
   <button>
     <div>
       <select>
 </select>
 
+<select id=s6>
+<button>
+<button></button>
+</button>
+<datalist>
+<datalist></datalist>
+</datalist>
+</select>
+
 <div id=afterlast>
   keep this div after the last test case
 </div>
@@ -70,45 +68,44 @@
 test(() => {
   assert_equals(document.getElementById('s2').parentNode, document.body);
   assert_equals(document.getElementById('s2').innerHTML, `
-  div 1
-  <button>
-    <span>level 1</span>
-    </button><button>
-      <span>level 2</span>
-    </button>
-  \n  div 2
-`);
-}, 'Nested <button>s in <select> should be flattened out.');
-
-test(() => {
-  assert_equals(document.getElementById('s3').parentNode, document.body);
-  assert_equals(document.getElementById('s3').innerHTML, `
   <button>button
 </button>`);
 }, '</select> should close <button>.');
 
 test(() => {
-  assert_equals(document.getElementById('s4').parentNode, document.body);
-  assert_equals(document.getElementById('s4').innerHTML, `
+  assert_equals(document.getElementById('s3').parentNode, document.body);
+  assert_equals(document.getElementById('s3').innerHTML, `
   <datalist>datalist
 </datalist>`);
 }, '</select> should close <datalist>.');
 
 test(() => {
-  assert_equals(document.getElementById('s5').parentNode, document.body);
-  assert_equals(document.getElementById('s5').innerHTML, `
+  assert_equals(document.getElementById('s4').parentNode, document.body);
+  assert_equals(document.getElementById('s4').innerHTML, `
   <button>
     </button>`);
 }, '<select> in <button> in <select> should remove inner <select>.');
 
 test(() => {
-  assert_equals(document.getElementById('s6').parentNode, document.body);
-  assert_equals(document.getElementById('s6').innerHTML, `
+  assert_equals(document.getElementById('s5').parentNode, document.body);
+  assert_equals(document.getElementById('s5').innerHTML, `
   <button>
     <div>
       </div></button>`);
 }, '<select> in <select><button><div> should remove inner <select>.');
 
+test(() => {
+  assert_equals(document.getElementById('s6').parentNode, document.body);
+  assert_equals(document.getElementById('s6').innerHTML, `
+<button>
+</button>
+
+<datalist>
+</datalist>
+
+`);
+}, 'Nested <button>s or <datalist>s in <select> should be dropped.');
+
 test(() => {
   assert_equals(document.getElementById('afterlast').parentNode, document.body);
 }, 'The last test should not leave any tags open after parsing.');