LibWeb: Limit HTMLSelectElement.size to allowed values

This change ensures that the correct default value of 0 is used and that values greater than 2147483647 will fall back to the default value. It also splits the display size concept into a separate method, as this isn't supposed to be used when getting the IDL property.
Author: https://github.com/tcl3 Commit: 6218f1a609 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2635 Reviewed-by: https://github.com/AtkinsSJ ✅
2025-07-29 12:19:54 +00:00 · 2024-11-29 11:19:31 +00:00 · 2024-11-29 11:19:31 +00:00 · 6218f1a609 · 2024-11-29 12:39:58 +00:00
commit 6218f1a609
parent 6bfc35b6a9
5 changed files with 41 additions and 4 deletions
--- a/Libraries/LibWeb/HTML/HTMLSelectElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLSelectElement.cpp
@ -77,7 +77,7 @@ void HTMLSelectElement::adjust_computed_style(CSS::StyleProperties& style)
 }

 // https://html.spec.whatwg.org/multipage/form-elements.html#concept-select-size
-WebIDL::UnsignedLong HTMLSelectElement::size() const
+u32 HTMLSelectElement::display_size() const
 {
    // The size IDL attribute must reflect the respective content attributes of the same name. The size IDL attribute has a default value of 0.
    if (auto size_string = get_attribute(HTML::AttributeNames::size); size_string.has_value()) {
@ -94,8 +94,22 @@ WebIDL::UnsignedLong HTMLSelectElement::size() const
    return 1;
 }

+// https://html.spec.whatwg.org/multipage/form-elements.html#dom-select-size
+WebIDL::UnsignedLong HTMLSelectElement::size() const
+{
+    // The multiple, required, and size IDL attributes must reflect the respective content attributes of the same name. The size IDL attribute has a default value of 0.
+    if (auto size_string = get_attribute(HTML::AttributeNames::size); size_string.has_value()) {
+        if (auto size = parse_non_negative_integer(*size_string); size.has_value() && *size <= 2147483647)
+            return *size;
+    }
+
+    return 0;
+}
+
 WebIDL::ExceptionOr<void> HTMLSelectElement::set_size(WebIDL::UnsignedLong size)
 {
+    if (size > 2147483647)
+        size = 0;
    return set_attribute(HTML::AttributeNames::size, String::number(size));
 }

@ -574,7 +588,7 @@ void HTMLSelectElement::update_selectedness()
        return;

    // If element's multiple attribute is absent, and element's display size is 1,
-    if (size() == 1) {
+    if (display_size() == 1) {
        bool has_selected_elements = false;
        for (auto const& option_element : list_of_options()) {
            if (option_element->selected()) {
--- a/Libraries/LibWeb/HTML/HTMLSelectElement.h
+++ b/Libraries/LibWeb/HTML/HTMLSelectElement.h
@ -115,6 +115,8 @@ private:
    void update_inner_text_element();
    void queue_input_and_change_events();

+    u32 display_size() const;
+
    GC::Ptr<HTMLOptionsCollection> m_options;
    GC::Ptr<DOM::HTMLCollection> m_selected_options;
    bool m_is_open { false };
--- a/Tests/LibWeb/Text/expected/HTML/unsigned-long-reflection.txt
+++ b/Tests/LibWeb/Text/expected/HTML/unsigned-long-reflection.txt
@ -77,6 +77,26 @@ marquee.getAttribute("scrolldelay") after marquee.setAttribute("scrollDelay", "4
 marquee.scrollDelay after marquee.setAttribute("scrolldelay", "4294967295"): 85
 marquee.getAttribute("scrolldelay") after marquee.scrollDelay = 4294967295: 85
 marquee.scrollDelay after marquee.scrollDelay = 4294967295: 85
+select.getAttribute("size") after select.setAttribute("size", "0"): 0
+select.size after select.setAttribute("size", "0"): 0
+select.getAttribute("size") after select.size = 0: 0
+select.size after select.size = 0: 0
+select.getAttribute("size") after select.setAttribute("size", "1"): 1
+select.size after select.setAttribute("size", "1"): 1
+select.getAttribute("size") after select.size = 1: 1
+select.size after select.size = 1: 1
+select.getAttribute("size") after select.setAttribute("size", "2147483647"): 2147483647
+select.size after select.setAttribute("size", "2147483647"): 2147483647
+select.getAttribute("size") after select.size = 2147483647: 2147483647
+select.size after select.size = 2147483647: 2147483647
+select.getAttribute("size") after select.setAttribute("size", "2147483648"): 2147483648
+select.size after select.setAttribute("size", "2147483648"): 0
+select.getAttribute("size") after select.size = 2147483648: 0
+select.size after select.size = 2147483648: 0
+select.getAttribute("size") after select.setAttribute("size", "4294967295"): 4294967295
+select.size after select.setAttribute("size", "4294967295"): 0
+select.getAttribute("size") after select.size = 4294967295: 0
+select.size after select.size = 4294967295: 0
 textarea.getAttribute("rows") after textarea.setAttribute("rows", "0"): 0
 textarea.rows after textarea.setAttribute("rows", "0"): 2
 textarea.getAttribute("rows") after textarea.rows = 0: 2
--- a/Tests/LibWeb/Text/expected/select.txt
+++ b/Tests/LibWeb/Text/expected/select.txt
@ -6,7 +6,7 @@
 6. "Three"
 7. 45
 8. 0
-9. 1
+9. 0
 10. 3
 11. 999
 12. 10
--- a/Tests/LibWeb/Text/input/HTML/unsigned-long-reflection.html
+++ b/Tests/LibWeb/Text/input/HTML/unsigned-long-reflection.html
@ -31,6 +31,7 @@
        testProperty("input", "size", (input) => input.size, (input, value) => input.size = value);
        testProperty("marquee", "scrollAmount", (marquee) => marquee.scrollAmount, (marquee, value) => marquee.scrollAmount = value);
        testProperty("marquee", "scrollDelay", (marquee) => marquee.scrollDelay, (marquee, value) => marquee.scrollDelay = value);
+        testProperty("select", "size", (select) => select.size, (select, value) => select.size = value);
        testProperty("textarea", "rows", (textarea) => textarea.rows, (textarea, value) => textarea.rows = value);
        testProperty("textarea", "cols", (textarea) => textarea.cols, (textarea, value) => textarea.cols = value);
    });