Summary: | Crash submitting a form when parsing an XHTML document
---|---|---|---
Product: | Security | Reporter: | Raghu <raghavendra.deshpande>
Component: | Security | Assignee: | Darin Adler <darin>
Status: | RESOLVED FIXED
Severity: | Normal | CC: | ap, ddkilzer, mihnea, tibor.pacaj2, yong.li.webkit
Priority: | P1 | Keywords: | HasReduction, InRadar
Version: | 525.x (Nightly build)
Hardware: | All
OS: | All
Bug Depends on: | 24922
Bug Blocks: |
Description
Raghu
2008-11-20 00:35:52 PST
Created attachment 25305 [details]
test case as attachment -- did not crash for me
Created attachment 25306 [details]
Test content, that crashes the webkit
Hi All, You are right Eric. Sorry.. I found that, on Safari & Chrome... accessing forms as: document.forms.MyForm.name.value= "something"; causes the crash... But, document.MyForm.name.value= "something"; doesn't crash, but doesn't work either.
I see that, the 'form submit' action is NOT happening in .xhtml file. If you change the file name to .html, it works.
Created attachment 25309 [details]
Test page: Form Submit action Doesn't work.
Created attachment 25310 [details]
HTML: Asserts, may crash
Confirmed with r38590. Marking attachments that do not demonstrate the problem as obsolete. This is not related to "document.MyForm" not being a proper way to access elements in XHTML documents in any way.
Comment on attachment 25310 [details]
HTML: Asserts, may crash
In fact, the HTML version doesn't work right either - an assertion fails in debug builds, and looking at the code, we have the same problem with using a destroyed object.
Created attachment 28932 [details]
some work in progress
Created attachment 28971 [details]
more work in progress
Created attachment 29017 [details]
more work in progress
Alexey thinks there may be security impact, so moving to the security product.
Created attachment 29047 [details]
almost done
This patch is almost ready to go.
Here's what remains:
1) A few layout tests are failing. Two of them are failing because our behavior now matches Firefox, tests for a crash when submitting a form from an onunload handler. Not sure how to fix those two. One other is failing because back/forward is working differently. Not sure if it's a regression or progression, and how to fix it if it's a progression.
2) No change log yet.
3) Haven't changed the test case into a regression test yet.
Created attachment 29149 [details]
even closer to done
Created attachment 29161 [details]
even closer
Created attachment 29178 [details]
patch
Comment on attachment 29178 [details]
patch
r=me