- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 07 Oct 2020 06:57:25 -0700
- To: w3c/DOM-Parsing <DOM-Parsing@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 7 October 2020 13:57:38 UTC

The HTML fragment parsing algorithm creates its own dummy document. Which means that

```
document.createRange().createContextualFragment(`<img src=x onerror=alert(1)>`)
```

should technically not alert as things are currently defined (images are only fetched in active documents). However, it does. In all browsers. And if you check the node document of the returned fragment it will match document, which is an active document.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/DOM-Parsing/issues/65