LibWeb: Track if element was created from token with dupe attributes

This is required for CSP to ignore the nonce attribute to prevent duplicate attributes hijacking the attribute. See https://w3c.github.io/webappsec-csp/#security-nonce-hijacking
Author: https://github.com/Lubrsi Commit: 2368641de5 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5328 Reviewed-by: https://github.com/ADKaster ✅
2025-07-22 17:01:54 +00:00 · 2024-12-02 12:33:52 +00:00 · 2024-12-02 12:33:52 +00:00 · 2368641de5 · 2025-07-09 21:54:13 +00:00
commit 2368641de5
parent b6b030aa43
5 changed files with 27 additions and 0 deletions
--- a/Libraries/LibWeb/HTML/Parser/HTMLToken.cpp
+++ b/Libraries/LibWeb/HTML/Parser/HTMLToken.cpp
@ -98,6 +98,7 @@ void HTMLToken::normalize_attributes()
            // This is a duplicate attribute, remove it.
            tag_attributes.remove(i);
            --i;
+            m_had_duplicate_attribute = true;
        }
    }
 }