CSS selectors aren't split up correctly after inner quotes

[passbrains]

Adapted from ​https://www.passbrains.com/dashboard/view-ticket.php?ticket_no=ACH-181

Environment

Windows + 8 64bit + Chrome + English
ABP version 1.8.12.1423

How to reproduce

1. Install ABP extension.
2. Load website ​https://www.zopim.com/
3. Click on ABP icon and choose 'Block element'. Click on zopimchat displayed in the right bottom of the screen.
4. When 'Add filter(s)?' Dialog box is displayed with filter,  click on 'Add'. 

This is <iframe> element.

In opera, zopim chat is blocked with filters :
zopim.com##iframe[src="javascript:false"]
zopim.com##.zopim

Observed behaviour

zopimchat is not blocked.

Expected behaviour

zopimchat is blocked.

[passbrains]

1 - 07 May 2015 01:09:10 posted by Ross Green
Reproduced as described.

This also occurs as described in Opera 29.0.1795.47 with ABP 1.8.12.1423. Opera doesn't recommend the filters mentioned in the initial reproduction steps and behaves as Chrome does.

ABP 1.8.12.1423
Chrome 42.0.2311.135 / Windows 8.1 x64

[Ross]

Actually I might have misunderstood this ticket slightly. If you manually use the filter zopim.com##iframe[src="javascript:false"] it does block it as expected in Opera after page refresh but it does NOT in Chrome.

[sebastian]

This website delivers different HTML dependent on the browser. On Opera the element looks like <iframe src="javascript:false">. Hence the filter zopim.com##iframe[src="javascript:false"] is generated and works as expected.

On Chrome however, the element looks like that:

<iframe src="javascript:void(document.write('<!DOCTYPE html><html><head><style>html,body{height:100%;width:100%;} *{border:0;padding:0;margin:0;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box}</style></head><body onload="window.isLoaded = true"></body></html>'), document.close())">

Hence following filter is generated:

zopim.com##iframe[src="javascript:void(document.write('<!DOCTYPE html><html><head><style>html,body\7b height:100%;width:100%;\7d  *\7b border:0;padding:0;margin:0;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box\7d </style></head><body onload=\"window.isLoaded = true\"></body></html>'), document.close())"]

The reason that this filter doesn't work, is a bug in the code splitting up CSS selectors to add the ::content pseudo selector for shadow DOM. The CSS selector in the filter above is currently transformed like below:

::content iframe[src="javascript:void(document.write('<!DOCTYPE html><html><head><style>html,body\7b height:100%;width:100%;\7d  *\7b border:0;padding:0;margin:0;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box\7d </style></head><body onload=\"window.isLoaded = true\"></body></html>'),
::content document.close())"]

That is because the current code assumes to be outside of a quoted string, when the comma occurs, hence splitting up the selector there. But merely the inner quoted string (i.e. '<!DOCTYPE html><html>..</html>') was closed, however we are still between the outer double quotes. I realized that the state machine used here forgets about the outer quotes when parsing inner quotes, causing this issue.

[sebastian]

​https://hg.adblockplus.org/adblockpluschrome/rev/2aedd44c6585