15455 2007-10-10 14:07:41 -0700 XML parser modifies the document when using foo.innerHtml = "some string" 2007-10-11 00:54:07 -0700 1 1 1 Unclassified WebKit XML 523.x (Safari 3) Other OS X 10.4 RESOLVED DUPLICATE 15456 P2 Normal --- 1 lars.knoll webkit-unassigned ap oldest_to_newest 58248 0 lars.knoll 2007-10-10 14:07:41 -0700 The XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHtml, maybe other places as well). While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHtml is used form within the onload handler. 58281 1 ap 2007-10-11 00:54:07 -0700 *** This bug has been marked as a duplicate of 15456 ***