LibWeb: Empty CE reaction queue instead of destroying it on exception

If an exception occurs in a custom element constructor, we clear the reaction queue by destroying it, instead of emptying the Vector. 3da6916383/Userland/Libraries/LibWeb/DOM/Element.cpp (L2033) This causes a UAF here, as async upgrades (i.e. custom elements not created by document.createElement) are performed in this loop: 3da6916383/Userland/Libraries/LibWeb/Bindings/MainThreadVM.cpp (L657) Fixes crash when loading https://github.com/SerenityOS/serenity
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/48e11a1f12 Pull-request: https://github.com/SerenityOS/serenity/pull/23409
2026-04-30 19:47:17 +02:00 · 2024-03-01 00:58:51 +00:00 · 2024-07-17 05:18:58 +09:00
parent 5b4533cab8
commit 48e11a1f12
3 changed files with 24 additions and 1 deletions
--- a/Tests/LibWeb/Text/input/HTML/custom-elements-throw-in-constructor.html
+++ b/Tests/LibWeb/Text/input/HTML/custom-elements-throw-in-constructor.html
@@ -0,0 +1,20 @@
+<test-element></test-element>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        class TestElement extends HTMLElement {
+            constructor() {
+                super();
+                println("Entered TestElement constructor, throwing.");
+                throw "test";
+            }
+
+            connectedCallback() {
+                println("connectedCallback");
+            }
+        }
+
+        customElements.define("test-element", TestElement);
+        println("PASS! (Didn't crash)");
+    });
+</script>