LibWeb/CSS: Reject radial-gradient functions with negative size

Author: https://github.com/tcl3 Commit: 764b80a1cc Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3916 Reviewed-by: https://github.com/AtkinsSJ ✅
2025-08-06 16:19:23 +00:00 · 2025-03-11 15:25:00 +00:00 · 2025-03-11 15:25:00 +00:00 · 764b80a1cc · 2025-03-14 15:09:31 +00:00
commit 764b80a1cc
parent f2678bfcb8
3 changed files with 64 additions and 2 deletions
--- a/Libraries/LibWeb/CSS/Parser/GradientParsing.cpp
+++ b/Libraries/LibWeb/CSS/Parser/GradientParsing.cpp
@ -545,6 +545,14 @@ RefPtr<RadialGradientStyleValue> Parser::parse_radial_gradient_function(TokenStr
        return {};
    };

+    auto length_percentage_is_non_negative = [](LengthPercentage const& length_percentage) -> bool {
+        if (length_percentage.is_length() && length_percentage.length().raw_value() < 0)
+            return false;
+        if (length_percentage.is_percentage() && length_percentage.percentage().value() < 0)
+            return false;
+        return true;
+    };
+
    auto parse_size = [&]() -> Optional<Size> {
        // <size> =
        //      <extent-keyword>              |
@ -561,16 +569,19 @@ RefPtr<RadialGradientStyleValue> Parser::parse_radial_gradient_function(TokenStr
            return commit_value(*extent, transaction_size);
        }
        auto first_radius = parse_length_percentage(tokens);
-        if (!first_radius.has_value())
+        if (!first_radius.has_value() || !length_percentage_is_non_negative(*first_radius))
            return {};
        auto transaction_second_dimension = tokens.begin_transaction();
        tokens.discard_whitespace();
        if (tokens.has_next_token()) {
            auto second_radius = parse_length_percentage(tokens);
-            if (second_radius.has_value())
+            if (second_radius.has_value()) {
+                if (!length_percentage_is_non_negative(*second_radius))
+                    return {};
                return commit_value(EllipseSize { first_radius.release_value(), second_radius.release_value() },
                    transaction_size, transaction_second_dimension);
            }
+        }
        // FIXME: Support calculated lengths
        if (first_radius->is_length())
            return commit_value(CircleSize { first_radius->length() }, transaction_size);
--- a/Tests/LibWeb/Text/expected/wpt-import/css/css-backgrounds/parsing/background-image-invalid.txt
+++ b/Tests/LibWeb/Text/expected/wpt-import/css/css-backgrounds/parsing/background-image-invalid.txt
@ -0,0 +1,17 @@
+Harness status: OK
+
+Found 12 tests
+
+12 Pass
+Pass	e.style['background-image'] = "none, auto" should not set the property value
+Pass	e.style['background-image'] = "radial-gradient(circle -10px at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "repeating-radial-gradient(-10px at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "radial-gradient(ellipse -20px 30px at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "repeating-radial-gradient(-20% 30% at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "radial-gradient(20px -30px at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "repeating-radial-gradient(20px -30px ellipse at center, red, blue)" should not set the property value
+Pass	e.style['background-image'] = "cross-fade(auto blue, 50% red)" should not set the property value
+Pass	e.style['background-image'] = "cross-fade(1px red, green)" should not set the property value
+Pass	e.style['background-image'] = "cross-fade(calc(1% + 1px) red, green)" should not set the property value
+Pass	e.style['background-image'] = "cross-fade(-1% red, green)" should not set the property value
+Pass	e.style['background-image'] = "cross-fade(101% red, green)" should not set the property value
--- a/Tests/LibWeb/Text/input/wpt-import/css/css-backgrounds/parsing/background-image-invalid.html
+++ b/Tests/LibWeb/Text/input/wpt-import/css/css-backgrounds/parsing/background-image-invalid.html
@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>CSS Backgrounds and Borders Module Level 3: parsing background-image with invalid values</title>
+<link rel="author" title="Eric Willigers" href="mailto:ericwilligers@chromium.org">
+<link rel="help" href="https://drafts.csswg.org/css-backgrounds/#background-image">
+<link rel="help" href="https://drafts.csswg.org/css-images/#radial-gradients">
+<meta name="assert" content="background-image supports only the grammar '<bg-image>#'.">
+<meta name="assert" content="Negative radial-gradient radii are invalid.">
+<script src="../../../resources/testharness.js"></script>
+<script src="../../../resources/testharnessreport.js"></script>
+<script src="../../../css/support/parsing-testcommon.js"></script>
+</head>
+<body>
+<script>
+test_invalid_value("background-image", "none, auto");
+
+// Negative radii are invalid.
+test_invalid_value("background-image", "radial-gradient(circle -10px at center, red, blue)");
+test_invalid_value("background-image", "repeating-radial-gradient(-10px at center, red, blue)");
+test_invalid_value("background-image", "radial-gradient(ellipse -20px 30px at center, red, blue)");
+test_invalid_value("background-image", "repeating-radial-gradient(-20% 30% at center, red, blue)");
+test_invalid_value("background-image", "radial-gradient(20px -30px at center, red, blue)");
+test_invalid_value("background-image", "repeating-radial-gradient(20px -30px ellipse at center, red, blue)");
+
+test_invalid_value("background-image", "cross-fade(auto blue, 50% red)");
+test_invalid_value("background-image", "cross-fade(1px red, green)");
+test_invalid_value("background-image", "cross-fade(calc(1% + 1px) red, green)");
+test_invalid_value("background-image", "cross-fade(-1% red, green)");
+test_invalid_value("background-image", "cross-fade(101% red, green)");
+</script>
+</body>
+</html>