Some code uses hasTagName() and some hasLocalName() when walking around the stack of open elements. This has caused several bugs (often security bugs, see e.g. bug 112487). The proposed solution is to always compare with namespaces (unless otherwise specified). This has been filed as a bug against the parser spec at https://www.w3.org/Bugs/Public/show_bug.cgi?id=21308.
Created attachment 196023 [details] Work in progress
I assume this fixes observable problems. Can we come up with test cases to show them?
(In reply to comment #2)
> I assume this fixes observable problems. Can we come up with test cases to show them?

Yeah, missing test cases is the main reason this is a work in progress. So far we've run into this a couple of times and played whack-a-mole. See bug 110808 for another such example.
Created attachment 196034 [details] WIP with a test
Added the same test (slightly modified to work correctly) from the w3.org bug. It's a little bit of a weird one, but that's the nature of the beast. The basic idea is that the new behavior causes the </td> to match the HTML <td> instead of the SVG <td>, and then the text node gets foster-parented up to <body>.
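The difference between the two comparison styles, as an added example that is not part of the original thread or WebKit's code. It models the "has an element in table scope" walk over a constructed stack of open elements and goes slightly beyond the `</td>` case by also showing a foreign `<table>` being mistaken for a scope boundary. `Element`, `Ns`, `findInTableScope` and both stacks are hypothetical names made up for illustration.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for an entry on the stack of open elements
// (hypothetical types, not WebKit's classes).
enum class Ns { HTML, SVG };
struct Element { Ns ns; std::string localName; };
using Stack = std::vector<Element>;

// Constructed stacks, bottom to top. Indices 0..5 are HTML elements.
static const Stack kSvgTdOnTop = {
    {Ns::HTML, "html"}, {Ns::HTML, "body"}, {Ns::HTML, "table"}, {Ns::HTML, "tbody"},
    {Ns::HTML, "tr"}, {Ns::HTML, "td"}, {Ns::SVG, "svg"}, {Ns::SVG, "td"}};
static const Stack kSvgTableOnTop = {
    {Ns::HTML, "html"}, {Ns::HTML, "body"}, {Ns::HTML, "table"}, {Ns::HTML, "tbody"},
    {Ns::HTML, "tr"}, {Ns::HTML, "td"}, {Ns::SVG, "svg"}, {Ns::SVG, "table"}};

// Local-name-only comparison: an element in any namespace matches.
bool matchesLocalName(const Element& e, const std::string& name) {
    return e.localName == name;
}
// Namespace-aware comparison: only an HTML element with that name matches.
bool matchesHTMLTag(const Element& e, const std::string& name) {
    return e.ns == Ns::HTML && e.localName == name;
}
using Matcher = bool (*)(const Element&, const std::string&);

// Walk down from the top of the stack. Returns the index of the element an
// end tag `name` would match, or -1 if a table-scope boundary
// (html, table, template) is reached first.
int findInTableScope(const Stack& stack, const std::string& name, Matcher matches) {
    for (int i = static_cast<int>(stack.size()) - 1; i >= 0; --i) {
        if (matches(stack[i], name)) return i;
        for (const char* marker : {"html", "table", "template"})
            if (matches(stack[i], marker)) return -1;
    }
    return -1;
}

int main() {
    // Local-name matching picks the SVG <td>; namespace matching picks the HTML <td>.
    std::cout << findInTableScope(kSvgTdOnTop, "td", matchesLocalName) << ' '
              << findInTableScope(kSvgTdOnTop, "td", matchesHTMLTag) << '\n';
    // Local-name matching treats the SVG <table> as a scope boundary.
    std::cout << findInTableScope(kSvgTableOnTop, "td", matchesLocalName) << ' '
              << findInTableScope(kSvgTableOnTop, "td", matchesHTMLTag) << '\n';
}
```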
Comment on attachment 196034 [details] WIP with a test

Looks great.

Comment on attachment 196034 [details] WIP with a test

Clearing flags on attachment: 196034

Committed r147441: <http://trac.webkit.org/changeset/147441>
All reviewed patches have been landed. Closing bug.