Bug 33920

Summary: dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHTML documents
Product: WebKit
Component: Layout and Rendering
Reporter: Matt Perry <mpcomplete>
Assignee: Matt Perry <mpcomplete>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
CC: commit-queue, eric, hyatt, pfeldman, timothy
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
small patch with tests (Flags: none)

Description Matt Perry 2010-01-20 14:54:33 PST
Repro:
1. Visit an XHTML page, e.g. http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL:
  javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user script contains JavaScript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable seems to do the trick. It will just take me a bit to write a suitable test.
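
The re-entrancy described in this report, as an added example that is not part of the original report and is not WebKit source: a simplified C++ model in which a user script's innerHTML assignment starts a fragment parse that fires dispatchDocumentElementAvailable again. Only startElementNs, m_parsingFragment and dispatchDocumentElementAvailable come from the report; every other name, the "first element only" condition and the cap of 100 are assumptions made for the demo.

```cpp
// Simplified model, not WebKit source. Only startElementNs, m_parsingFragment and
// dispatchDocumentElementAvailable come from the report; other names are hypothetical.
#include <cstdio>
#include <functional>

constexpr int kMaxInjections = 100;  // demo cap standing in for "infinitely"

struct Frame {
    int injections = 0;                // times user scripts were injected
    std::function<void()> userScript;  // body of the injected user script
    void dispatchDocumentElementAvailable() {
        ++injections;
        if (injections < kMaxInjections && userScript)
            userScript();              // injected script runs in the page
    }
};

struct XMLTokenizerModel {
    Frame& frame;
    bool m_parsingFragment;
    bool checkFragment;                // true = with the proposed check
    bool sawElement = false;
    XMLTokenizerModel(Frame& f, bool fragment, bool check)
        : frame(f), m_parsingFragment(fragment), checkFragment(check) {}
    void startElementNs() {
        bool first = !sawElement;      // assumption: fires on the first element only
        sawElement = true;
        if (!first) return;
        if (checkFragment && m_parsingFragment) return;  // the "!m_parsingFragment" check
        frame.dispatchDocumentElementAvailable();
    }
};

// One page load where the user script does div.innerHTML = '<p>hi</p>' (step 3).
int injectionsForPageLoad(bool checkFragment) {
    Frame frame;
    frame.userScript = [&frame, checkFragment] {
        XMLTokenizerModel fragment(frame, true, checkFragment);
        fragment.startElementNs();     // <p> inside the fragment
    };
    XMLTokenizerModel document(frame, false, checkFragment);
    document.startElementNs();         // document element
    document.startElementNs();         // a later element, never dispatches
    return frame.injections;
}

int main() {
    std::printf("without check: %d, with check: %d\n",
                injectionsForPageLoad(false), injectionsForPageLoad(true));
}
```
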
Comment 1 Matt Perry 2010-01-25 17:37:37 PST
Created attachment 47378
small patch with tests
Comment 2 Darin Adler 2010-01-25 17:44:03 PST
Comment on attachment 47378
small patch with tests

Why does the test case need to be in userscripts? Can't this be tested with a normal script-tests test?
Comment 3 Matt Perry 2010-01-25 17:54:41 PST
(In reply to comment #2)
> (From update of attachment 47378)
> Why does the test case need to be in userscripts? Can't this be tested with a
> normal script-tests test?

It doesn't look like it. I think the only side effect of calling dispatchDocumentElementAvailable is that user scripts are injected.
Comment 4 Eric Seidel (no email) 2010-01-26 14:07:06 PST
Comment on attachment 47378
small patch with tests

LGTM.
Comment 5 WebKit Commit Bot 2010-01-27 03:44:01 PST
Comment on attachment 47378
small patch with tests

Clearing flags on attachment: 47378

Committed r53917: <http://trac.webkit.org/changeset/53917>
Comment 6 WebKit Commit Bot 2010-01-27 03:44:08 PST
All reviewed patches have been landed.  Closing bug.