Audit and fix innerHTML scripting disabled parsing behavior for template
What is the issue with the HTML Standard?
Load https://hsivonen.com/test/moz/template-innerHTML.html in Firefox, Safari, and Chrome and examine the results. (Also view source.)
Observations:
- All three browsers agree on the `div` cases.
- All three browsers serialize text children of `noscript` in `template` as if scripting was disabled vs. in `div` as if scripting was enabled.
- Firefox parses all cases as if scripting was enabled.
- Safari and Chrome parse the `div` cases as well as the `template` contents that are directly in the HTML loaded from network as if scripting was enabled but parse the other `template` cases as if scripting was disabled.
It appears that these are unintended side effects of how the appropriate template contents owner document.
It seems that `template` having these inconsistencies compared to `div` is bad and a hazard that can cause bugs on sites, and it seems that we should make `template` behave consistently with `div` here.
Unfortunately, there is existence proof of a site that depends on `innerHTML` on `template` parsing as if scripting was disabled.
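To make the observations above concrete, here is an added example (not code from this issue, the HTML Standard, or any browser) that models the two rules involved: with scripting enabled the parser treats `<noscript>` content as raw text, and the serializer leaves text children of `noscript` unescaped; with scripting disabled the content is parsed as markup and the text is escaped. The model covers only plain elements, text and `noscript` (attributes are ignored, a few void elements are recognised); `parseFragment`, `serialize`, `roundTrip` and `probeBrowser` are this example's own names. `probeBrowser` only runs in a browser and reports whether a `div` and a `template` parsed the same `noscript` fragment as scripting-disabled, which is the check a site author would use before depending on one behaviour or the other.

```javascript
// Added example: a minimal model of the scripting-flag dependent parts of
// HTML parsing and serialization, plus a browser probe for the div vs.
// template difference. Not the spec's or any engine's code.

const VOID = new Set(['br', 'img', 'hr', 'input', 'meta', 'link']);
const RAW_PARENTS = new Set(['style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext']);

// Parse a simplified fragment into a tree of {type, name, children} /
// {type, data}. With scriptingEnabled, everything between <noscript> and
// </noscript> (or end of input) becomes one text node, as in the RAWTEXT
// tokenizer state; otherwise <noscript> content is parsed as normal markup.
function parseFragment(html, scriptingEnabled) {
  const root = { type: 'element', name: '#root', children: [] };
  const stack = [root];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    const top = stack[stack.length - 1];
    if (html[i] !== '<') {
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      top.children.push({ type: 'text', data: html.slice(i, end) });
      i = end;
      continue;
    }
    const close = html.indexOf('>', i);
    if (close === -1) throw new Error('unterminated tag');
    const tag = html.slice(i + 1, close);
    i = close + 1;
    if (tag.startsWith('/')) {
      // End tag: pop to the nearest matching open element, else ignore it.
      const name = tag.slice(1).trim().toLowerCase();
      for (let d = stack.length - 1; d > 0; d--) {
        if (stack[d].name === name) { stack.length = d; break; }
      }
      continue;
    }
    const name = tag.split(/[\s/]/)[0].toLowerCase();
    const el = { type: 'element', name, children: [] };
    top.children.push(el);
    if (name === 'noscript' && scriptingEnabled) {
      const end = lower.indexOf('</noscript>', i);
      const stop = end === -1 ? html.length : end;
      el.children.push({ type: 'text', data: html.slice(i, stop) });
      i = end === -1 ? html.length : end + '</noscript>'.length;
    } else if (!VOID.has(name)) {
      stack.push(el);
    }
  }
  return root;
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialize children of a node. Text is escaped unless its parent is one
// of the raw-text elements, or is noscript while scripting is enabled.
function serialize(node, scriptingEnabled) {
  return node.children.map(child => {
    if (child.type === 'text') {
      const raw = RAW_PARENTS.has(node.name) || (node.name === 'noscript' && scriptingEnabled);
      return raw ? child.data : escapeText(child.data);
    }
    if (VOID.has(child.name)) return `<${child.name}>`;
    return `<${child.name}>${serialize(child, scriptingEnabled)}</${child.name}>`;
  }).join('');
}

// Parse with one flag and serialize with another, i.e. what reading back
// innerHTML does. (enabled, enabled) is the div case; (disabled, disabled)
// is template.innerHTML in Safari/Chrome; (enabled, disabled) is
// template.innerHTML in Firefox per the observations above.
function roundTrip(html, parseScripting, serializeScripting) {
  return serialize(parseFragment(html, parseScripting), serializeScripting);
}

// Browser-only probe: did <noscript> content become an element (parsed as
// scripting-disabled) under innerHTML for a div and for a template?
function probeBrowser(doc) {
  const markup = '<noscript><b>x</b></noscript>';  // constructed sample
  const div = doc.createElement('div');
  div.innerHTML = markup;
  const tpl = doc.createElement('template');
  tpl.innerHTML = markup;
  return {
    divParsedAsScriptingDisabled: div.querySelector('noscript b') !== null,
    templateParsedAsScriptingDisabled: tpl.content.querySelector('noscript b') !== null,
    divSerialized: div.innerHTML,
    templateSerialized: tpl.innerHTML,
  };
}

if (typeof document !== 'undefined') console.log(probeBrowser(document));
```

With the sample `<noscript><b>x</b></noscript>`, the div case and the Safari/Chrome template case both round-trip unchanged, while the Firefox template case (parsed with scripting enabled, serialized as if disabled) comes back as `<noscript>&lt;b&gt;x&lt;/b&gt;</noscript>`, so markup that passed through a `template` is no longer the markup that was put in. That asymmetry between what one context parses and what another serializes is the property mutation-XSS findings rely on, and it is why the thread argues `template` should behave like `div`.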
> It seems that `template` having these inconsistencies compared to `div` is bad and a hazard that can cause bugs on sites, and it seems that we should make `template` behave consistently with `div` here.
Agreed, this kind of thing has been exploited as mutation-XSS previously. https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/
@mfreed7 IIRC you wanted to add a use counter for this in Chromium. Is there an issue filed?
> @mfreed7 IIRC you wanted to add a use counter for this in Chromium. Is there an issue filed?
Yep, I'm happy to add a use counter, and no there isn't a bug for that yet. If you'd be so kind as to file one, I could take a look!
@mfreed7 filed https://issues.chromium.org/issues/460581850
Thanks!