Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread ad


Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
3 files changed