Bug 64781 - SVG <use> referring to a later element causes problems
Summary: SVG <use> referring to a later element causes problems
Status: RESOLVED DUPLICATE of bug 78902
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Depends on:
Blocks: 64419
  Show dependency treegraph
Reported: 2011-07-18 21:20 PDT by James Simonsen
Modified: 2012-02-25 02:46 PST (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description James Simonsen 2011-07-18 21:20:17 PDT
Fuzzers have found a bunch of bugs related to <use> and <script> in SVG. I think the main problem is that <use> tags are allowed to refer to IDs that occur later in the file. For example:

<use xlink:href="#test"/>
<rect id="test">
document.body.innerHTML = "PASS";

The <use> tag constructs its shadow DOM the first time recalcStyle() is called. In this example, that will be when the parser yields, which occurs after reaching </script>, but before executing the script. By this point, the <script> has been constructed and inserted in the tree, but not executed. This leads to a situation where the script block will execute twice: once in the clone and once in the original. This seems wrong. Also, there may be other tags after the </script> that haven't yet been parsed, but ought to have been deep cloned.

It seems that the shadow DOM should be created when the <use> tag is constructed and you shouldn't be allowed to refer to something later in the document. Briefly reading the spec, it always talks about <use>'ing IDs that have been already declared and doesn't seem to cover the above case.
Comment 1 Nikolas Zimmermann 2012-02-25 02:46:44 PST
Shadow tree creation time changed, marking as duplicate of bug 78902.

*** This bug has been marked as a duplicate of bug 78902 ***