Bug 33920 - dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHTML documents
Summary: dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHT...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Matt Perry
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-20 14:54 PST by Matt Perry
Modified: 2010-01-27 03:44 PST
CC List: 5 users

See Also:


Attachments
small patch with tests (4.92 KB, patch)
2010-01-25 17:37 PST, Matt Perry
no flags

Description Matt Perry 2010-01-20 14:54:33 PST
Repro:
1. Visit an XHTML page, e.g. http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL:
  javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user script contains javascript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable seems to do the trick. It will just take me a bit to write a suitable test.
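The control flow the reporter describes, as an added example that is not part of this bug report or of WebKit's source: a small JavaScript model in which the first start tag of a fragment parse dispatches the document-element-available notification exactly as the root element of a top-level parse does, so a user script that sets innerHTML re-enters its own injection. The class names, the tag scanner, `MAX_DEPTH` and the `fixed` switch are invented for the simulation; `fixed` stands in for the `!m_parsingFragment` check proposed in the description.

```javascript
// Simulation of the reinjection loop from the bug report. Not WebKit code:
// every name below is invented for the model. The tag scanner stands in
// for libxml2 calling back into XMLTokenizer::startElementNs, and `fixed`
// stands in for the proposed "!m_parsingFragment" guard.

const MAX_DEPTH = 32; // bail out of the runaway recursion instead of blowing the stack

// Minimal start-tag scanner, sufficient for the constructed markup used here.
function startTags(markup) {
  return Array.from(markup.matchAll(/<([A-Za-z][\w:-]*)/g), m => m[1]);
}

class XMLTokenizer {
  constructor(doc, parsingFragment) {
    this.doc = doc;
    this.parsingFragment = parsingFragment; // plays the role of m_parsingFragment
    this.sawFirstElement = false;
  }

  parse(markup) {
    for (const tag of startTags(markup)) this.startElementNs(tag);
  }

  // The first element of a parse is where the tokenizer tells the loader
  // that the document element is available. Without the guard, a fragment
  // parse (innerHTML on an XML document) takes the same path.
  startElementNs(tag) {
    if (this.sawFirstElement) return;
    this.sawFirstElement = true;
    if (this.doc.fixed && this.parsingFragment) return; // proposed check
    this.doc.dispatchDocumentElementAvailable();
  }
}

class XHTMLDocument {
  constructor(userScripts, fixed) {
    this.userScripts = userScripts;
    this.fixed = fixed;
    this.dispatches = 0;
    this.depth = 0;
  }

  // The only side effect modelled is the one the thread names: user scripts
  // registered for this stage get injected.
  dispatchDocumentElementAvailable() {
    this.dispatches += 1;
    if (this.depth >= MAX_DEPTH) throw new RangeError('unbounded reinjection');
    this.depth += 1;
    try {
      for (const script of this.userScripts) script(this);
    } finally {
      this.depth -= 1;
    }
  }

  // div.innerHTML = markup on an XML document runs the tokenizer in fragment mode.
  setInnerHTML(markup) {
    new XMLTokenizer(this, true).parse(markup);
  }

  load(markup) {
    new XMLTokenizer(this, false).parse(markup);
  }
}

// Run the repro: a user script whose body does what step 3 of the report does.
function simulate(fixed) {
  const stats = { scriptRuns: 0, dispatches: 0, runaway: false };
  const userScript = doc => {
    stats.scriptRuns += 1;
    doc.setInnerHTML('<p>hi</p>'); // constructed fragment, as in the repro
  };
  const doc = new XHTMLDocument([userScript], fixed);
  try {
    // constructed XHTML document; only its start tags matter to the model
    doc.load('<html xmlns="http://www.w3.org/1999/xhtml"><body/></html>');
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    stats.runaway = true;
  }
  stats.dispatches = doc.dispatches;
  return stats;
}

console.log('buggy:', simulate(false));
console.log('fixed:', simulate(true));
```

With `fixed` false the model hits `MAX_DEPTH` nested injections and aborts, which is the "infinitely reinject itself" behaviour from the description; with the guard in place the user script runs exactly once per document. The model reproduces only the shape of the loop, not WebKit's tokenizer; the actual fix is the patch that landed as r53917 below.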
Comment 1 Matt Perry 2010-01-25 17:37:37 PST
Created attachment 47378
small patch with tests
Comment 2 Darin Adler 2010-01-25 17:44:03 PST
Comment on attachment 47378
small patch with tests

Why does the test case need to be in userscripts? Can't this be tested with a normal script-tests test?
Comment 3 Matt Perry 2010-01-25 17:54:41 PST
(In reply to comment #2)
> (From update of attachment 47378)
> Why does the test case need to be in userscripts? Can't this be tested with a
> normal script-tests test?

It doesn't look like it. I think the only side effect of calling dispatchDocumentElementAvailable is that user scripts are injected.
Comment 4 Eric Seidel (no email) 2010-01-26 14:07:06 PST
Comment on attachment 47378
small patch with tests

LGTM.
Comment 5 WebKit Commit Bot 2010-01-27 03:44:01 PST
Comment on attachment 47378
small patch with tests

Clearing flags on attachment: 47378

Committed r53917: <http://trac.webkit.org/changeset/53917>
Comment 6 WebKit Commit Bot 2010-01-27 03:44:08 PST
All reviewed patches have been landed.  Closing bug.