RESOLVED FIXED Bug 239070
Constructed FormData object should not contain an entry for the submit button that was used to submit the form 
https://bugs.webkit.org/show_bug.cgi?id=239070
Summary Constructed FormData object should not contain an entry for the submit button...
zsun
Reported 2022-04-11 08:23:53 PDT
submit() in submit event handler should not contains a value of a submit button.
Attachments
Patch (12.43 KB, patch)
2022-04-11 08:41 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Patch (10.55 KB, patch)
2022-04-13 02:46 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Patch (10.53 KB, patch)
2022-04-14 01:58 PDT, zsun 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (10.53 KB, patch)
2022-04-14 03:05 PDT, zsun 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (12.32 KB, patch)
2022-04-14 04:42 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Patch (12.22 KB, patch)
2022-04-25 02:54 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Patch (12.22 KB, patch)
2022-04-25 06:43 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Patch (12.23 KB, patch)
2022-04-25 09:32 PDT, zsun 		no flags
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
zsun
Comment 1 2022-04-11 08:41:07 PDT
Created attachment 457255 [details] Patch
Darin Adler
Comment 2 2022-04-11 08:50:29 PDT
Comment on attachment 457255 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=457255&action=review > Source/WebCore/loader/FormSubmission.cpp:174 > - RefPtr submitter = overrideSubmitter ? overrideSubmitter : form.findSubmitter(event); > + HTMLFormControlElement* submitter = overrideSubmitter ? overrideSubmitter : form.findSubmitter(event); This does not seem like a good change. Why not use RefPtr for this local variable?
zsun
Comment 3 2022-04-13 02:46:03 PDT
Created attachment 457519 [details] Patch
Chris Dumez
Comment 4 2022-04-13 07:36:49 PDT
Comment on attachment 457519 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=457519&action=review > Source/WebCore/html/HTMLFormElement.cpp:422 > + if (element->form() == this && is<HTMLFormControlElement>(element)) { Is the form check really useful? Doesn't a form associated element have this form as form by definition? > Source/WebCore/html/HTMLFormElement.cpp:423 > + HTMLFormControlElement& control = downcast<HTMLFormControlElement>(element.get()); auto& > Source/WebCore/html/HTMLFormElement.cpp:432 > auto firstSuccessfulSubmitButton = findSubmitButton(submitter, activateSubmitButton); This looks unused now? or am I missing something? > Source/WebCore/html/HTMLFormElement.cpp:1027 > +RefPtr<DOMFormData> HTMLFormElement::constructEntryList(HTMLFormControlElement* submitter, Ref<DOMFormData>&& domFormData, StringPairVector* formValues) I would feel better if the submitter parameter was a RefPtr<>&&, given that you use it at the beginning of the function, then again at the end while running script in between. I am particularly worried the submitter could get destroyed while running this function. > Source/WebCore/loader/FormSubmission.cpp:215 > + auto result = form.constructEntryList(submitter.get(), WTFMove(domFormData), &formValues); submitter.copyRef()
zsun
Comment 5 2022-04-14 01:58:36 PDT
Created attachment 457604 [details] Patch
zsun
Comment 6 2022-04-14 03:05:54 PDT
Created attachment 457608 [details] Patch
zsun
Comment 7 2022-04-14 04:42:04 PDT
Created attachment 457610 [details] Patch
Chris Dumez
Comment 8 2022-04-14 07:23:22 PDT
Comment on attachment 457610 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=457610&action=review r=me with improvement suggestion. > Source/WebCore/html/HTMLFormElement.cpp:422 > + if (is<HTMLFormControlElement>(element)) { if (auto* control = dynamicDowncast<HTMLFormControlElement>(element); control.isSuccessfulSubmitButton()) { submitter = control; break; }
Radar WebKit Bug Importer
Comment 9 2022-04-18 08:24:13 PDT
<rdar://problem/91892715>
zsun
Comment 10 2022-04-25 02:54:34 PDT
Created attachment 458255 [details] Patch
zsun
Comment 11 2022-04-25 02:56:02 PDT
(In reply to Chris Dumez from comment #8) > Comment on attachment 457610 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=457610&action=review > > r=me with improvement suggestion. > > > Source/WebCore/html/HTMLFormElement.cpp:422 > > + if (is<HTMLFormControlElement>(element)) { > > if (auto* control = dynamicDowncast<HTMLFormControlElement>(element); > control.isSuccessfulSubmitButton()) { > submitter = control; > break; > } Thanks for the review! I updated the lines but not exactly as you suggested. Please take another look.
Tim Nguyen (:ntim)
Comment 12 2022-04-25 06:09:10 PDT
Comment on attachment 458255 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=458255&action=review > Source/WebCore/html/HTMLFormElement.cpp:422 > + if (auto control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) { auto* control = dynamicDowncast<HTMLFormControlElement> dynamicDowncast always gives a pointer. Chris, do we need `[...]; control && control->isSuccessfulSubmitButton()` ? or is `[...]; control->isSuccessfulSubmitButton()` enough?
zsun
Comment 13 2022-04-25 06:43:59 PDT
Created attachment 458265 [details] Patch
Chris Dumez
Comment 14 2022-04-25 07:19:49 PDT
(In reply to Tim Nguyen (:ntim) from comment #12) > Comment on attachment 458255 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=458255&action=review > > > Source/WebCore/html/HTMLFormElement.cpp:422 > > + if (auto control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) { > > auto* control = dynamicDowncast<HTMLFormControlElement> > > dynamicDowncast always gives a pointer. > > Chris, do we need `[...]; control && control->isSuccessfulSubmitButton()` ? > or is `[...]; control->isSuccessfulSubmitButton()` enough? Definitely `control && control->isSuccessfulSubmitButton()`.
Chris Dumez
Comment 15 2022-04-25 07:20:48 PDT
Comment on attachment 458265 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=458265&action=review > Source/WebCore/html/HTMLFormElement.cpp:422 > + if (auto* control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) { Please add missing control null check.
Darin Adler
Comment 16 2022-04-25 09:13:11 PDT
Comment on attachment 458265 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=458265&action=review >> Source/WebCore/html/HTMLFormElement.cpp:422 >> + if (auto* control = dynamicDowncast<HTMLFormControlElement>(element.get()); control->isSuccessfulSubmitButton()) { > > Please add missing control null check. Maybe it’s obvious, but Chris means: ...; control && control->isSuccessfulSubmitButton()) {
zsun
Comment 17 2022-04-25 09:32:40 PDT
Created attachment 458279 [details] Patch
Darin Adler
Comment 18 2022-04-25 09:38:02 PDT
I see now I just said the same thing Chris had already said!
Tim Nguyen (:ntim)
Comment 19 2022-04-26 11:45:42 PDT
Is this ready to land? If it is, please set commit-queue+
EWS
Comment 20 2022-04-26 12:32:54 PDT
Committed r293444 (249999@main): <https://commits.webkit.org/249999@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 458279 [details].
Tim Nguyen (:ntim)
Comment 21 2022-06-01 13:33:39 PDT
*** Bug 234069 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.