Bug 25031

Summary:

Chrome allows elements with names to override collection properties

Product:

WebKit

Reporter:

Dave Moore <davemoore>

Component:

WebKit Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

dglazkov

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

Windows XP

Attachments:

Description	Flags
Fix	dglazkov: review-
Fix	none
Fix	none
Fix	dglazkov: review+

Dave Moore

Reported 2009-04-03 11:05:28 PDT

If you have an HTMLSelectElement and it has an option that happens to be named 'length' you will get this element when accessing the length property, instead of the actual length. This also causes these accesses to be slower than they need to be.

Attachments
Fix (4.82 KB, patch) 2009-04-03 11:09 PDT, Dave Moore	dglazkov: review-	Details Formatted Diff Diff
Fix (5.08 KB, patch) 2009-04-03 12:26 PDT, Dave Moore	no flags	Details Formatted Diff Diff
Fix (6.19 KB, patch) 2009-04-03 13:27 PDT, Dave Moore	no flags	Details Formatted Diff Diff
Fix (5.58 KB, patch) 2009-04-03 14:06 PDT, Dave Moore	dglazkov: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Dave Moore

Comment 1 2009-04-03 11:09:57 PDT

Created attachment 29233 [details] Fix This patch will only effect the chromium build, as it's in the bindings

Dimitri Glazkov (Google)

Comment 2 2009-04-03 11:19:22 PDT

Comment on attachment 29233 [details] Fix Don't forget bug URL in ChangeLog description. > + (WebCore::collectionNamedPropertyGetter): > + (WebCore::nodeCollectionNamedPropertyGetter): It's a good practice to add brief descriptions to each line on what's being done. > + if (!value.IsEmpty()) > + return value; 4 spaces. > + > + // Search local callback properties next to find IDL defined > + // properties. > + if (info.Holder()->HasRealNamedCallbackProperty(name)) > + return v8::Handle<v8::Value>(); 4 spaces. Also, I think this should be return notHandledbyInterceptor(). > + if (!value.IsEmpty()) > + return value; 4 spaces. > + if (info.Holder()->HasRealNamedCallbackProperty(name)) > + return v8::Handle<v8::Value>(); 4 spaces, notHandledByInterceptor() > +2009-04-03 Dave Moore <davemoore@google.com> > + > + Reviewed by NOBODY (OOPS!). Need a good description of what the tests test. > + function test() > + { > + if (window.layoutTestController) > + layoutTestController.dumpAsText(); Is this where we should put attempting to override length? > + > + var sl = document.getElementById("sl"); > + if (sl.length == 1)

Dave Moore

Comment 3 2009-04-03 12:26:22 PDT

Created attachment 29236 [details] Fix

Dave Moore

Comment 4 2009-04-03 13:27:41 PDT

Created attachment 29237 [details] Fix Added a new tests to ensure that JS can override the length property on the HTMLSelectElement

Dave Moore

Comment 5 2009-04-03 14:06:09 PDT

Created attachment 29240 [details] Fix Remove test for JS setting the length property.

Dimitri Glazkov (Google)

Comment 6 2009-04-03 14:07:43 PDT

Comment on attachment 29240 [details] Fix looks good!

Dimitri Glazkov (Google)

Comment 7 2009-04-06 11:01:56 PDT

Landed as http://trac.webkit.org/changeset/42247.

Note You need to log in before you can comment on or make changes to this bug.