[Webkit-unassigned] [Bug 272678] New: Handling stale index value in Element setAttribute() API due to the call of getTrustedTypesCompliantAttributeValue()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 15 07:44:09 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=272678

            Bug ID: 272678
           Summary: Handling stale index value in Element setAttribute()
                    API due to the call of
                    getTrustedTypesCompliantAttributeValue()
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zsun at igalia.com

With the change at https://github.com/WebKit/WebKit/pull/26519, it calls getTrustedTypesCompliantAttributeValue in Element setAttribute() API. The getTrustedTypesCompliantAttributeValue can result in JS execution which may mutate the attributes of the element and make the index value used in this function stale.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240415/eb58990c/attachment.htm>

More information about the webkit-unassigned mailing list