path: root/components/script/script_thread.rs
author Martin Robinson <mrobinson@igalia.com> 2025-02-09 09:56:05 +0100
committer GitHub <noreply@github.com> 2025-02-09 08:56:05 +0000
commit 75cf3d72652d48ba999a7f66a613c5cc38549450 (patch)
tree 75063f48cb44641f0e15d9e87fd13d3614827ef3 /components/script/script_thread.rs
parent b483cdb7864062468eaa40e3c3dd5132d025dd91 (diff)
dom: Always replace unpaired surrogates when handling page text (#35381)
Background:

> JavaScript strings are potentially ill-formed UTF-16 (arbitrary
> Vec<u16>) and can contain unpaired surrogates. Rust’s String type is
> well-formed UTF-8 and can not contain any surrogate. Surrogates are
> never emitted when decoding bytes from the network, but they can sneak
> in through document.write, the Element.innerHtml setter, or other DOM
> APIs.

In 2015, Servo launched an experiment to see if unpaired surrogates cropped up in page content. That experiment caused Servo to panic if unpaired surrogates were encountered with a request to report the page to bug #6564. During that time several pages were reported with unpaired surrogates, causing Servo to panic. In addition, when running the WPT tests Servo will never panic due to the `-Z replace-surrogates` option being passed by the test driver.

Motivation:

After this 10 year experiment, it's clear that unpaired surrogates are a real concern in page content. Several reports were filed of Servo panicking after encountering them in real world pages. A complete fix for this issue would be to somehow maintain unpaired surrogates in the DOM, but that is a much larger task than simply emitting U+FFD instead of an unpaired surrogate.

Since it is clear that this kind of content exists, it is better for Servo to try its best to handle the content rather than crash as production browsers should not crash due to user content when possible. In this change, I modify Servo to always replace unpaired surrogates. It would have been ideal to only crash when debug assertions are enabled, but debug assertions are enabled by default in release mode -- so this wouldn't be effective for WPT tests.

Signed-off-by: Martin Robinson <mrobinson@igalia.com>
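The two behaviours the commit message contrasts, as an added example that is not Servo's code and not part of the commit: a strict UTF-16 conversion that fails on an unpaired surrogate, and a replacing conversion that emits U+FFFD and records where it did so. It uses only the Rust standard library; the function and type names are hypothetical and the input is constructed.

```rust
/// Result of converting DOM-style UTF-16 code units to a Rust `String`.
#[derive(Debug, PartialEq)]
pub struct Converted {
    pub text: String,
    /// Index (in UTF-16 code units) of each unpaired surrogate that was replaced.
    pub replaced_at: Vec<usize>,
}

/// Strict conversion: `None` as soon as the input holds an unpaired surrogate.
/// A caller that unwraps or panics here can be crashed by page content.
pub fn to_string_strict(units: &[u16]) -> Option<String> {
    String::from_utf16(units).ok()
}

/// Replacing conversion: each unpaired surrogate becomes U+FFFD, so the
/// function is total over arbitrary `u16` input.
pub fn to_string_replacing(units: &[u16]) -> Converted {
    let mut text = String::with_capacity(units.len());
    let mut replaced_at = Vec::new();
    let mut index = 0; // position in the input, counted in code units
    for decoded in char::decode_utf16(units.iter().copied()) {
        match decoded {
            Ok(c) => {
                text.push(c);
                index += c.len_utf16(); // 1 for BMP, 2 for a valid pair
            }
            Err(_) => {
                // An unpaired surrogate always consumes exactly one unit.
                text.push(char::REPLACEMENT_CHARACTER);
                replaced_at.push(index);
                index += 1;
            }
        }
    }
    Converted { text, replaced_at }
}

fn main() {
    // Constructed input: 'a', lone high surrogate, 'b',
    // U+1F600 as a valid pair, lone low surrogate.
    let units = [0x0061, 0xD800, 0x0062, 0xD83D, 0xDE00, 0xDC00];
    assert!(to_string_strict(&units).is_none());
    let out = to_string_replacing(&units);
    println!("{:?}, replaced at units {:?}", out.text, out.replaced_at);
}
```

The replacement is lossy: the original code units cannot be recovered from the output, which is the trade-off the commit message accepts in place of keeping unpaired surrogates in the DOM.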
Diffstat (limited to 'components/script/script_thread.rs')
-rw-r--r-- components/script/script_thread.rs 6
1 files changed, 0 insertions, 6 deletions
diff --git a/components/script/script_thread.rs b/components/script/script_thread.rs
index 9fe4b10e9b6..695b837e9ad 100644
--- a/components/script/script_thread.rs
+++ b/components/script/script_thread.rs
@@ -318,10 +318,6 @@ pub struct ScriptThread {
/// won't be loaded
userscripts_path: Option<String>,
- /// Replace unpaired surrogates in DOM strings with U+FFFD.
- /// See <https://github.com/servo/servo/issues/6564>
- replace_surrogates: bool,
-
/// An optional string allowing the user agent to be set for testing.
user_agent: Cow<'static, str>,
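Review bot: The doc comment deleted together with the `replace_surrogates` field was the one place in this struct that recorded the U+FFFD substitution and linked issue 6564. This view is limited to script_thread.rs, so it is not visible whether that reference survives elsewhere; consider keeping a short comment with the issue link at the point where the replacement is now applied unconditionally, so the reason for the lossy conversion stays discoverable.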
@@ -957,7 +953,6 @@ impl ScriptThread {
local_script_source: opts.local_script_source.clone(),
unminify_css: opts.unminify_css,
userscripts_path: opts.userscripts.clone(),
- replace_surrogates: opts.debug.replace_surrogates,
user_agent,
player_context: state.player_context,
node_ids: Default::default(),
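Review bot: `opts.debug.replace_surrogates` is no longer read in this initializer, so the debug option itself should be removed or deprecated in the same change, otherwise it remains a flag that parses but has no effect. The commit message says the WPT test driver passes `-Z replace-surrogates`; please confirm that the driver stops passing it or that the option parser still accepts it, so test runs do not fail on an unrecognized option.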
@@ -3146,7 +3141,6 @@ impl ScriptThread {
self.unminify_css,
self.local_script_source.clone(),
self.userscripts_path.clone(),
- self.replace_surrogates,
self.user_agent.clone(),
self.player_context.clone(),
#[cfg(feature = "webgpu")]
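Review bot: Style point on this call: the arguments are passed positionally in a long list (`self.unminify_css`, `self.local_script_source.clone()`, `self.userscripts_path.clone()`, and so on), so dropping `self.replace_surrogates` from the middle depends on the callee's parameter list being updated in lockstep, and the callee is not part of this view. The differing neighbour types should make a mismatch a compile error here, but a follow-up that groups these settings into a struct with named fields would make removals like this one less fragile to review.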