[Webkit-unassigned] [Bug 12744] New: innerHTML in PRE not properly escaped

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 12 09:39:39 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12744

           Summary: innerHTML in PRE not properly escaped
           Product: WebKit
           Version: 312.x
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptGlue
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: msamuel at google.com
                CC: mjs at apple.com


The attached html page demonstrates what I think is a bug in Safari.  I have
only tested with Safari 2.0.4, not the latest version of Webkit.

Firefox and IE both treat the innerHTML of a <PRE> tag as regular html, but
Safari seems to group it with style, script, and other tags that contain CDATA
in some cases.
Strangely, Firefox and IE treat XMP and PLAINTEXT elements' content as CDATA
but Safari does not.

The XMP, LISTING, and PLAINTEXT tags are deprecated, but the PRE tag is not,
and its content should not be treated as CDATA.

If it is, then the following naive code:
   document.writeln(myPreTag.innerHTML);
could cause arbitrary script to execute by injecting an onmouseover handler.


Actual Behavior:
The right column of row 6 of the attached page renders as 
  <!DOCTYPE foo PUBLIC "foo"> <foo />


Expected Behavior:
It should render as
  <DOCTYPE foo PUBLIC "foo"> <foo />
though escaping other characters, such as the double quotes, would be acceptable
too.


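The round trip the report warns about, as an added example that is not part of the bug report and not WebKit's code. It models two ways of serializing the text inside a <pre>: the text-node escaping innerHTML is specified to perform, and the CDATA-style pass-through the reporter observed in Safari 2.0.4. It then runs the naive `document.writeln(myPreTag.innerHTML)` pattern through a small start-tag scanner standing in for the HTML parser, so the difference is visible without a browser. All function names (`escapeHtmlText`, `serializeAsCdata`, `findStartTags`, `naiveRoundTrip`, `safeWrite`) and the sample input are this example's own assumptions; the sample is constructed and runs under Node.js with no DOM.

```javascript
// Added example, not from the bug report or WebKit. Models how innerHTML
// serialization of <pre> text decides whether a later document.writeln()
// of that string reintroduces markup. No DOM is used; "the document" is
// just the string that would be handed to the parser.

// Text-node escaping as innerHTML is specified to do it: &, nbsp, <, >.
// This is the behaviour the reporter expects for <pre>.
function escapeHtmlText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute values additionally need the double quote escaped (the
// "escaping other characters" variant the reporter says would be acceptable).
function escapeHtmlAttr(text) {
  return escapeHtmlText(text).replace(/"/g, '&quot;');
}

// The behaviour the report attributes to Safari 2.0.4: <pre> content treated
// like SCRIPT/STYLE raw text, so innerHTML hands the text back verbatim.
function serializeAsCdata(text) {
  return text;
}

// Minimal start-tag scanner standing in for the HTML parser that
// document.writeln() would feed. Returns each start tag's name and whether
// its attribute list carries an on* event handler (heuristic match, enough
// for this demonstration; a real parser is far more permissive).
function findStartTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push({
      name: m[1].toLowerCase(),
      hasEventHandler: /\bon[a-z]+\s*=/i.test(m[2]),
    });
  }
  return tags;
}

// The naive pattern from the report: read the <pre>'s innerHTML (whose
// *text* may be attacker controlled) and document.writeln() it. `serialize`
// is the innerHTML behaviour under test.
function naiveRoundTrip(preText, serialize) {
  const written = serialize(preText);
  return { written, tags: findStartTags(written) };
}

// Hardened form: do not depend on innerHTML's escaping at all. Take the
// element's text (textContent in a real page) and escape it yourself before
// it ever reaches a parser.
function safeWrite(preText) {
  return escapeHtmlText(preText);
}

// Constructed sample: text inside the <pre> that looks like markup and
// carries the onmouseover handler the report mentions, plus the DOCTYPE
// line from the report's row 6.
const PRE_TEXT =
  '<img src="x" onmouseover="alert(document.cookie)"> ' +
  '<!DOCTYPE foo PUBLIC "foo"> <foo />';

const cdataResult = naiveRoundTrip(PRE_TEXT, serializeAsCdata);
const escapedResult = naiveRoundTrip(PRE_TEXT, escapeHtmlText);
console.log('CDATA-style innerHTML writes :', cdataResult.written);
console.log('  start tags the parser sees :', cdataResult.tags);
console.log('Escaped innerHTML writes     :', escapedResult.written);
console.log('  start tags the parser sees :', escapedResult.tags);
console.log('safeWrite() output           :', safeWrite(PRE_TEXT));
```

Under the CDATA-style serialization the written string still contains a live `<img ... onmouseover=...>` start tag, which is exactly the injection the report describes; under text-node escaping no start tag survives, and `<!DOCTYPE ...>` comes back as `&lt;!DOCTYPE ...&gt;`. The practical check for application code is the last function: if output is built from element text, escape it explicitly rather than relying on whichever innerHTML behaviour the browser happens to implement.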