I have pasted the test content below. If this content is present in a .xhtml file, WebKit crashes. (Verified in Safari on Win XP with latest nightly, and in Chrome - it crashes there too.) But if the same content is served in a .html file, it works fine. I am afraid the XHTML content <--> JS bindings have serious issues in WebKit. Here's the test content:
-------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8"/>
<title>Form access </title>
</head>
<body style="background-color:white;border-left:0px;border-top:0px;overflow:hidden;" >
<form name="MyForm" method="POST" action="about:blank">
<input type="hidden" name="name" value=""></input>
</form>
<script type="text/javascript">
document.MyForm.name.value="test";
document.MyForm.setAttribute("action","about:blank");
document.MyForm.submit();
</script>
</body>
</html>
------------------------------------------------------------------
Created attachment 25305 [details] test case as attachment -- did not crash for me
Created attachment 25306 [details] Test content, that crashes the webkit
Hi All,
You are right, Eric. Sorry. I found that on Safari & Chrome, accessing forms as:
document.forms.MyForm.name.value= "something";
causes the crash. But
document.MyForm.name.value= "something";
doesn't crash, but doesn't work either. I see that the 'form submit' action is NOT happening in the .xhtml file. If you change the file name to .html, it works.
Created attachment 25309 [details] Test page: Form Submit action Doesn't work.
Created attachment 25310 [details] HTML: Asserts, may crash
Confirmed with r38590. Marking attachments that do not demonstrate the problem as obsolete. This is not related to "document.MyForm" not being a proper way to access elements in XHTML documents in any way.
<rdar://problem/6388377>
Comment on attachment 25310 [details] HTML: Asserts, may crash
In fact, the HTML version doesn't work right either - an assertion fails in debug builds, and looking at the code, we have the same problem with using a destroyed object.
Created attachment 28932 [details] some work in progress
Created attachment 28971 [details] more work in progress
Created attachment 29017 [details] more work in progress
Alexey thinks there may be security impact, so moving to the security product.
Created attachment 29047 [details] almost done
This patch is almost ready to go. Here's what remains:
1) A few layout tests are failing. Two of them are failing because our behavior now matches Firefox, tests for a crash when submitting a form from an onunload handler. Not sure how to fix those two. One other is failing because back/forward is working differently. Not sure if it's a regression or progression, and how to fix it if it's a progression.
2) No change log yet.
3) Haven't changed the test case into a regression test yet.
Created attachment 29149 [details] even closer to done
Created attachment 29161 [details] even closer
Created attachment 29178 [details] patch
Comment on attachment 29178 [details] patch
r=me
http://trac.webkit.org/changeset/42158