Re: [whatwg/dom] Trusted types attributes (PR #1268) from smaug---- on 2024-07-04 (public-webapps-github@w3.org from July 2024)

From: smaug---- <notifications@github.com>
Date: Thu, 04 Jul 2024 07:24:29 -0700
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/pull/1268/review/2158977493@github.com>

@smaug---- commented on this pull request.

Some questions. I could be missing something in TT spec which somehow covers the problematic cases, but please at least explain and ask review again.

> @@ -6457,6 +6457,16 @@ steps:
  <a for=Attr>value</a>.
 </ol>
 
+<p>To <dfn>verify attribute value</dfn>
+{{TrustedType}} or string <var>value</var> for an <a>attribute</a> <var>attribute</var>, given an
+<a for=/>Element</a> <var>element</var>:
+
+<ol>
+ <li><p>Return the result of calling
+ <a abstract-op>get Trusted Types-compliant attribute value</a> for <var>attribute</var>, with
+ <var>element</var>, <var>value</var>. [[!TRUSTED-TYPES]]

So this may throw. Do the callers of this method handle that in some way?

> @@ -6519,6 +6529,11 @@ string <var>namespace</var> (default null):</p>
 
  <li><p>If <var>oldAttr</var> is <var>attr</var>, return <var>attr</var>.
 
+ <li><p>Let <var>verifiedValue</var> be the result of calling <a>verify attribute value</a>
+ <var>attr</var>'s <a for=Attr>value</a> for <var>attr</var>, with <var>element</var>.
+
+ <li><p>Set <var>attr</var>'s <a for=Attr>value</a> to <var>verifiedValue</var>.
+

Hmm, so doing the verification may run scripts. And that means oldAttr might not be anymore in the element it used to be.   Could that cause issues? Could the value be validated first for certain kind of element but then used on some other kind of element?

> @@ -7382,7 +7437,13 @@ string <var>value</var>, run these steps:
  <li><p>If <var>attribute</var>'s <a for=Attr>element</a> is null, then set <var>attribute</var>'s
  <a for=Attr>value</a> to <var>value</var>.
 
- <li><p>Otherwise, <a lt="change an attribute">change</a> <var>attribute</var> to <var>value</var>.
+ <li><p>Otherwise:
+  <ol>
+    <li><p>Let <var>verifiedValue</var> be the result of calling <a>verify attribute value</a>
+    <var>value</var> for <var>attribute</var>, with <a>this</a>.
+
+   <li><p><a lt="change an attribute">Change</a> <var>attribute</var> to <var>verifiedValue</var>.

Doesn't this lead to effectively null pointer crashes in algorithms if attribute has been moved out from an element by the tt callback? 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/pull/1268#pullrequestreview-2158977493
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/dom/pull/1268/review/2158977493@github.com>

Received on Thursday, 4 July 2024 14:24:33 UTC