RESOLVED FIXED 92838
HTMLTreeBuilder passes a wrong token when pushing the head element 
https://bugs.webkit.org/show_bug.cgi?id=92838
Summary HTMLTreeBuilder passes a wrong token when pushing the head element
Kwang Yul Seo
Reported 2012-07-31 22:08:30 PDT
When the tree builder pushes the head element in the "after head" insertion mode, it creates a HTMLStackItem from a wrong token. Added HTMLConstructionSite::headStackItem() to retrieve the stack item for the head element. Modified the tree builder to pass the correct stack item when pushing the head element in the "after head" insertion mode.
Attachments
Patch (4.32 KB, patch)
2012-07-31 22:11 PDT, Kwang Yul Seo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kwang Yul Seo
Comment 1 2012-07-31 22:11:46 PDT
Created attachment 155720 [details] Patch
Adam Barth
Comment 2 2012-08-01 11:08:00 PDT
Comment on attachment 155720 [details] Patch Interesting. It's hard to see how this could have any observable effects, but I agree that it's wrong.
Eric Seidel (no email)
Comment 3 2012-08-01 11:20:05 PDT
Maybe with one of those convoluted tests for token re-use, something like: <head a='b'> <script> document.head.setAttribute('a', 'c'); </script> But I agree with Adam and it's unlikely to matter.
Adam Barth
Comment 4 2012-08-01 11:54:14 PDT
> Maybe with one of those convoluted tests for token re-use, something like: Yeah, but I couldn't think of any cases where we'd read back the attributes of the <head> element...
WebKit Review Bot
Comment 5 2012-08-01 12:03:31 PDT
Comment on attachment 155720 [details] Patch Clearing flags on attachment: 155720 Committed r124353: <http://trac.webkit.org/changeset/124353>
WebKit Review Bot
Comment 6 2012-08-01 12:03:34 PDT
All reviewed patches have been landed. Closing bug.
Kwang Yul Seo
Comment 7 2012-08-01 16:03:27 PDT
(In reply to comment #4) > > Maybe with one of those convoluted tests for token re-use, something like: > > Yeah, but I couldn't think of any cases where we'd read back the attributes of the <head> element... It's hardly a problem in real situations. But the first assertion in HTMLElementStack::pushHTMLHeadElement(PassRefPtr<HTMLStackItem>) fails after Bug 92830. void HTMLElementStack::pushHTMLHeadElement(PassRefPtr<HTMLStackItem> item) { ASSERT(item->hasTagName(HTMLNames::headTag)); // <- this assertion fails because the tag name is read from the stack item (saved token). ASSERT(!m_headElement); m_headElement = item->element(); pushCommon(item); }
Note You need to log in before you can comment on or make changes to this bug.