Bug 88685

Summary: REGRESSION(r106388): Form hidden element values being restored incorrectly for dynamically generated content
Product: WebKit Reporter: Darth <priyajeet.hora>
Component: FormsAssignee: Kent Tamura <tkent>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, jonlee, morrita, priyajeet.hora, tkent, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 89539    
Bug Blocks: 23346    
Attachments:
Description Flags
testcase
none
form submit action file
none
Patch none

Description Darth 2012-06-08 13:40:34 PDT
Created attachment 146641 [details]
testcase

Upstream bug: http://code.google.com/p/chromium/issues/detail?id=131645
As mentioned in the above bug, regression likely caused by http://trac.webkit.org/changeset/106388

Copying from the above bug:

index.html (attached):

<html>
<body>
<form method="POST" action="index2.html" >
<input type="hidden" id="one" name="one" value="one" />
<input type="submit" value="submit" />
</form>
</body>
</html>


index2.html (attached):

just an empty file, does nothing.



Steps:

1] Open index.html in the browser, inspect the form and you will see the above structure.
2] Submit the form and remain on this index2 page.
3] In an editor, edit the index.html file as follows to simulate a server side change of dynamic content

<html>
<body>
<form method="POST" action="index2.html" >
<input type="hidden" id="one" name="one" value="two" />
<input type="submit" value="submit" />
</form>
</body>
</html>

Notice how I re-used the name and id, but the value is changed by the server

4] Press the browser back button
5] inspect the form again in web inspector as well as the response in the network tab


What is the expected result?

<input type="hidden" id="one" name="one" value="two" />


What happens instead?

<input type="hidden" id="one" name="one" value="one" />

6] Try the same in Chrome 18 or with autocomplete=off in the form and it works as expected
Comment 1 Darth 2012-06-08 13:41:34 PDT
Created attachment 146643 [details]
form submit action file
Comment 2 Kent Tamura 2012-06-20 21:59:29 PDT
https://bugs.webkit.org/show_bug.cgi?id=77391#c13
> I think the second one (saving hidden values updated after HTMLInputElement::finishParsingChildren()) is the safest for Bug 88685.
Comment 3 Kent Tamura 2012-06-20 22:03:33 PDT
Created attachment 148728 [details]
Patch
Comment 4 Hajime Morrita 2012-06-28 22:34:53 PDT
Comment on attachment 148728 [details]
Patch

Why is this only for hidden?
Comment 5 Kent Tamura 2012-06-28 22:40:28 PDT
(In reply to comment #4)
> Why is this only for hidden?

We can detect whether the value is updated or not for other types because the current value is separately stored in other types. However the hidden type doesn't have such separated value.

http://www.whatwg.org/specs/web-apps/current-work/multipage/common-input-element-attributes.html#dom-input-value-value
Many types behave as "value" mode, and the hidden type behaves as "default".
Comment 6 WebKit Review Bot 2012-06-28 23:12:38 PDT
Comment on attachment 148728 [details]
Patch

Clearing flags on attachment: 148728

Committed r121519: <http://trac.webkit.org/changeset/121519>
Comment 7 WebKit Review Bot 2012-06-28 23:12:43 PDT
All reviewed patches have been landed.  Closing bug.