Bug 113723 - HTML parser should consistently inspect the namespace of elements on the stack of open elements
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Adam Klein
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-01 14:22 PDT by Adam Klein
Modified: 2013-04-02 09:13 PDT (History)
CC: 6 users

See Also:


Attachments
Work in progress (13.76 KB, patch)
2013-04-01 14:28 PDT, Adam Klein
WIP with a test (17.46 KB, patch)
2013-04-01 16:14 PDT, Adam Klein

Description Adam Klein 2013-04-01 14:22:28 PDT
Some code uses hasTagName() and some hasLocalName() when walking around the stack of open elements. This has caused several bugs (often security bugs, see e.g. bug 112487). The proposed solution is to always compare with namespaces (unless otherwise specified).

This has been filed as a bug against the parser spec at https://www.w3.org/Bugs/Public/show_bug.cgi?id=21308.
Comment 1 Adam Klein 2013-04-01 14:28:30 PDT
Created attachment 196023 [details]
Work in progress
Comment 2 Darin Adler 2013-04-01 15:02:34 PDT
I assume this fixes observable problems. Can we come up with test cases to show them?
Comment 3 Adam Klein 2013-04-01 15:09:01 PDT
(In reply to comment #2)
> I assume this fixes observable problems. Can we come up with test cases to show them?

Yeah, missing test cases is the main reason this is a work in progress. So far we've run into this a couple of times and played whack-a-mole. See bug 110808 for another such example.
Comment 4 Adam Klein 2013-04-01 16:14:51 PDT
Created attachment 196034 [details]
WIP with a test
Comment 5 Adam Klein 2013-04-01 16:17:01 PDT
Added the same test (slightly modified to work correctly) from the w3.org bug. It's a little bit of a weird one, but that's the nature of the beast. The basic idea is that the new behavior causes the </td> to match the HTML <td> instead of the SVG <td>, and then the text node gets foster-parented up to <body>.
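The following is an added illustration of the bug class described in the report and in comment 5; it is not WebKit code and not the test that was committed. It models the stack of open elements as the tree builder would hold it at the moment it sees `</td>` while parsing the constructed input `<table><tr><td><svg><td><foreignObject><div>x` (this input, the stack shape and the helper names are assumptions made for the example), then closes the cell twice: once matching by local name only (the `hasLocalName()` style) and once matching local name plus namespace (the `hasTagName()` style). The local-name match stops at the SVG `td`, leaving `<svg>` as the current node so the following text lands inside the SVG subtree; the namespace-aware match pops through to the HTML `td`, leaving `<tr>` current so the text is foster-parented into `<body>`.

```javascript
"use strict";

// Added example (not WebKit code): a toy "stack of open elements" showing why
// end-tag matching must look at the namespace, not just the local name.
const HTML_NS = "http://www.w3.org/1999/xhtml";
const SVG_NS = "http://www.w3.org/2000/svg";

// Constructed stack, bottom first, as the parser would have it when it reads
// "</td>" in <table><tr><td><svg><td><foreignObject><div>x. The HTML <div>
// inside <foreignObject> (an HTML integration point) is the current node, so
// the end tag is handled by the "in cell" rules rather than foreign-content rules.
function openElementsAtEndTag() {
  return [
    { localName: "html", namespaceURI: HTML_NS },
    { localName: "body", namespaceURI: HTML_NS },
    { localName: "table", namespaceURI: HTML_NS },
    { localName: "tbody", namespaceURI: HTML_NS },
    { localName: "tr", namespaceURI: HTML_NS },
    { localName: "td", namespaceURI: HTML_NS },
    { localName: "svg", namespaceURI: SVG_NS },
    { localName: "td", namespaceURI: SVG_NS },
    { localName: "foreignObject", namespaceURI: SVG_NS },
    { localName: "div", namespaceURI: HTML_NS },
  ];
}

// The two comparison styles the report contrasts.
function hasLocalName(el, name) {
  return el.localName === name;
}
function hasTagName(el, name, ns) {
  return el.localName === name && el.namespaceURI === ns;
}

// "Has a td element in table scope": walk from the top of the stack down,
// stopping at the table-scope boundary. Returns the element that matched.
function tdInTableScope(stack, matches) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const el = stack[i];
    if (matches(el)) return el;
    if (hasTagName(el, "table", HTML_NS) || hasTagName(el, "html", HTML_NS)) return null;
  }
  return null;
}

// "In cell" handling of </td>: pop elements until a td has been popped.
// `matches` decides what counts as a td; that choice is the whole bug.
function closeCell(stack, matches) {
  const popped = [];
  while (stack.length) {
    const el = stack.pop();
    popped.push(el);
    if (matches(el)) break;
  }
  return popped;
}

// Where the next character token is inserted once the cell is closed. With an
// HTML <tr> current, the "in table" rules foster-parent non-whitespace text
// (into <body> here); with a foreign current node the text is appended to it.
function destinationForText(stack) {
  const current = stack[stack.length - 1];
  if (current.namespaceURI !== HTML_NS) return `${current.localName} (foreign content)`;
  return "body (foster-parented)";
}

// policy: "localName" (buggy) or "namespaceAware" (fixed).
function simulate(policy) {
  const stack = openElementsAtEndTag();
  const matches = policy === "localName"
    ? (el) => hasLocalName(el, "td")
    : (el) => hasTagName(el, "td", HTML_NS);
  const scopeMatch = tdInTableScope(stack, matches);
  if (!scopeMatch) return { ignored: true };
  const popped = closeCell(stack, matches);
  return {
    ignored: false,
    scopeMatchNamespace: scopeMatch.namespaceURI,
    poppedCount: popped.length,
    currentNode: stack[stack.length - 1].localName,
    textGoesTo: destinationForText(stack),
  };
}

module.exports = { simulate, closeCell, tdInTableScope, hasLocalName, hasTagName, HTML_NS, SVG_NS };
```

Run it with `node` and compare `simulate("localName")` against `simulate("namespaceAware")`: the first pops three elements and stops with `svg` as the current node, the second pops five and ends at `tr`, which is the difference in tree shape that a test of this bug has to observe.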
Comment 6 Adam Barth 2013-04-01 19:05:32 PDT
Comment on attachment 196034 [details]
WIP with a test

Looks great.
Comment 7 WebKit Review Bot 2013-04-02 09:13:04 PDT
Comment on attachment 196034 [details]
WIP with a test

Clearing flags on attachment: 196034

Committed r147441: <http://trac.webkit.org/changeset/147441>
Comment 8 WebKit Review Bot 2013-04-02 09:13:07 PDT
All reviewed patches have been landed. Closing bug.