RESOLVED FIXED 33920
dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHTML documents
https://bugs.webkit.org/show_bug.cgi?id=33920
Matt Perry
Reported 2010-01-20 14:54:33 PST
Repro:
1. Visit an XHTML page, e.g. http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL: javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user script contains javascript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable seems to do the trick. It will just take me a bit to write a suitable test.
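The reinjection loop described in the report, as an added C++ toy model that is not WebKit source and not part of the attached patch. ModelFrame, ModelTokenizer, injectionsFor, the cap of 8 and the rule that the first element of a parse triggers the notification are assumptions made for illustration.

```cpp
#include <cstdio>
#include <functional>
#include <string>

// Toy model of the report, not WebKit source. All Model* names are hypothetical.
struct ModelFrame {
    bool hasFix;                 // true = apply the "!m_parsingFragment" check
    int injections = 0;          // times user scripts were injected
    int cap = 8;                 // model-only cap so the unfixed case terminates
    std::function<void(ModelFrame&)> userScript;  // constructed stand-in
    explicit ModelFrame(bool fix) : hasFix(fix) {}
    // Stand-in for dispatchDocumentElementAvailable: injects user scripts.
    void dispatchDocumentElementAvailable() {
        if (injections >= cap) return;
        ++injections;
        if (userScript) userScript(*this);
    }
    void setInnerHTML(const std::string& markup);
};

struct ModelTokenizer {
    ModelFrame& frame;
    bool parsingFragment;
    bool sawFirstElement = false;
    ModelTokenizer(ModelFrame& f, bool fragment) : frame(f), parsingFragment(fragment) {}
    // Assumption: the first element seen by a parse triggers the notification.
    void startElementNs(const std::string& /*localName*/) {
        if (sawFirstElement) return;
        sawFirstElement = true;
        if (frame.hasFix && parsingFragment) return;  // the guard proposed in the report
        frame.dispatchDocumentElementAvailable();
    }
};

// Setting innerHTML starts a fragment parse with its own tokenizer.
void ModelFrame::setInnerHTML(const std::string& /*markup*/) {
    ModelTokenizer fragmentParser(*this, true);
    fragmentParser.startElementNs("p");
}

int injectionsFor(bool hasFix) {
    ModelFrame frame(hasFix);
    frame.userScript = [](ModelFrame& f) { f.setInnerHTML("<p>hi</p>"); };
    ModelTokenizer documentParser(frame, false);
    documentParser.startElementNs("html");  // the real document element arrives
    return frame.injections;
}

int main() { std::printf("no guard: %d, guard: %d\n", injectionsFor(false), injectionsFor(true)); }
```

Without the guard the model stops only because of its cap; with the guard the user script is injected once, for the real document element.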
Attachments
small patch with tests (4.92 KB, patch)
2010-01-25 17:37 PST, Matt Perry
no flags
Matt Perry
Comment 1 2010-01-25 17:37:37 PST
Created attachment 47378 small patch with tests
Darin Adler
Comment 2 2010-01-25 17:44:03 PST
Comment on attachment 47378 small patch with tests
Why does the test case need to be in userscripts? Can't this be tested with a normal script-tests test?
Matt Perry
Comment 3 2010-01-25 17:54:41 PST
(In reply to comment #2)
> (From update of attachment 47378)
> Why does the test case need to be in userscripts? Can't this be tested with a
> normal script-tests test?

It doesn't look like it. I think the only side effect of calling dispatchDocumentElementAvailable is that user scripts are injected.
Eric Seidel (no email)
Comment 4 2010-01-26 14:07:06 PST
Comment on attachment 47378 small patch with tests
LGTM.
WebKit Commit Bot
Comment 5 2010-01-27 03:44:01 PST
Comment on attachment 47378 small patch with tests
Clearing flags on attachment: 47378
Committed r53917: <http://trac.webkit.org/changeset/53917>
WebKit Commit Bot
Comment 6 2010-01-27 03:44:08 PST
All reviewed patches have been landed. Closing bug.