Bug 33920

Summary: dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHTML documents
Product: WebKit Reporter: Matt Perry <mpcomplete>
Component: Layout and Rendering Assignee: Matt Perry <mpcomplete>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, eric, hyatt, pfeldman, timothy
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
small patch with tests none

Matt Perry
Reported 2010-01-20 14:54:33 PST
Repro:
1. Visit an XHTML page, eg http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL: javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user script contains javascript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable seems to do the trick. It will just take me a bit to write a suitable test.
Attachments
small patch with tests (4.92 KB, patch)
2010-01-25 17:37 PST, Matt Perry
no flags
Matt Perry
Comment 1 2010-01-25 17:37:37 PST
Created attachment 47378 [details] small patch with tests
Darin Adler
Comment 2 2010-01-25 17:44:03 PST
Comment on attachment 47378 [details] small patch with tests

Why does the test case need to be in userscripts? Can't this be tested with a normal script-tests test?
Matt Perry
Comment 3 2010-01-25 17:54:41 PST
(In reply to comment #2)
> (From update of attachment 47378 [details])
> Why does the test case need to be in userscripts? Can't this be tested with a
> normal script-tests test?

It doesn't look like it. I think the only side effect of calling dispatchDocumentElementAvailable is that user scripts are injected.
Eric Seidel (no email)
Comment 4 2010-01-26 14:07:06 PST
Comment on attachment 47378 [details] small patch with tests

LGTM.
WebKit Commit Bot
Comment 5 2010-01-27 03:44:01 PST
Comment on attachment 47378 [details] small patch with tests

Clearing flags on attachment: 47378

Committed r53917: <http://trac.webkit.org/changeset/53917>
WebKit Commit Bot
Comment 6 2010-01-27 03:44:08 PST
All reviewed patches have been landed. Closing bug.
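Added example, not part of the bug thread and not WebKit source: a simplified C++ model of the re-entrancy described in the report, showing how a user script that assigns innerHTML re-triggers its own injection, and how the "!m_parsingFragment" check stops it. Only dispatchDocumentElementAvailable, startElementNs and m_parsingFragment come from the report; Loader, Tokenizer, guardEnabled, sawRoot, simulate and the depth cap are assumptions made for illustration.

```cpp
#include <functional>
#include <iostream>
#include <string>

// Simplified model, not WebKit code. Loader stands in for whatever injects
// user scripts when the document element becomes available (assumed shape).
struct Loader {
    int injections = 0;                 // how many times user scripts ran
    std::function<void()> userScript;   // body of the injected user script
    void dispatchDocumentElementAvailable() {
        ++injections;
        if (userScript) userScript();
    }
};

struct Tokenizer {
    Loader& loader;
    bool m_parsingFragment;  // true for innerHTML-style fragment parsing
    bool guardEnabled;       // false models the behaviour before the fix
    bool sawRoot;            // assumption: only the first start tag notifies

    void startElementNs(const std::string&) {
        if (sawRoot) return;
        sawRoot = true;
        if (guardEnabled && m_parsingFragment) return;  // the added check
        loader.dispatchDocumentElementAvailable();
    }
};

// Parses a document whose user script does what repro step 3 does.
// Returns the injection count; maxDepth only keeps the unfixed case finite.
int simulate(bool guardEnabled, int maxDepth = 8) {
    Loader loader;
    int depth = 0;
    loader.userScript = [&] {
        if (++depth > maxDepth) return;  // demo cap, not part of the fix
        Tokenizer fragment{loader, true, guardEnabled, false};
        fragment.startElementNs("p");    // div.innerHTML = '<p>hi</p>'
    };
    Tokenizer document{loader, false, guardEnabled, false};
    document.startElementNs("html");
    return loader.injections;
}

int main() {
    std::cout << "without check: " << simulate(false) << " injections\n";
    std::cout << "with check:    " << simulate(true) << " injection\n";
}
```

Without the check the injection count is bounded only by the demo's depth cap; with it, the script is injected once, for the real document element.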