eliott/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird synced 2026-05-11 01:22:43 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
1aeb08025038b8810118a4871c2894de54960dac
ladybird/Tests/LibWeb/Crash/HTML/range-input-mousedown-hidden.html
Andreas Kling 5da72570b8 LibWeb: Harden UA event handlers on range and number inputs 
These handlers crashed on several kinds of JS-dispatched input:
zero-width range (divide by zero in the slider mouse handler),
step="any" (MUST(step_up) throws InvalidStateError), plain Event
without clientX/deltaY/key (unchecked as_foo() asserts on
undefined), min > max (trips clamp()'s VERIFY), and input.type
changes leaving the range listeners attached to dereference empty
Optionals from the range-only min()/max() accessors.

Gate each handler on its expected type_state() and on
allowed_value_step() having a value, validate event property types
before converting, and bail out on zero-width rects or min > max.
Six crash tests cover the new paths.

Hit on a Cloudflare challenge page.
2026-04-24 07:58:34 +02:00

7 lines
215 B
HTML
Raw Blame History

<!DOCTYPE html>
<input type="range" style="display: none" id="r">
<script>
const input = document.getElementById("r");
input.dispatchEvent(new MouseEvent("mousedown", { clientX: 0, clientY: 0 }));
</script>
Reference in New Issue View Git Blame Copy Permalink