Submitting a form can cause HTMLFormElement's associated elements vector to be mutate...
author    wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 14 Sep 2017 01:49:05 +0000 (01:49 +0000)
committer wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 14 Sep 2017 01:49:05 +0000 (01:49 +0000)
commit    38d3262dfd6c55a76f87824edd981658f9df3f1c
tree      a4f4dbf4166fe08eba48f402bb1c2fe684ff53e2
parent    5e83a7daf1e34e70f05ec29b39949b0b061099c3
Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration
https://bugs.webkit.org/show_bug.cgi?id=176368
<rdar://problem/34254998>

Reviewed by Ryosuke Niwa.

Source/WebCore:

In the process of iterating over form.associatedElements() during form submission in FormSubmission::create, the
page may cause us to clobber the vector of FormAssociatedElements* we're currently iterating over by inserting
new form controls beneath the form element we're in the process of submitting. This happens because
FormSubmission::create calls HTMLTextAreaElement::appendFormData, which requires layout to be up to date, which
in turn makes us updateLayout() and set focus, which fires a `change` event, upon which the page's JavaScript
inserts additional DOM nodes into the form, modifying the vector of associated elements.

To mitigate this, instead of iterating over HTMLFormElement::associatedElements(), which returns a reference to
the HTMLFormElement's actual m_associatedElements vector, we iterate over a new vector of
Ref<FormAssociatedElement>s created from m_associatedElements.

This patch also removes an event dispatch assertion added in r212026. This assertion was added to catch any
other events dispatched in this scope, since dispatching events there would have had security implications, but
after making iteration over associated elements robust, this NoEventDispatchAssertion is no longer useful.

Test: fast/forms/append-children-during-form-submission.html

* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):

LayoutTests:

Adds a new test to make sure we don't crash when mutating a form's associated elements during form submission.

* fast/forms/append-children-during-form-submission-expected.txt: Added.
* fast/forms/append-children-during-form-submission.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222005 268f45cc-cd09-0410-ab3c-d52691b4dbfc
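The iterate-over-a-snapshot pattern the commit describes, shown as an added example that is not WebKit's code: std::shared_ptr stands in for Ref<FormAssociatedElement>, Form for HTMLFormElement, and the hook for the appendFormData() call that ended up running page script. The "hostile" change handler removes and inserts controls mid-iteration, and the loop stays valid because it walks strong references it owns, not the form's live vector.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-ins (assumptions, not WebKit's own types): std::shared_ptr plays the role
// of Ref<FormAssociatedElement>, Form of HTMLFormElement, and the hook of the
// appendFormData() call that ended up running page script in the bug.
struct Element {
    std::string name;
    explicit Element(std::string n) : name(std::move(n)) {}
};

struct Form {
    std::vector<std::shared_ptr<Element>> associatedElements; // m_associatedElements
};

using AppendFormDataHook = std::function<void(Form&, Element&)>;

// Mirrors the fix in FormSubmission::create: iterate over a snapshot of strong
// references rather than a reference to the form's live vector. Script may now
// insert (reallocating the live vector) or remove (dropping the form's reference)
// controls mid-loop without invalidating anything this loop holds.
std::vector<std::string> collectFormData(Form& form, const AppendFormDataHook& hook) {
    std::vector<std::shared_ptr<Element>> snapshot = form.associatedElements;
    std::vector<std::string> serialized;
    for (const std::shared_ptr<Element>& element : snapshot) {
        hook(form, *element);                 // may mutate form.associatedElements
        serialized.push_back(element->name);  // still valid: snapshot owns it
    }
    return serialized;
}

// Constructed scenario: two controls whose 'change' handling replaces the form's
// children on every call (one removal, two insertions), the mutation-during-
// iteration pattern the commit's layout test exercises.
std::vector<std::string> runScenario(Form& form) {
    form.associatedElements = { std::make_shared<Element>("user"),
                                std::make_shared<Element>("email") };
    AppendFormDataHook hostileChangeHandler = [](Form& f, Element& current) {
        auto& live = f.associatedElements;
        if (!live.empty())
            live.erase(live.begin());         // drop the control being serialized
        live.push_back(std::make_shared<Element>(current.name + "_copy1"));
        live.push_back(std::make_shared<Element>(current.name + "_copy2"));
    };
    return collectFormData(form, hostileChangeHandler);
}
```

Only the two controls present when submission started are serialized, and the form ends up holding four controls that were never part of the submission, which is the observable contract a snapshot gives you.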
LayoutTests/ChangeLog
LayoutTests/fast/forms/append-children-during-form-submission-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/append-children-during-form-submission.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FormSubmission.cpp