Repro:

1. Visit an XHTML page, e.g. http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL: javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user script contains javascript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable seems to do the trick. It will just take me a bit to write a suitable test.
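The reinjection loop and the proposed guard, as an added model that is not WebKit source and not part of the original report. Only XMLTokenizer, startElementNs, dispatchDocumentElementAvailable and m_parsingFragment come from the report; every other name and all function bodies are assumptions made for illustration.

```cpp
#include <functional>
#include <string>

// Simplified model, not WebKit code: bodies and the Frame type are hypothetical.
struct Frame {
    int injections = 0;
    std::function<void(Frame&)> userScript;   // runs every time scripts are injected
    bool guardFragments = false;              // true = apply the check proposed in the report
    static constexpr int kMaxInjections = 25; // cap so the unguarded model terminates

    void dispatchDocumentElementAvailable() {
        if (injections >= kMaxInjections) return;
        ++injections;                         // user scripts are injected here
        if (userScript) userScript(*this);
    }
    void setInnerHTML(const std::string& markup);
};

class XMLTokenizer {
public:
    XMLTokenizer(Frame& frame, bool parsingFragment)
        : m_frame(frame), m_parsingFragment(parsingFragment) {}

    void startElementNs(const std::string&) {
        if (m_sawFirstElement) return;        // hypothetical: announce only the first element
        m_sawFirstElement = true;
        // Proposed check: a fragment parse (innerHTML) creates no new document element.
        if (m_frame.guardFragments && m_parsingFragment) return;
        m_frame.dispatchDocumentElementAvailable();
    }
private:
    Frame& m_frame;
    bool m_parsingFragment;
    bool m_sawFirstElement = false;
};

// In an XHTML document, innerHTML is parsed by a fresh fragment tokenizer.
void Frame::setInnerHTML(const std::string& markup) {
    XMLTokenizer fragmentParser(*this, /*parsingFragment=*/true);
    fragmentParser.startElementNs(markup);
}

// Loads a document whose user script sets innerHTML, as in repro step 3.
int injectionsAfterLoad(bool withFix) {
    Frame frame;
    frame.guardFragments = withFix;
    frame.userScript = [](Frame& f) { f.setInnerHTML("<p>hi</p>"); };
    XMLTokenizer documentParser(frame, /*parsingFragment=*/false);
    documentParser.startElementNs("html");
    return frame.injections;
}
```

Without the guard the model stops only at its artificial cap; with it the user script is injected once, for the real document element.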
Created attachment 47378: small patch with tests
Comment on attachment 47378: small patch with tests

Why does the test case need to be in userscripts? Can't this be tested with a normal script-tests test?
(In reply to comment #2)
> (From update of attachment 47378)
> Why does the test case need to be in userscripts? Can't this be tested with a
> normal script-tests test?

It doesn't look like it. I think the only side effect of calling dispatchDocumentElementAvailable is that user scripts are injected.
Comment on attachment 47378: small patch with tests

LGTM.
Comment on attachment 47378: small patch with tests

Clearing flags on attachment: 47378

Committed r53917: <http://trac.webkit.org/changeset/53917>
All reviewed patches have been landed. Closing bug.