Bug 225044 - HTMLImageElement should have an associated picture element only if inserted as a direct child
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Cameron McCormack (:heycam)
URL:
Keywords: InRadar
Depends on:
Blocks: 222801
Reported: 2021-04-25 21:09 PDT by Cameron McCormack (:heycam)
Modified: 2021-04-27 16:41 PDT

Attachments
Patch (3.94 KB, patch)
2021-04-25 23:09 PDT, Cameron McCormack (:heycam)
Patch (7.89 KB, patch)
2021-04-26 22:11 PDT, Cameron McCormack (:heycam)

Description Cameron McCormack (:heycam) 2021-04-25 21:09:59 PDT
HTMLImageElement::insertedIntoAncestor doesn't check that we're appending the <img> as a direct child of a <picture>, which means that some random other ancestor <picture> could be used instead.
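
The difference between the two lookups, as an added example that is not part of the bug report or WebKit's code: a simplified model of how the choice of associated `<picture>` changes which `<source>` candidates an `<img>` considers. The `TreeNode` class, the function names and the file names are constructed for illustration.

```javascript
// Minimal stand-in for DOM nodes; constructed for this example, not WebKit code.
class TreeNode {
  constructor(tag, attrs = {}) {
    this.tag = tag; this.attrs = attrs; this.parent = null; this.children = [];
  }
  append(...kids) {
    for (const kid of kids) { kid.parent = this; this.children.push(kid); }
    return this;
  }
}

// Lookup described in the report: any ancestor <picture> is accepted.
function pictureByAncestorWalk(img) {
  for (let n = img.parent; n; n = n.parent) {
    if (n.tag === 'picture') return n;
  }
  return null;
}

// Lookup the bug title asks for: only a direct parent counts.
function pictureByDirectParent(img) {
  return img.parent && img.parent.tag === 'picture' ? img.parent : null;
}

// Candidate URLs the image would consider: srcset of the associated picture's
// <source> children (stopping at the img itself), then the img's own src.
function candidates(img, associate) {
  const picture = associate(img);
  const urls = [];
  for (const child of picture ? picture.children : []) {
    if (child === img) break;
    if (child.tag === 'source') urls.push(child.attrs.srcset);
  }
  urls.push(img.attrs.src);
  return urls;
}

// Constructed sample trees (file names are placeholders).
function buildSamples() {
  const direct = new TreeNode('img', { src: 'fallback.png' });
  new TreeNode('picture').append(new TreeNode('source', { srcset: 'wide.png' }), direct);
  const nested = new TreeNode('img', { src: 'fallback.png' });
  new TreeNode('picture').append(new TreeNode('source', { srcset: 'wide.png' }),
                                 new TreeNode('div').append(nested));
  return { direct, nested };
}

const { direct, nested } = buildSamples();
console.log(candidates(nested, pictureByAncestorWalk)); // <img> inside <div> inside <picture>
console.log(candidates(nested, pictureByDirectParent));
console.log(candidates(direct, pictureByDirectParent));
```
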
Comment 1 Cameron McCormack (:heycam) 2021-04-25 23:00:42 PDT
WPT PR that tests this: https://github.com/web-platform-tests/wpt/pull/28680

Forthcoming patch makes that test pass.
Comment 2 Cameron McCormack (:heycam) 2021-04-25 23:09:10 PDT
Created attachment 427022
Patch
Comment 3 Ryosuke Niwa 2021-04-26 21:50:20 PDT
Comment on attachment 427022
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427022&action=review

> Source/WebCore/ChangeLog:8
> +        Tests: https://github.com/web-platform-tests/wpt/pull/28680

Please update the imported test now that it has been merged upstream.

> Source/WebCore/html/parser/HTMLConstructionSite.cpp:702
>      if (is<HTMLPictureElement>(currentNode()) && is<HTMLImageElement>(*element))
>          downcast<HTMLImageElement>(*element).setPictureElement(&downcast<HTMLPictureElement>(currentNode()));

This is crazy. How is this code even needed?
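
Review bot: at HTMLConstructionSite.cpp:702 the parser sets the `<img>`'s picture element itself, keyed on `currentNode()`, so the association has a second source besides `HTMLImageElement::insertedIntoAncestor` and the two must agree on the direct-child rule this bug is about. If the parser call has to stay, add a comment saying why the association is needed at this point; otherwise remove it so that `insertedIntoAncestor` is the only place that sets it.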
Comment 4 Cameron McCormack (:heycam) 2021-04-26 22:11:48 PDT
Created attachment 427118
Patch
Comment 5 EWS Watchlist 2021-04-26 22:12:45 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 6 EWS 2021-04-27 16:40:26 PDT
Committed r276679 (237096@main): <https://commits.webkit.org/237096@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427118.
Comment 7 Radar WebKit Bug Importer 2021-04-27 16:41:22 PDT
<rdar://problem/77237671>