Don't update selectedcontent in option insertion/removal steps#59528
Merged
chromium-wpt-export-bot merged 1 commit intomasterfrom Apr 29, 2026
Merged
Don't update selectedcontent in option insertion/removal steps#59528chromium-wpt-export-bot merged 1 commit intomasterfrom
chromium-wpt-export-bot merged 1 commit intomasterfrom
Conversation
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-7745871
branch
from
3ab211c to
0916cc8
Compare
Modifying the DOM by updating selectedcontent elements during insertion or removal steps is bad for security reasons. We already removed the selectedcontent element removal steps which was one way this can happen, but the option's InsertedInto and RemovedFrom methods may change which option is selected, which will synchronously update the selectedcontent element. This patch fixes this by moving the selectedcontent updating to the post-insertion steps for insertion, and by using a microtask to update on removal if needed. This matches the behavior in the spec PR: whatwg/html#12263 Bug: 458113204 Change-Id: I42bb94c6eace93445cfbc816529e42ca8a561b94 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7745871 Reviewed-by: David Baron <dbaron@chromium.org> Reviewed-by: Joey Arhar <jarhar@chromium.org> Commit-Queue: Joey Arhar <jarhar@chromium.org> Cr-Commit-Position: refs/heads/main@{#1622241}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-7745871
branch
from
0916cc8 to
fb3aa7f
Compare
wpt-pr-bot
approved these changes
Apr 29, 2026
Collaborator
wpt-pr-bot
left a comment
wpt-pr-bot
left a comment
There was a problem hiding this comment.
The review process for this patch is being conducted in the Chromium project.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Modifying the DOM by updating selectedcontent elements during insertion
or removal steps is bad for security reasons. We already removed the
selectedcontent element removal steps which was one way this can happen,
but the option's InsertedInto and RemovedFrom methods may change which
option is selected, which will synchronously update the selectedcontent
element.
This patch fixes this by moving the selectedcontent updating to the
post-insertion steps for insertion, and by using a microtask to update
on removal if needed.
This matches the behavior in the spec PR: whatwg/html#12263
Bug: 458113204
Change-Id: I42bb94c6eace93445cfbc816529e42ca8a561b94
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7745871
Reviewed-by: David Baron <dbaron@chromium.org>
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1622241}