Virtualize <form> field names.

Fixes <https://github.com/google/caja/issues/1371> a.k.a.
<https://code.google.com/p/google-caja/issues/detail?id=1371>, which was
recently found to be an actual problem.

All attributes which act as the name of form fields get a new attribute
type, FORM_FIELD_NAME. The cajoler and Domado virtualize the value of
such attributes by adding a constant suffix.

(Alternatively, we could reuse the idSuffix, but that makes the output
of the cajoler more complex since it is non-constant.)

Form submission is handled by temporarily removing the suffixes. This
unfortunately is dangerous if script execution is interrupted and the
suffixes are not restored, but no guest code runs in the critical
section so it shouldn't be directly exploitable.

[MarkM, 2015-04-19 16:28:16]

LGTM

[kpreid_google, 2015-04-28 20:49:04]

Fixes <https://github.com/google/caja/issues/1371> a.k.a.
<https://code.google.com/p/google-caja/issues/detail?id=1371>, which was
recently found to be an actual problem.

All attributes which act as the name of form fields get a new attribute
type, FORM_FIELD_NAME. The cajoler and Domado virtualize the value of
such attributes by adding a constant suffix.

(Alternatively, we could reuse the idSuffix, but that makes the output
of the cajoler more complex since it is non-constant.)

Form submission is handled by temporarily removing the suffixes. This
unfortunately is dangerous if script execution is interrupted and the
suffixes are not restored, but no guest code runs in the critical
section so it shouldn't be directly exploitable.

[kpreid_google, 2015-04-28 20:51:28]

Turns out we actually do allow submit via .submit(). I misread the code.

This new snapshot temporarily unsuffixes the names during submit. Please review.

[MarkM, 2015-04-28 20:58:59]

LGTM