Steps to reproduce: open the attached test case, click on the text.
Expected results: an alert appears.
Actual results: nothing happens.
Created attachment 6345
Value OnClick(); (result of expression OnClick) is not object.
For some reason, we have an onclick property on DOM nodes that allows you to set and get the onclick handle for a DOM node. I can't find any other web browser that has this property.
Because of this property, when you try to call a function on the window object named onclick, you find the property on the DOM node first.
The fix is presumably just to remove the property, but I would like to know why the property is there, and how many of the other "onxxx" properties need to be removed.
Removing the properties from kjs_dom.cpp is going to be easy. The only hard thing here is testing with other browsers to see whether they have properties like ours.
Maciej thinks my analysis is wrong and this is really about case sensitivity. I think he's right and my tests of other browsers were confused. I'll look into a fix given that insight.
I now believe that fixing this is as simple as changing the getAttribute calls in KJS::DOMElement::getOwnPropertySlot and KJS::DOMElement::attributeGetter in kjs_dom.cpp. Either we remove them entirely or we change them to construct a QualifiedName directly to avoid the lower-casing that's done in WebCore::ElementImpl::getAttributeNS.
The argument for removing them entirely is that they implement a feature that is not present in Gecko/Firefox. The argument for keeping them is that they implement a feature that is similar to something present in Internet Explorer.
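The lookup discussed in this report can be modelled in plain JavaScript. This is an added example, not part of the original report and not WebKit code. The element model, the scope chain of element, document, then window, and the attribute value `OnClick();` (inferred from the error message above) are assumptions, and all function names are hypothetical.

```javascript
// Hypothetical element model: own properties first, then an attribute
// fallback, standing in for the getAttribute calls named in the report.
function makeElement(attrs, lowerCaseFallback) {
  const own = { tagName: "DIV" };
  const keyFor = (name) => (lowerCaseFallback ? name.toLowerCase() : name);
  return new Proxy(own, {
    has(target, name) {
      if (typeof name !== "string") return name in target;
      return name in target || attrs.has(keyFor(name));
    },
    get(target, name) {
      if (typeof name !== "string" || name in target) return target[name];
      return attrs.get(keyFor(name));
    },
  });
}

// Walk the scope chain the way an identifier lookup would.
function resolve(name, chain) {
  for (const scope of chain) {
    if (name in scope) return scope[name];
  }
  throw new ReferenceError(name + " is not defined");
}

// Simulate clicking an element whose inline handler calls OnClick().
function simulateClick(lowerCaseFallback) {
  // Constructed sample: the HTML parser stores attribute names lower-cased.
  const attrs = new Map([["onclick", "OnClick();"]]);
  const windowObj = { OnClick: () => "alert shown" };
  const documentObj = {};
  const element = makeElement(attrs, lowerCaseFallback);
  const value = resolve("OnClick", [element, documentObj, windowObj]);
  return typeof value === "function"
    ? { callable: true, result: value() }
    : { callable: false, result: value };
}

// With lower-casing, OnClick resolves to the attribute string on the element.
console.log(simulateClick(true));
// With an exact-case lookup, the search continues to the window function.
console.log(simulateClick(false));
```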