Implement attr() tainting.
attr() cannot be used as part of URLs, so we taint all values coming
from it using a special internal fast-to-test-for (and presumably
unguessable) token shaped like a comment. If ConsumeUrl() sees such
a token, it will return a parse error. We put the token at the end
to make sure that it doesn't get skipped inadvertently by lookahead.
The spec isn't completely clear about tainted equality values,
but at least the test for style queries works as it should.
There's one issue left after this patch; we do not properly taint
values going through registered custom properties. (There is
a failing test reflecting this.) This will be fixed in a future patch.
Change-Id: Ia83dd916a8d81d52664bd74bd8758b6236ee3c4c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5803681
Commit-Queue: Steinar H Gunderson sesse@chromium.org
Reviewed-by: Anders Hartvoll Ruud andruud@chromium.org
Cr-Commit-Position: refs/heads/main@{#1352638}