Bug 15455 - XML parser modifies the document when using foo.innerHtml = "some string"
Summary: XML parser modifies the document when using foo.innerHtml = "some string"
Status: RESOLVED DUPLICATE of bug 15456
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 523.x (Safari 3)
Hardware: Other OS X 10.4
Importance: P2 Normal
Assignee: Nobody
Reported: 2007-10-10 14:07 PDT by Lars Knoll
Modified: 2007-10-11 00:54 PDT
Description Lars Knoll 2007-10-10 14:07:41 PDT
The XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHtml, maybe other places as well).

While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHtml is used from within the onload handler.
Comment 1 Alexey Proskuryakov 2007-10-11 00:54:07 PDT

*** This bug has been marked as a duplicate of 15456 ***