LibWeb: Limit HTMLImageElement width and height to allowed values

Setting the `width` or `height` properties of `HTMLImageElement` to a value greater than 2147483647 will now cause the property to be set to 0.
Author: https://github.com/tcl3 Commit: https://github.com/LadybirdBrowser/ladybird/commit/b05bc710023 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2641
2024-11-29 15:32:37 +00:00 · 2024-11-29 15:32:37 +00:00 · b05bc71002 · 2024-12-01 15:13:03 +00:00
commit b05bc71002
parent c94b4316e7
4 changed files with 58 additions and 12 deletions
--- a/Libraries/LibWeb/HTML/HTMLImageElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLImageElement.cpp
@ -190,7 +190,7 @@ void HTMLImageElement::set_visible_in_viewport(bool)
 }

 // https://html.spec.whatwg.org/multipage/embedded-content.html#dom-img-width
-unsigned HTMLImageElement::width() const
+WebIDL::UnsignedLong HTMLImageElement::width() const
 {
    const_cast<DOM::Document&>(document()).update_layout();

@ -198,9 +198,9 @@ unsigned HTMLImageElement::width() const
    if (auto* paintable_box = this->paintable_box())
        return paintable_box->content_width().to_int();

-    // NOTE: This step seems to not be in the spec, but all browsers do it.
+    // On setting [the width or height IDL attribute], they must act as if they reflected the respective content attributes of the same name.
    if (auto width_attr = get_attribute(HTML::AttributeNames::width); width_attr.has_value()) {
-        if (auto converted = width_attr->to_number<unsigned>(); converted.has_value())
+        if (auto converted = parse_non_negative_integer(*width_attr); converted.has_value() && *converted <= 2147483647)
            return *converted;
    }

@ -213,13 +213,15 @@ unsigned HTMLImageElement::width() const
    return 0;
 }

-WebIDL::ExceptionOr<void> HTMLImageElement::set_width(unsigned width)
+WebIDL::ExceptionOr<void> HTMLImageElement::set_width(WebIDL::UnsignedLong width)
 {
+    if (width > 2147483647)
+        width = 0;
    return set_attribute(HTML::AttributeNames::width, String::number(width));
 }

 // https://html.spec.whatwg.org/multipage/embedded-content.html#dom-img-height
-unsigned HTMLImageElement::height() const
+WebIDL::UnsignedLong HTMLImageElement::height() const
 {
    const_cast<DOM::Document&>(document()).update_layout();

@ -227,9 +229,9 @@ unsigned HTMLImageElement::height() const
    if (auto* paintable_box = this->paintable_box())
        return paintable_box->content_height().to_int();

-    // NOTE: This step seems to not be in the spec, but all browsers do it.
+    // On setting [the width or height IDL attribute], they must act as if they reflected the respective content attributes of the same name.
    if (auto height_attr = get_attribute(HTML::AttributeNames::height); height_attr.has_value()) {
-        if (auto converted = height_attr->to_number<unsigned>(); converted.has_value())
+        if (auto converted = parse_non_negative_integer(*height_attr); converted.has_value() && *converted <= 2147483647)
            return *converted;
    }

@ -242,8 +244,10 @@ unsigned HTMLImageElement::height() const
    return 0;
 }

-WebIDL::ExceptionOr<void> HTMLImageElement::set_height(unsigned height)
+WebIDL::ExceptionOr<void> HTMLImageElement::set_height(WebIDL::UnsignedLong height)
 {
+    if (height > 2147483647)
+        height = 0;
    return set_attribute(HTML::AttributeNames::height, String::number(height));
 }

--- a/Libraries/LibWeb/HTML/HTMLImageElement.h
+++ b/Libraries/LibWeb/HTML/HTMLImageElement.h
@ -52,11 +52,11 @@ public:

    RefPtr<Gfx::ImmutableBitmap> immutable_bitmap() const;

-    unsigned width() const;
-    WebIDL::ExceptionOr<void> set_width(unsigned);
+    WebIDL::UnsignedLong width() const;
+    WebIDL::ExceptionOr<void> set_width(WebIDL::UnsignedLong);

-    unsigned height() const;
-    WebIDL::ExceptionOr<void> set_height(unsigned);
+    WebIDL::UnsignedLong height() const;
+    WebIDL::ExceptionOr<void> set_height(WebIDL::UnsignedLong);

    unsigned natural_width() const;
    unsigned natural_height() const;
--- a/Tests/LibWeb/Text/expected/HTML/unsigned-long-reflection.txt
+++ b/Tests/LibWeb/Text/expected/HTML/unsigned-long-reflection.txt
@ -1,3 +1,23 @@
+img.getAttribute("height") after img.setAttribute("height", "0"): 0
+img.height after img.setAttribute("height", "0"): 0
+img.getAttribute("height") after img.height = 0: 0
+img.height after img.height = 0: 0
+img.getAttribute("height") after img.setAttribute("height", "1"): 1
+img.height after img.setAttribute("height", "1"): 1
+img.getAttribute("height") after img.height = 1: 1
+img.height after img.height = 1: 1
+img.getAttribute("height") after img.setAttribute("height", "2147483647"): 2147483647
+img.height after img.setAttribute("height", "2147483647"): 2147483647
+img.getAttribute("height") after img.height = 2147483647: 2147483647
+img.height after img.height = 2147483647: 2147483647
+img.getAttribute("height") after img.setAttribute("height", "2147483648"): 2147483648
+img.height after img.setAttribute("height", "2147483648"): 0
+img.getAttribute("height") after img.height = 2147483648: 0
+img.height after img.height = 2147483648: 0
+img.getAttribute("height") after img.setAttribute("height", "4294967295"): 4294967295
+img.height after img.setAttribute("height", "4294967295"): 0
+img.getAttribute("height") after img.height = 4294967295: 0
+img.height after img.height = 4294967295: 0
 img.getAttribute("hspace") after img.setAttribute("hspace", "0"): 0
 img.hspace after img.setAttribute("hspace", "0"): 0
 img.getAttribute("hspace") after img.hspace = 0: 0
@ -18,6 +38,26 @@ img.getAttribute("hspace") after img.setAttribute("hspace", "4294967295"): 42949
 img.hspace after img.setAttribute("hspace", "4294967295"): 0
 img.getAttribute("hspace") after img.hspace = 4294967295: 0
 img.hspace after img.hspace = 4294967295: 0
+img.getAttribute("width") after img.setAttribute("width", "0"): 0
+img.width after img.setAttribute("width", "0"): 0
+img.getAttribute("width") after img.width = 0: 0
+img.width after img.width = 0: 0
+img.getAttribute("width") after img.setAttribute("width", "1"): 1
+img.width after img.setAttribute("width", "1"): 1
+img.getAttribute("width") after img.width = 1: 1
+img.width after img.width = 1: 1
+img.getAttribute("width") after img.setAttribute("width", "2147483647"): 2147483647
+img.width after img.setAttribute("width", "2147483647"): 2147483647
+img.getAttribute("width") after img.width = 2147483647: 2147483647
+img.width after img.width = 2147483647: 2147483647
+img.getAttribute("width") after img.setAttribute("width", "2147483648"): 2147483648
+img.width after img.setAttribute("width", "2147483648"): 0
+img.getAttribute("width") after img.width = 2147483648: 0
+img.width after img.width = 2147483648: 0
+img.getAttribute("width") after img.setAttribute("width", "4294967295"): 4294967295
+img.width after img.setAttribute("width", "4294967295"): 0
+img.getAttribute("width") after img.width = 4294967295: 0
+img.width after img.width = 4294967295: 0
 input.getAttribute("size") after input.setAttribute("size", "0"): 0
 input.size after input.setAttribute("size", "0"): 20
 input.size = 0 threw exception of type IndexSizeError
--- a/Tests/LibWeb/Text/input/HTML/unsigned-long-reflection.html
+++ b/Tests/LibWeb/Text/input/HTML/unsigned-long-reflection.html
@ -42,7 +42,9 @@
            return input;
        }

+        testProperty("img", "height", (img) => img.height, (img, value) => img.height = value);
        testProperty("img", "hspace", (img) => img.hspace, (img, value) => img.hspace = value);
+        testProperty("img", "width", (img) => img.width, (img, value) => img.width = value);
        testProperty("input", "size", (input) => input.size, (input, value) => input.size = value);
        testProperty(imageButtonInputFactory, "height", (input) => input.height, (input, value) => input.height = value);
        testProperty(imageButtonInputFactory, "width", (input) => input.width, (input, value) => input.width = value);