#### VULNERABILITY DETAILS
When an input element is removed, the popup is closed during the layout tree detach:
```
void HTMLInputElement::detachLayoutTree(const AttachContext& context) {
  HTMLTextFormControlElement::detachLayoutTree(context);
  m_needsToUpdateViewValue = true;
  // Tears down any chooser popup that the input type is still showing.
  m_inputTypeView->closePopupView();
}
```
If the chooser is still being displayed, its associated popup is torn down and the client (ColorChooserPopupUIController for inputs of type "color") is notified:
```
void WebPagePopupImpl::closePopup() {
  // This function can be called in EventDispatchForbiddenScope for the main
  // document, and the following operations dispatch some events. It's safe
  // because web authors can't listen the events.
  EventDispatchForbiddenScope::AllowUserAgentEvents allowEvents;
  (...)
  // Notifies the popup client (the color chooser controller) synchronously.
  m_popupClient->didClosePopup();
  m_webView->cleanupPagePopup();
}
```
The notification is propagated back to the input type, which dispatches a change event to the input element if its value has changed since the last change event was fired:
```
void ColorInputType::didEndChooser() {
  EventQueueScope scope;
  // Fires "change" on the <input> if the value changed while the chooser was open.
  if (LayoutTheme::theme().isModalColorChooser())
    element().dispatchFormControlChangeEvent();
  m_chooser.clear();
}
```
Unlike the user-agent events that closePopup() assumes are unobservable, this change event is visible to page script. It fires synchronously from inside detachLayoutTree(), so a change listener runs while the input and its ancestors are only partly detached, and any DOM mutation it performs at that point leaves the tree in an inconsistent state. An attacker can exploit this synchronous event to corrupt the DOM tree.
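The following is an added example, not code from the report or from Chromium. It models the re-entrancy above in a small, hypothetical node tree: detaching a node closes its open chooser, which fires a script-visible change event, and the listener appends a node to the subtree that is still being torn down. `Node`, `Document`, `hasLayout`, `detachLayoutTreeSync`, `detachLayoutTreeDeferred` and `runScenario` are all assumed names for this model; the hardened variant stands in for the general fix pattern of queuing the event until the structural operation has finished, not for Chromium's actual patch.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model (added example, not Blink code) of the teardown path:
// detaching layout state closes an open chooser, which fires a "change" event
// that author script can observe and use to mutate the tree mid-detach.
struct Node {
  std::string name;
  Node* parent = nullptr;
  std::vector<Node*> children;
  bool hasLayout = false;               // stands in for the LayoutObject
  bool chooserOpen = false;             // <input type=color> popup showing
  std::function<void(Node&)> onChange;  // script-installed change listener
};

struct Document {
  std::vector<std::unique_ptr<Node>> arena;         // owns every Node
  std::vector<std::function<void()>> queuedEvents;  // EventQueueScope model
  bool deferEvents = false;

  Node* create(const std::string& name) {
    arena.push_back(std::make_unique<Node>());
    arena.back()->name = name;
    return arena.back().get();
  }

  // A newly attached child takes the parent's layout state at insertion time.
  void appendChild(Node* parent, Node* child) {
    child->parent = parent;
    child->hasLayout = parent->hasLayout;
    parent->children.push_back(child);
  }

  void dispatchChange(Node* n) {
    if (!n->onChange) return;
    if (deferEvents) { queuedEvents.push_back([n] { n->onChange(*n); }); return; }
    n->onChange(*n);  // author script runs right here
  }

  // closePopup -> didClosePopup -> didEndChooser -> change event
  void closePopup(Node* n) {
    if (!n->chooserOpen) return;
    n->chooserOpen = false;
    dispatchChange(n);
  }

  // Vulnerable shape: the change event runs while 'n' and its ancestors still
  // hold layout state, so script mutates a half-detached tree.
  void detachLayoutTreeSync(Node* n) {
    std::vector<Node*> kids = n->children;  // snapshot, as a real walk would
    for (Node* c : kids) detachLayoutTreeSync(c);
    closePopup(n);
    n->hasLayout = false;
  }

  // Hardened shape: queue events during the walk and flush once it is done.
  void detachLayoutTreeDeferred(Node* n) {
    bool outermost = !deferEvents;
    deferEvents = true;
    detachLayoutTreeSync(n);
    if (!outermost) return;
    deferEvents = false;
    std::vector<std::function<void()>> pending;
    pending.swap(queuedEvents);
    for (auto& ev : pending) ev();
  }
};

// Invariant: a child may hold layout state only if its parent does.
bool treeConsistent(const Node* n) {
  for (const Node* c : n->children) {
    if (c->hasLayout && !n->hasLayout) return false;
    if (!treeConsistent(c)) return false;
  }
  return true;
}

// Remove a <form> holding a color input whose chooser is open; the change
// listener inserts a node into the form being torn down (constructed input).
// Returns true when the subtree is still consistent afterwards.
bool runScenario(bool deferred, size_t* childCountOut = nullptr) {
  Document doc;
  Node* body = doc.create("body");
  body->hasLayout = true;
  Node* form = doc.create("form");
  doc.appendChild(body, form);
  Node* input = doc.create("input[type=color]");
  doc.appendChild(form, input);
  input->chooserOpen = true;
  input->onChange = [&doc, form](Node&) {
    doc.appendChild(form, doc.create("div"));  // DOM mutation from the listener
  };
  if (deferred) doc.detachLayoutTreeDeferred(form);
  else          doc.detachLayoutTreeSync(form);
  if (childCountOut) *childCountOut = form->children.size();
  return treeConsistent(form);
}

int main() {
  std::printf("sync detach consistent: %s\n", runScenario(false) ? "yes" : "no");
  std::printf("deferred detach consistent: %s\n", runScenario(true) ? "yes" : "no");
}
```

In the synchronous variant the listener appends a `div` while `form` still reports layout state, so the new child is attached under a parent that is detached a moment later; the invariant check fails. Deferring the event until the walk completes lets the same listener run on a consistent tree. The model keeps `hasLayout` as a flag rather than a pointer precisely so the inconsistency is observable instead of undefined behaviour.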
#### VERSION
Chrome 54.0.2840.59 (Stable)
Chrome 55.0.2883.21 (Beta)
Chrome 56.0.2896.3 (Dev)
Chromium 56.0.2899.0 (Release build compiled today)
Attachment: [exploit.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2016-5208.zip)