Portals: Apply dangling markup restrictions to <portal> element.

Bug: 967204
Change-Id: I276e6f8d8bdc3d317f5ce58f138d77601ee3c878
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2248059Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Lucas Gadani <lfg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#779832}

third_party/blink/renderer/core/html/portal/html_portal_element.cc

@@ -189,10 +189,13 @@ void HTMLPortalElement::Navigate() {
   if (!CheckWithinFrameLimitOrWarn())
     return;
 
-  if (portal_) {
-    portal_->Navigate(GetNonEmptyURLAttribute(html_names::kSrcAttr),
-                      ReferrerPolicyAttribute());
-  }
+  auto url = GetNonEmptyURLAttribute(html_names::kSrcAttr);
+
+  if (url.PotentiallyDanglingMarkup())
+    return;
+
+  if (portal_)
+    portal_->Navigate(url, ReferrerPolicyAttribute());
 }
 
 namespace {

third_party/blink/web_tests/wpt_internal/portals/portals-dangling-markup.sub.html

+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+function addPortal(url) {
+  var portal = document.createElement('portal');
+  portal.src = url;
+  document.body.appendChild(portal);
+}
+</script>
+<body>
+  <script>addPortal('resources/report.py?op=report&id={{$id1:uuid()}}')</script>
+  <script async defer src="resources/checkReport.sub.js?&testName=RegularURLOK&id={{$id1}}&expect=url"></script>
+  <script>addPortal('resources/report.py?op=report&id={{$id2:uuid()}}\t<')</script>
+  <script async defer src="resources/checkReport.sub.js?testName=DanglingMarkupError&id={{$id2}}&expect=error"></script>
+</body>

third_party/blink/web_tests/wpt_internal/portals/resources/checkReport.sub.js

+(function () {
+  var id = "{{GET[id]}}";
+  var expect = "{{GET[expect]}}";
+  var testName = "{{GET[testName]}}";
+  var reportLocation = "resources/report.py?op=retrieve&id=" + id;
+
+  var reportTest = async_test(testName);
+  reportTest.step(function () {
+
+    var report = new XMLHttpRequest();
+    report.onload = reportTest.step_func(function () {
+
+        var data = JSON.parse(report.responseText);
+
+        if (data.error) {
+          assert_equals("error", expect, data.error);
+        } else if (data.url) {
+          assert_equals("url", expect, data.url);
+        }
+
+        reportTest.done();
+    });
+
+    report.open("GET", reportLocation, true);
+    report.send();
+  });
+})();

third_party/blink/web_tests/wpt_internal/portals/resources/report.py

+import time
+import json
+
+
+def main(request, response):
+    op = request.GET.first("op")
+    id = request.GET.first("id")
+    timeout = 1.0
+
+    if op == "retrieve":
+        t0 = time.time()
+        while time.time() - t0 < timeout:
+            time.sleep(0.1)
+            with request.server.stash.lock:
+                value = request.server.stash.take(key=id)
+            if value is not None:
+                return [("Content-Type", "application/json")], value
+        return [("Content-Type", "application/json")], json.dumps({'error': 'No such report.', 'id': id})
+
+    # save report
+    with request.server.stash.lock:
+        request.server.stash.take(key=id)
+        request.server.stash.put(key=id, value=json.dumps({'url': request.url}))
+
+    # return acknowledgement report
+    return [("Content-Type", "text/plain")], "Recorded report " + id