Bug 239070 - Constructed FormData object should not contain an entry for the submit button that was used to submit the form
Summary: Constructed FormData object should not contain an entry for the submit button...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: zsun
URL:
Keywords: InRadar
: 234069 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-04-11 08:23 PDT by zsun
Modified: 2024-05-15 15:52 PDT (History)
12 users (show)

See Also:

Attachments
Patch (12.43 KB, patch)
2022-04-11 08:41 PDT, zsun 		no flags Details | Formatted Diff | Diff
Patch (10.55 KB, patch)
2022-04-13 02:46 PDT, zsun 		no flags Details | Formatted Diff | Diff
Patch (10.53 KB, patch)
2022-04-14 01:58 PDT, zsun 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (10.53 KB, patch)
2022-04-14 03:05 PDT, zsun 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (12.32 KB, patch)
2022-04-14 04:42 PDT, zsun 		no flags Details | Formatted Diff | Diff
Patch (12.22 KB, patch)
2022-04-25 02:54 PDT, zsun 		no flags Details | Formatted Diff | Diff
Patch (12.22 KB, patch)
2022-04-25 06:43 PDT, zsun 		no flags Details | Formatted Diff | Diff
Patch (12.23 KB, patch)
2022-04-25 09:32 PDT, zsun 		no flags Details | Formatted Diff | Diff
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description zsun 2022-04-11 08:23:53 PDT 
submit() in submit event handler should not contains a value of a submit button.
Comment 1 zsun 2022-04-11 08:41:07 PDT 
Created attachment 457255 [details]
Patch
Comment 2 Darin Adler 2022-04-11 08:50:29 PDT 
Comment on attachment 457255 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=457255&action=review

> Source/WebCore/loader/FormSubmission.cpp:174
> -    RefPtr submitter = overrideSubmitter ? overrideSubmitter : form.findSubmitter(event);
> +    HTMLFormControlElement* submitter = overrideSubmitter ? overrideSubmitter : form.findSubmitter(event);

This does not seem like a good change. Why not use RefPtr for this local variable?
Comment 3 zsun 2022-04-13 02:46:03 PDT 
Created attachment 457519 [details]
Patch
Comment 4 Chris Dumez 2022-04-13 07:36:49 PDT 
Comment on attachment 457519 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=457519&action=review

> Source/WebCore/html/HTMLFormElement.cpp:422
> +            if (element->form() == this && is<HTMLFormControlElement>(element)) {

Is the form check really useful? Doesn't a form associated element have this form as form by definition?

> Source/WebCore/html/HTMLFormElement.cpp:423
> +                HTMLFormControlElement& control = downcast<HTMLFormControlElement>(element.get());

auto&

> Source/WebCore/html/HTMLFormElement.cpp:432
>      auto firstSuccessfulSubmitButton = findSubmitButton(submitter, activateSubmitButton);

This looks unused now? or am I missing something?

> Source/WebCore/html/HTMLFormElement.cpp:1027
> +RefPtr<DOMFormData> HTMLFormElement::constructEntryList(HTMLFormControlElement* submitter, Ref<DOMFormData>&& domFormData, StringPairVector* formValues)

I would feel better if the submitter parameter was a RefPtr<>&&, given that you use it at the beginning of the function, then again at the end while running script in between.
I am particularly worried the submitter could get destroyed while running this function.

> Source/WebCore/loader/FormSubmission.cpp:215
> +    auto result = form.constructEntryList(submitter.get(), WTFMove(domFormData), &formValues);

submitter.copyRef()
Comment 5 zsun 2022-04-14 01:58:36 PDT 
Created attachment 457604 [details]
Patch
Comment 6 zsun 2022-04-14 03:05:54 PDT 
Created attachment 457608 [details]
Patch
Comment 7 zsun 2022-04-14 04:42:04 PDT 
Created attachment 457610 [details]
Patch
Comment 8 Chris Dumez 2022-04-14 07:23:22 PDT 
Comment on attachment 457610 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=457610&action=review

r=me with improvement suggestion.

> Source/WebCore/html/HTMLFormElement.cpp:422
> +            if (is<HTMLFormControlElement>(element)) {

if (auto* control = dynamicDowncast<HTMLFormControlElement>(element); control.isSuccessfulSubmitButton()) {
     submitter = control;
     break;
}
Comment 9 Radar WebKit Bug Importer 2022-04-18 08:24:13 PDT 
<rdar://problem/91892715>
Comment 10 zsun 2022-04-25 02:54:34 PDT 
Created attachment 458255 [details]
Patch
Comment 11 zsun 2022-04-25 02:56:02 PDT 
(In reply to Chris Dumez from comment #8)
> Comment on attachment 457610 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=457610&action=review
> 
> r=me with improvement suggestion.
> 
> > Source/WebCore/html/HTMLFormElement.cpp:422
> > +            if (is<HTMLFormControlElement>(element)) {
> 
> if (auto* control = dynamicDowncast<HTMLFormControlElement>(element);
> control.isSuccessfulSubmitButton()) {
>      submitter = control;
>      break;
> }

Thanks for the review! I updated the lines but not exactly as you suggested. Please take another look.
Comment 12 Tim Nguyen (:ntim) 2022-04-25 06:09:10 PDT 
Comment on attachment 458255 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458255&action=review

> Source/WebCore/html/HTMLFormElement.cpp:422
> +            if (auto control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) {

auto* control = dynamicDowncast<HTMLFormControlElement>

dynamicDowncast always gives a pointer.

Chris, do we need `[...]; control && control->isSuccessfulSubmitButton()` ? or is `[...]; control->isSuccessfulSubmitButton()` enough?
Comment 13 zsun 2022-04-25 06:43:59 PDT 
Created attachment 458265 [details]
Patch
Comment 14 Chris Dumez 2022-04-25 07:19:49 PDT 
(In reply to Tim Nguyen (:ntim) from comment #12)
> Comment on attachment 458255 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=458255&action=review
> 
> > Source/WebCore/html/HTMLFormElement.cpp:422
> > +            if (auto control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) {
> 
> auto* control = dynamicDowncast<HTMLFormControlElement>
> 
> dynamicDowncast always gives a pointer.
> 
> Chris, do we need `[...]; control && control->isSuccessfulSubmitButton()` ?
> or is `[...]; control->isSuccessfulSubmitButton()` enough?

Definitely `control && control->isSuccessfulSubmitButton()`.
Comment 15 Chris Dumez 2022-04-25 07:20:48 PDT 
Comment on attachment 458265 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458265&action=review

> Source/WebCore/html/HTMLFormElement.cpp:422
> +            if (auto* control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) {

Please add missing control null check.
Comment 16 Darin Adler 2022-04-25 09:13:11 PDT 
Comment on attachment 458265 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458265&action=review

>> Source/WebCore/html/HTMLFormElement.cpp:422
>> +            if (auto* control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) {
> 
> Please add missing control null check.

Maybe it’s obvious, but Chris means:

...; control && control->isSuccessfulSubmitButton()) {
Comment 17 zsun 2022-04-25 09:32:40 PDT 
Created attachment 458279 [details]
Patch
Comment 18 Darin Adler 2022-04-25 09:38:02 PDT 
I see now I just said the same thing Chris had already said!
Comment 19 Tim Nguyen (:ntim) 2022-04-26 11:45:42 PDT 
Is this ready to land? If it is, please set commit-queue+
Comment 20 EWS 2022-04-26 12:32:54 PDT 
Committed r293444 (249999@main): <https://commits.webkit.org/249999@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 458279 [details].
Comment 21 Tim Nguyen (:ntim) 2022-06-01 13:33:39 PDT 
*** Bug 234069 has been marked as a duplicate of this bug. ***