RESOLVED FIXED 25031
Chrome allows elements with names to override collection properties 
https://bugs.webkit.org/show_bug.cgi?id=25031
Summary Chrome allows elements with names to override collection properties
Dave Moore
Reported 2009-04-03 11:05:28 PDT
If you have an HTMLSelectElement and it has an option that happens to be named 'length' you will get this element when accessing the length property, instead of the actual length. This also causes these accesses to be slower than they need to be.
Attachments
Fix (4.82 KB, patch)
2009-04-03 11:09 PDT, Dave Moore 		dglazkov: review-
DetailsFormatted DiffDiff
Fix (5.08 KB, patch)
2009-04-03 12:26 PDT, Dave Moore 		no flags
DetailsFormatted DiffDiff
Fix (6.19 KB, patch)
2009-04-03 13:27 PDT, Dave Moore 		no flags
DetailsFormatted DiffDiff
Fix (5.58 KB, patch)
2009-04-03 14:06 PDT, Dave Moore 		dglazkov: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Dave Moore
Comment 1 2009-04-03 11:09:57 PDT
Created attachment 29233 [details] Fix This patch will only effect the chromium build, as it's in the bindings
Dimitri Glazkov (Google)
Comment 2 2009-04-03 11:19:22 PDT
Comment on attachment 29233 [details] Fix Don't forget bug URL in ChangeLog description. > + (WebCore::collectionNamedPropertyGetter): > + (WebCore::nodeCollectionNamedPropertyGetter): It's a good practice to add brief descriptions to each line on what's being done. > + if (!value.IsEmpty()) > + return value; 4 spaces. > + > + // Search local callback properties next to find IDL defined > + // properties. > + if (info.Holder()->HasRealNamedCallbackProperty(name)) > + return v8::Handle<v8::Value>(); 4 spaces. Also, I think this should be return notHandledbyInterceptor(). > + if (!value.IsEmpty()) > + return value; 4 spaces. > + if (info.Holder()->HasRealNamedCallbackProperty(name)) > + return v8::Handle<v8::Value>(); 4 spaces, notHandledByInterceptor() > +2009-04-03 Dave Moore <davemoore@google.com> > + > + Reviewed by NOBODY (OOPS!). Need a good description of what the tests test. > + function test() > + { > + if (window.layoutTestController) > + layoutTestController.dumpAsText(); Is this where we should put attempting to override length? > + > + var sl = document.getElementById("sl"); > + if (sl.length == 1)
Dave Moore
Comment 3 2009-04-03 12:26:22 PDT
Created attachment 29236 [details] Fix
Dave Moore
Comment 4 2009-04-03 13:27:41 PDT
Created attachment 29237 [details] Fix Added a new tests to ensure that JS can override the length property on the HTMLSelectElement
Dave Moore
Comment 5 2009-04-03 14:06:09 PDT
Created attachment 29240 [details] Fix Remove test for JS setting the length property.
Dimitri Glazkov (Google)
Comment 6 2009-04-03 14:07:43 PDT
Comment on attachment 29240 [details] Fix looks good!
Dimitri Glazkov (Google)
Comment 7 2009-04-06 11:01:56 PDT
Landed as http://trac.webkit.org/changeset/42247.
Note You need to log in before you can comment on or make changes to this bug.