From 04e6913344e8a9e4a7e7b06e7719cd657ee308bd Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Thu, 18 May 2023 21:21:02 +0000 Subject: [PATCH 01/16] Ignore dangling markup in target name --- source | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/source b/source index f5417730b87..3c37e83ee5b 100644 --- a/source +++ b/source @@ -89926,8 +89926,10 @@ interface BeforeUnloadEvent : Event { data-x="navigate">navigations at that navigable.

A valid navigable target name is any string with - at least one character that does not start with a U+005F LOW LINE character. (Names starting with - an underscore are reserved for special keywords.)

+ at least one character that does not start with a U+005F LOW LINE character (Names starting with + an underscore are reserved for special keywords). A target name + which contains both a U+000A END OF LINE character and a U+003C LESS-THAN SIGN character will be + converted to _blank.

A valid navigable target name or keyword is any string that is either a valid navigable target name or that is @@ -90098,6 +90100,10 @@ interface BeforeUnloadEvent : Event { data-x="">_top", set chosen to currentNavigable's traversable navigable.

+

  • Otherwise, if name contains both a U+000A END OF LINE character (\n) and a + U+003C LESS-THAN SIGN character (<), set name to "_blank". +

    • +

  • Otherwise, if name is not an ASCII case-insensitive match for "_blank", there exists a navigable whose Date: Mon, 22 May 2023 17:59:43 +0000 Subject: [PATCH 02/16] Address comments --- source | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source b/source index 3c37e83ee5b..65f1b97e60f 100644 --- a/source +++ b/source @@ -89928,8 +89928,8 @@ interface BeforeUnloadEvent : Event {

    A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with an underscore are reserved for special keywords). A target name - which contains both a U+000A END OF LINE character and a U+003C LESS-THAN SIGN character will be - converted to _blank.

    + which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN character + will be converted to _blank.

    A valid navigable target name or keyword is any string that is either a valid navigable target name or that is @@ -90088,6 +90088,10 @@ interface BeforeUnloadEvent : Event {

  • Let sandboxingFlagSet be currentNavigable's active document's active sandboxing flag set.

    • +

  • If name contains any ASCII tab or newline characters and a U+003C + LESS-THAN SIGN character (<), set name to "_blank".

    +
    • +

  • If name is the empty string or an ASCII case-insensitive match for "_self", then set chosen to currentNavigable.

    • @@ -90100,10 +90104,6 @@ interface BeforeUnloadEvent : Event { data-x="">_top", set chosen to currentNavigable's traversable navigable.

    -

  • Otherwise, if name contains both a U+000A END OF LINE character (\n) and a - U+003C LESS-THAN SIGN character (<), set name to "_blank". -

    • -

  • Otherwise, if name is not an ASCII case-insensitive match for "_blank", there exists a navigable whose Date: Mon, 22 May 2023 18:07:13 +0000 Subject: [PATCH 03/16] Change to --- source | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source b/source index 65f1b97e60f..229cf5f2d30 100644 --- a/source +++ b/source @@ -89928,7 +89928,7 @@ interface BeforeUnloadEvent : Event {

    A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with an underscore are reserved for special keywords). A target name - which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN character + which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN character will be converted to _blank.

    A valid navigable target name or @@ -90088,7 +90088,7 @@ interface BeforeUnloadEvent : Event {

  • Let sandboxingFlagSet be currentNavigable's active document's active sandboxing flag set.

    • -

  • If name contains any ASCII tab or newline characters and a U+003C +

  • If name contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN character (<), set name to "_blank".

    • From 8d5797bb3a0b2e98b94c8bdabcb57d93a0e7477c Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Mon, 22 May 2023 23:58:46 +0000 Subject: [PATCH 04/16] Move the logic so that only html attributes are considered in the mitigation --- source | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/source b/source index 229cf5f2d30..188099ce49b 100644 --- a/source +++ b/source @@ -14646,15 +14646,22 @@ interface HTMLBaseElement : HTMLElement { form element element, run these steps:
      -

    1. If element has a target attribute, then return that - attribute's value.

      2. +

    2. Let targetName be the empty string.

      3. -

    3. If element's node document contains a base element - with a target attribute, then return the value of the - target attribute of the first such base +

    4. If element has a target attribute, then set + targetName to that attribute's value.

      5. + +

    5. Otherwise, if element's node document contains a + base element with a target attribute, + then set targetName to the value of the target attribute of the first such base element.

      6. -

    6. Return the empty string.

      7. +

    7. If targetName contains any ASCII tab or newline characters + and a U+003C LESS-THAN SIGN character (<), set targetName to "_blank".

      8. + +

    8. Return targetName.

    @@ -89927,9 +89934,7 @@ interface BeforeUnloadEvent : Event {

    A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with - an underscore are reserved for special keywords). A target name - which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN character - will be converted to _blank.

    + an underscore are reserved for special keywords).

    A valid navigable target name or keyword is any string that is either a valid navigable target name or that is @@ -90088,10 +90093,6 @@ interface BeforeUnloadEvent : Event {

  • Let sandboxingFlagSet be currentNavigable's active document's active sandboxing flag set.

    • -

  • If name contains any ASCII tab or newline characters and a U+003C - LESS-THAN SIGN character (<), set name to "_blank".

    -
    • -

  • If name is the empty string or an ASCII case-insensitive match for "_self", then set chosen to currentNavigable.

    • From 131f32f5f1600dcdda7c496256cef576060f21ac Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Tue, 23 May 2023 00:10:15 +0000 Subject: [PATCH 05/16] Add dfn for ascii tab and newline --- source | 1 + 1 file changed, 1 insertion(+) diff --git a/source b/source index 188099ce49b..9b0c478c3da 100644 --- a/source +++ b/source @@ -2222,6 +2222,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  • scalar value string
  • convert
  • ASCII string
    • +
  • ASCII tab or newline
  • ASCII whitespace
  • control
  • ASCII digit
    • From c205aa5560123e0624bd12dcf46977de1d397062 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Sat, 27 May 2023 00:20:29 +0000 Subject: [PATCH 06/16] Address few comments --- source | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/source b/source index 9b0c478c3da..46b85a3d9a5 100644 --- a/source +++ b/source @@ -14649,17 +14649,17 @@ interface HTMLBaseElement : HTMLElement {

    1. Let targetName be the empty string.

      2. -

    2. If element has a target attribute, then set +

    3. If element has a target attribute, then set targetName to that attribute's value.

      4. -

    4. Otherwise, if element's node document contains a - base element with a target attribute, - then set targetName to the value of the

      Otherwise, if element's node document contains a + base element with a target attribute, + set targetName to the value of the target attribute of the first such base element.

      5. -

    5. If targetName contains any ASCII tab or newline characters - and a U+003C LESS-THAN SIGN character (<), set targetName to "

      If targetName contains any ASCII tab or newline characters + and a U+003C LESS-THAN SIGN character (<), then set targetName to "_blank".

    6. Return targetName.

      7. @@ -89935,7 +89935,9 @@ interface BeforeUnloadEvent : Event {

      A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with - an underscore are reserved for special keywords).

      + an underscore are reserved for special keywords). A target name + which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN + character will be converted to _blank.

      A valid navigable target name or keyword is any string that is either a valid navigable target name or that is From 7c3f5cbb9288f828edfaede749067143bcf0edaf Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Tue, 30 May 2023 20:04:47 +0000 Subject: [PATCH 07/16] Change targetName to target --- source | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source b/source index 46b85a3d9a5..11f7d0886b9 100644 --- a/source +++ b/source @@ -14647,22 +14647,22 @@ interface HTMLBaseElement : HTMLElement { form element element, run these steps:

        -

      1. Let targetName be the empty string.

        2. +

      2. Let target be the empty string.

      3. If element has a target attribute, then set - targetName to that attribute's value.

        4. + target to that attribute's value.

      4. Otherwise, if element's node document contains a base element with a target attribute, - set targetName to the value of the target to the value of the target attribute of the first such base element.

        5. -

      5. If targetName contains any ASCII tab or newline characters - and a U+003C LESS-THAN SIGN character (<), then set targetName to "

        If target contains any ASCII tab or newline characters + and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

        6. -

      6. Return targetName.

        7. +

      7. Return target.

      From 8376ac1ec2f15e21aa3eafad4110593972fcb291 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Tue, 6 Jun 2023 21:09:18 +0000 Subject: [PATCH 08/16] Add an optional targetValue --- source | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/source b/source index 11f7d0886b9..2314b9bfd2a 100644 --- a/source +++ b/source @@ -14644,12 +14644,16 @@ interface HTMLBaseElement : HTMLElement { data-x="attr-base-target">target       attributes, all but the first are ignored.

      To get an element's target, given an a, area, or - form element element, run these steps: + form element element, and an optional targetValue + (default null), run these steps:

      1. Let target be the empty string.

        2. -

      2. If element has a target attribute, then set +

      3. If targetValue is non-null, then set target to + targetValue.

        4. + +

      4. Otherwise, if element has a target attribute, set target to that attribute's value.

      5. Otherwise, if element's node document contains a @@ -58674,11 +58678,10 @@ fur

      6. Let enctype be the submitter element's enctype.

        7. -

      7. Let target be the submitter element's formtarget attribute value, if the element is a submit button and has such an attribute. Otherwise, let it - be the result of getting an element's target given - submitter's form owner.

        8. +

      8. Let target be the result of getting an element's target given + submitter's form owner and submitter element's formtarget attribute value.

      9. Let noopener be the result of getting an element's noopener with form and target.

        10. From ce6254a0838028591d17ddc77e18eb5395e87324 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Tue, 6 Jun 2023 21:17:04 +0000 Subject: [PATCH 09/16] Add back an if --- source | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source b/source index 2314b9bfd2a..a59ffb68cff 100644 --- a/source +++ b/source @@ -58681,7 +58681,8 @@ fur

      10. Let target be the result of getting an element's target given submitter's form owner and submitter element's formtarget attribute value.

        11. + data-x="attr-fs-formtarget">formtarget         attribute value, if the element is a submit button and has such an attribute.

      11. Let noopener be the result of getting an element's noopener with form and target.

        12. From 67ed490eb08691a62990d479c2ede6bb5c168072 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Wed, 7 Jun 2023 20:16:22 +0000 Subject: [PATCH 10/16] Clean up formTarget argument --- source | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/source b/source index a59ffb68cff..225665fe9e7 100644 --- a/source +++ b/source @@ -58678,11 +58678,16 @@ fur

      12. Let enctype be the submitter element's enctype.

        13. +

      13. Let formTarget be null.

        14. + +

      14. If the submitter element is a submit button and it has a formtarget attribute, then set formTarget to + the formtarget attribute value.

        15. +

      15. Let target be the result of getting an element's target given - submitter's form owner and submitter element's formtarget attribute value, if the element is a submit button and has such an attribute.

        16. + submitter's form owner and formTarget.

      16. Let noopener be the result of getting an element's noopener with form and target.

        17. From 829202c9547a4ce8dcef277388a3460daf71ac46 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Wed, 14 Jun 2023 16:50:17 +0000 Subject: [PATCH 11/16] Address comments --- source | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/source b/source index 225665fe9e7..cc5814d07ec 100644 --- a/source +++ b/source @@ -14644,27 +14644,26 @@ interface HTMLBaseElement : HTMLElement { data-x="attr-base-target">target         attributes, all but the first are ignored.

        To get an element's target, given an a, area, or - form element element, and an optional targetValue + form element element, and an optional string-or-null target (default null), run these steps:

          -

        1. Let target be the empty string.

          2. +

        2. If target is null, then:

          3. -

        3. If targetValue is non-null, then set target to - targetValue.

          4. - -

        4. Otherwise, if element has a target attribute, set - target to that attribute's value.

          5. - -

        5. Otherwise, if element's node document contains a - base element with a target attribute, - set target to the value of the target attribute of the first such base - element.

          6. - -

        6. If target contains any ASCII tab or newline characters - and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

          7. +
            +

          1. If element has a target attribute, then set + target to that attribute's value.

            2. + +

          2. Otherwise, if element's node document contains a + base element with a target attribute, + set target to the value of the target attribute of the first such base + element.

            3. + +

          3. If target contains any ASCII tab or newline characters + and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

            4. +

        7. Return target.

        @@ -89944,9 +89943,8 @@ interface BeforeUnloadEvent : Event {

        A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with - an underscore are reserved for special keywords). A target name - which contains any ASCII tab or newline characters and a U+003C LESS-THAN SIGN - character will be converted to _blank.

        + an underscore are reserved for special keywords.), and it does not contain both + ASCII tab or newline characters and a U+003C LESS-THAN SIGN character.

        A valid navigable target name or keyword is any string that is either a valid navigable target name or that is From 0f6f6240d5c5a643d8a76b146593f286c5728143 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Mon, 26 Jun 2023 03:54:08 +0000 Subject: [PATCH 12/16] Address comments --- source | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/source b/source index cc5814d07ec..b35150957fc 100644 --- a/source +++ b/source @@ -14648,22 +14648,22 @@ interface HTMLBaseElement : HTMLElement { (default null), run these steps:

          -

        1. If target is null, then:

          2. +

        2. If target is null, then:

          +
            +

          1. If element has a target attribute, then set + target to that attribute's value.

            2. -
              -

            1. If element has a target attribute, then set - target to that attribute's value.

              2. - -

            2. Otherwise, if element's node document contains a - base element with a target attribute, - set target to the value of the target attribute of the first such base - element.

              3. - -

            3. If target contains any ASCII tab or newline characters - and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

              4. -
            +

          2. Otherwise, if element's node document contains a + base element with a target attribute, + set target to the value of the target attribute of the first such base + element.

            3. +
          +
          3. + +

        3. If target contains any ASCII tab or newline characters + and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

        4. Return target.

        From 0e623a20194f5cdc91b3550e60818576f019abc6 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Mon, 26 Jun 2023 07:23:02 +0000 Subject: [PATCH 13/16] Change wording --- source | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source b/source index b35150957fc..0396557426a 100644 --- a/source +++ b/source @@ -14661,9 +14661,8 @@ interface HTMLBaseElement : HTMLElement {
      -

    7. If target contains any ASCII tab or newline characters - and a U+003C LESS-THAN SIGN character (<), then set target to "_blank".

      8. +

    8. If target contains an ASCII tab or newline and a U+003C + (<), then set target to "_blank".

    9. Return target.

    From 8f69a9c2aaa3d22f448532148bc58c91171d079f Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Mon, 26 Jun 2023 07:26:45 +0000 Subject: [PATCH 14/16] Change wording --- source | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source b/source index 0396557426a..a2924129045 100644 --- a/source +++ b/source @@ -89943,7 +89943,7 @@ interface BeforeUnloadEvent : Event {

    A valid navigable target name is any string with at least one character that does not start with a U+005F LOW LINE character (Names starting with an underscore are reserved for special keywords.), and it does not contain both - ASCII tab or newline characters and a U+003C LESS-THAN SIGN character.

    + an ASCII tab or newline and a U+003C (<).

    A valid navigable target name or keyword is any string that is either a valid navigable target name or that is From 12eeb8c99458c57263dbd4147c10c844cf75ea88 Mon Sep 17 00:00:00 2001 From: Jun Kokatsu Date: Fri, 25 Aug 2023 18:51:22 +0000 Subject: [PATCH 15/16] Address comments --- source | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/source b/source index 8c61aea6bf0..4d8a54a0864 100644 --- a/source +++ b/source @@ -14748,7 +14748,8 @@ interface HTMLBaseElement : HTMLElement { (default null), run these steps:

      -

    1. If target is null, then:

      +
    2. +

      If target is null, then:

      1. If element has a target attribute, then set target to that attribute's value.

        2. @@ -14761,7 +14762,7 @@ interface HTMLBaseElement : HTMLElement {
      3. -

    3. If target contains an ASCII tab or newline and a U+003C +

    4. If target is not null, and contains an ASCII tab or newline and a U+003C (<), then set target to "_blank".

    5. Return target.

      6. @@ -93878,9 +93879,9 @@ interface BeforeUnloadEvent : Event { data-x="navigate">navigations at that navigable.

      A valid navigable target name is any string with - at least one character that does not start with a U+005F LOW LINE character (Names starting with - an underscore are reserved for special keywords.), and it does not contain both - an ASCII tab or newline and a U+003C (<).

      + at least one character that does not contain both an ASCII tab or newline and a + U+003C (<), and it does not start with a U+005F LOW LINE character (Names starting with + an underscore are reserved for special keywords.)

      A valid navigable target name or keyword is any string that is either a valid navigable target name or that is From edebcccc1f38cda39e741100fcfdf42737d0dedf Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 30 Aug 2023 16:30:09 +0200 Subject: [PATCH 16/16] nits --- source | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/source b/source index 4d8a54a0864..e2988e40161 100644 --- a/source +++ b/source @@ -14750,20 +14750,20 @@ interface HTMLBaseElement : HTMLElement {

      1. If target is null, then:

        +

        1. If element has a target attribute, then set target to that attribute's value.

        2. Otherwise, if element's node document contains a - base element with a target attribute, - set target to the value of the target attribute of the first such base - element.

          3. + base element with a target attribute, set + target to the value of the target attribute + of the first such base element.

        2. -

      2. If target is not null, and contains an ASCII tab or newline and a U+003C - (<), then set target to "_blank".

        3. +

      3. If target is not null, and contains an ASCII tab or newline and a + U+003C (<), then set target to "_blank".

      4. Return target.

      @@ -58962,14 +58962,14 @@ fur

    6. Let formTarget be null.

      7. -

    7. If the submitter element is a submit button and it has a formtarget attribute, then set formTarget to - the formtarget attribute value.

      8. +

    8. If the submitter element is a submit + button and it has a formtarget attribute, then + set formTarget to the formtarget attribute + value.

      9. -

    9. Let target be the result of getting an element's target given - submitter's form owner and formTarget.

      10. +

    10. Let target be the result of getting an + element's target given submitter's form owner and + formTarget.

    11. Let noopener be the result of getting an element's noopener with form and target.

      12. @@ -93878,10 +93878,10 @@ interface BeforeUnloadEvent : Event { data-x="attr-hyperlink-target">target       attribute) to target navigations at that navigable.

      -

      A valid navigable target name is any string with - at least one character that does not contain both an ASCII tab or newline and a - U+003C (<), and it does not start with a U+005F LOW LINE character (Names starting with - an underscore are reserved for special keywords.)

      +

      A valid navigable target name is any string with at + least one character that does not contain both an ASCII tab or newline and a U+003C + (<), and it does not start with a U+005F (_). (Names starting with a U+005F (_) are reserved + for special keywords.)

      A valid navigable target name or keyword is any string that is either a valid navigable target name or that is