Restore 100,000 limit in HTMLOptionsCollection.length setter

https://bugs.webkit.org/show_bug.cgi?id=252983

Reviewed by Chris Dumez.

This patch is to align WebKit with Blink / Chromium and Gecko / Firefox.

Merge - https://chromium.googlesource.com/chromium/src/+/f27e6ea87ecf211c8b8644813422a9e7f19cd1cc

This patch updates 'maxSelectItems' to new value of 100,000
to reflect update in spec.
Further, it is updated to be only used when new length is
greater than current length.
Additionally, add comments to reflect the details as needed.

Web-Spec: https://html.spec.whatwg.org/#dom-htmloptionscollection-length
Issue: whatwg/html#8337

* Source/WebCore/html/HTMLSelectElement.cpp:
(maxSelectItems): Update constant value
(HTMLSelectElement::setItem): Remove '=' and update comments and console message
(HTMLSelectElement::setLength): Add comment and update console message
* LayoutTests/imported/w3c/web-platform-tests/html/select/options-length-too-large.html: Add Test Case
* LayoutTests/imported/w3c/web-platform-tests/html/select/options-length-too-large-expected.txt: Add Test Case Expectation
* LayoutTests/fast/forms/select-max-length-expected.txt: Rebaselined
* LayoutTests/fast/dom/HTMLSelectElement/select-selectedIndex-multiple-expected.txt: Rebaselined
* LayoutTests/fast/dom/HTMLSelectElement/select-selectedIndex-expected.txt: Rebaselined

Canonical link: https://commits.webkit.org/260896@main

LayoutTests/fast/dom/HTMLSelectElement/select-selectedIndex-expected.txt

@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Blocked attempt to expand the option list to 4294967295 items. The maximum number of items allowed is 10000.
+CONSOLE MESSAGE: Unable to expand the option list to length 4294967295 items. The maximum number of items allowed is 100000.
 
 1) setting length to a negative length
 PASS mySelect.options.length is 2

LayoutTests/fast/dom/HTMLSelectElement/select-selectedIndex-multiple-expected.txt

@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Blocked attempt to expand the option list to 4294967295 items. The maximum number of items allowed is 10000.
+CONSOLE MESSAGE: Unable to expand the option list to length 4294967295 items. The maximum number of items allowed is 100000.
 
 1) setting length to a negative length
 PASS mySelect.options.length is 2

LayoutTests/fast/forms/select-max-length-expected.txt

@@ -1,6 +1,6 @@
-CONSOLE MESSAGE: Blocked attempt to expand the option list to 100001 items. The maximum number of items allowed is 10000.
-CONSOLE MESSAGE: Blocked attempt to expand the option list and set an option at index. The maximum list length is 10000.
-CONSOLE MESSAGE: Blocked attempt to expand the option list and set an option at index. The maximum list length is 10000.
+CONSOLE MESSAGE: Unable to expand the option list to length 100001 items. The maximum number of items allowed is 100000.
+CONSOLE MESSAGE: Unable to expand the option list and set an option at index. The maximum list length is 100000.
+CONSOLE MESSAGE: Unable to expand the option list and set an option at index. The maximum list length is 100000.
 This test that setting HTMLSelectElement.length is capped to 100,000, and you can't add additional Option elements too.
 
 PASS sel.length is 0

LayoutTests/imported/w3c/web-platform-tests/html/select/options-length-too-large-expected.txt

@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Unable to expand the option list to length 4294967295 items. The maximum number of items allowed is 100000.
+CONSOLE MESSAGE: Unable to expand the option list to length 100001 items. The maximum number of items allowed is 100000.
+CONSOLE MESSAGE: Unable to expand the option list to length 4294967295 items. The maximum number of items allowed is 100000.
+
+
+PASS select options.length too large
+PASS select options.length too large 1
+PASS select options.length too large 2
+PASS select options.length too large 3
+PASS select options.length too large 4
+

LayoutTests/imported/w3c/web-platform-tests/html/select/options-length-too-large.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <title>select options.length too large</title>
+
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <select id="test">
+      <option value="1"></option>
+      <option value="2"></option>
+      <option value="3"></option>
+    </select>
+
+    <script>
+    var mySelect = document.getElementById("test");
+
+    test(function() {
+        mySelect.options.length = -1;
+        assert_equals(mySelect.options.length, 3, "Length of <select> should remain unchanged");
+    });
+
+    test(function() {
+        mySelect.options.length = 100001;
+        assert_equals(mySelect.options.length, 3, "Length of <select> should remain unchanged");
+    });
+
+    test(function() {
+        mySelect.options.length = Number.MAX_SAFE_INTEGER;
+        assert_equals(mySelect.options.length, 3, "Length of <select> should remain unchanged");
+    });
+
+    test(function() {
+        mySelect.options.length = 100000;
+        assert_equals(mySelect.options.length, 100000, "Length of <select> should be 100,000");
+    });
+
+    test(function() {
+        mySelect.appendChild(new Option());
+        mySelect.appendChild(new Option());
+        assert_equals(mySelect.options.length, 100002, "Manual expansion still works");
+        mySelect.options.length = 100001;
+        assert_equals(mySelect.options.length, 100001, "Truncation works if over the limit");
+    });
+    </script>
+  </body>
+</html>

Source/WebCore/html/HTMLSelectElement.cpp

@@ -66,8 +66,8 @@ using namespace WTF::Unicode;
 
 using namespace HTMLNames;
 
-// Upper limit agreed upon with representatives of Opera and Mozilla.
-static const unsigned maxSelectItems = 10000;
+// https://html.spec.whatwg.org/#dom-htmloptionscollection-length
+static constexpr unsigned maxSelectItems = 100000;
 
 HTMLSelectElement::HTMLSelectElement(const QualifiedName& tagName, Document& document, HTMLFormElement* form)
     : HTMLFormControlElement(tagName, document, form)
@@ -466,8 +466,9 @@ ExceptionOr<void> HTMLSelectElement::setItem(unsigned index, HTMLOptionElement*
         return { };
     }
 
-    if (index >= length() && index >= maxSelectItems) {
-        document().addConsoleMessage(MessageSource::Other, MessageLevel::Warning, makeString("Blocked attempt to expand the option list and set an option at index. The maximum list length is ", maxSelectItems, '.'));
+    // If we are adding options, we should check 'index > maxSelectItems' first to avoid integer overflow.
+    if (index > length() && index >= maxSelectItems) {
+        document().addConsoleMessage(MessageSource::Other, MessageLevel::Warning, makeString("Unable to expand the option list and set an option at index. The maximum list length is ", maxSelectItems, '.'));
         return { };
     }
 
@@ -498,8 +499,9 @@ ExceptionOr<void> HTMLSelectElement::setItem(unsigned index, HTMLOptionElement*
 
 ExceptionOr<void> HTMLSelectElement::setLength(unsigned newLength)
 {
+    // If we are adding options, we should check 'index > maxSelectItems' first to avoid integer overflow.
     if (newLength > length() && newLength > maxSelectItems) {
-        document().addConsoleMessage(MessageSource::Other, MessageLevel::Warning, makeString("Blocked attempt to expand the option list to ", newLength, " items. The maximum number of items allowed is ", maxSelectItems, '.'));
+        document().addConsoleMessage(MessageSource::Other, MessageLevel::Warning, makeString("Unable to expand the option list to length ", newLength, " items. The maximum number of items allowed is ", maxSelectItems, '.'));
         return { };
     }