| commit | ab7a0ee9d3485c19da8b50af2d1cfc95fd6e4a98 | [log] [tgz] |
|---|---|---|
| author | mkwst <mkwst@chromium.org> | Fri Jan 13 13:30:41 2017 |
| committer | Commit bot <commit-bot@chromium.org> | Fri Jan 13 13:30:41 2017 |
| tree | 72420d1c27308cc3301f6bcb0698444cc25e33e0 | |
| parent | 994437489ea2c9aaf7fac316a90bf4dffeedf7b2 [diff] |
Experiment with restricting form submission with open elements. HTML's parsing mechanism will automatically close form controls at the end of a file. This is fine from a parsing perspective, but the behavior does enable dangling markup attacks, such as those described in http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/ and section 2 of http://lcamtuf.coredump.cx/postxss/. Based on some discussion at https://github.com/whatwg/html/issues/2253, this patch adds metrics to measure how often this happens in the wild for `<textarea>` and `<select>` elements, and an experimental flag which prevents form submission in the presence of those elements if they're closed by reaching the end-of-file. BUG=680462 Review-Url: https://codereview.chromium.org/2628723004 Cr-Commit-Position: refs/heads/master@{#443544}