WebKit Bugzilla
RESOLVED FIXED
Bug 113723
HTML parser should consistently inspect the namespace of elements on the stack of open elements
https://bugs.webkit.org/show_bug.cgi?id=113723
Adam Klein
Reported
2013-04-01 14:22:28 PDT
Some code uses hasTagName() and some hasLocalName() when walking around the stack of open elements. This has caused several bugs (often security bugs, see e.g. bug 112487). The proposed solution is to always compare with namespaces (unless otherwise specified). This has been filed as a bug against the parser spec at https://www.w3.org/Bugs/Public/show_bug.cgi?id=21308.
Attachments
Work in progress (13.76 KB, patch), 2013-04-01 14:28 PDT, Adam Klein, no flags
WIP with a test (17.46 KB, patch), 2013-04-01 16:14 PDT, Adam Klein, no flags
Adam Klein
Comment 1
2013-04-01 14:28:30 PDT
Created attachment 196023
Work in progress
Darin Adler
Comment 2
2013-04-01 15:02:34 PDT
I assume this fixes observable problems. Can we come up with test cases to show them?
Adam Klein
Comment 3
2013-04-01 15:09:01 PDT
(In reply to comment #2)
> I assume this fixes observable problems. Can we come up with test cases to show them?
Yeah, missing test cases is the main reason this is a work in progress. So far we've run into this a couple of times and played whack-a-mole. See bug 110808 for another such example.
Adam Klein
Comment 4
2013-04-01 16:14:51 PDT
Created attachment 196034
WIP with a test
Adam Klein
Comment 5
2013-04-01 16:17:01 PDT
Added the same test (slightly modified to work correctly) from the w3.org bug. It's a little bit of a weird one, but that's the nature of the beast. The basic idea is that the new behavior causes the </td> to match the HTML <td> instead of the SVG <td>, and then the text node gets foster-parented up to <body>.
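The difference between the two comparison styles discussed in this bug, as an added example that is not taken from the patch or from WebKit's sources. It is a simplified model: the `Element` struct, the `"html"`/`"svg"` namespace labels, the function names and the sample stack are all assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model of an entry on the stack of open elements (hypothetical type).
struct Element {
    std::string ns;         // "html" or "svg": stand-ins for the real namespace URIs
    std::string localName;
};

enum class Match { LocalNameOnly, WithNamespace };

// LocalNameOnly models a hasLocalName()-style check; WithNamespace additionally
// requires the HTML namespace, as the bug proposes for stack walks.
static bool matches(const Element& e, const std::string& name, Match mode) {
    if (e.localName != name) return false;
    return mode == Match::LocalNameOnly || e.ns == "html";
}

// Walk from the current node (back of the vector) toward the root looking for
// `target` in table scope. Returns its index, or -1 if a scope marker
// (<html> or <table>) is reached first or nothing matches.
int findInTableScope(const std::vector<Element>& stack,
                     const std::string& target, Match mode) {
    for (int i = static_cast<int>(stack.size()) - 1; i >= 0; --i) {
        if (matches(stack[i], target, mode)) return i;
        if (matches(stack[i], "html", mode) || matches(stack[i], "table", mode))
            return -1;
    }
    return -1;
}

// Constructed stack (bottom to top): an SVG element whose local name is "td"
// sits above the HTML <td> that an incoming </td> should close.
std::vector<Element> sampleStack() {
    return {{"html", "html"}, {"html", "body"}, {"html", "table"},
            {"html", "tbody"}, {"html", "tr"},  {"html", "td"},
            {"svg", "svg"},    {"svg", "td"}};
}

int main() {
    const auto s = sampleStack();
    std::cout << "local-name only: index "
              << findInTableScope(s, "td", Match::LocalNameOnly) << "\n"
              << "with namespace:  index "
              << findInTableScope(s, "td", Match::WithNamespace) << "\n";
}
```

In this model the local-name-only walk stops at the SVG element, while the namespace-aware walk reaches the HTML `<td>` below it. The same function also shows the marker side of the problem: an SVG element named `table` ends a local-name-only search early.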
Adam Barth
Comment 6
2013-04-01 19:05:32 PDT
Comment on attachment 196034
WIP with a test

Looks great.
WebKit Review Bot
Comment 7
2013-04-02 09:13:04 PDT
Comment on attachment 196034
WIP with a test

Clearing flags on attachment: 196034

Committed r147441: <http://trac.webkit.org/changeset/147441>
WebKit Review Bot
Comment 8
2013-04-02 09:13:07 PDT
All reviewed patches have been landed. Closing bug.