[Webkit-unassigned] [Bug 22741] New: innerHTML, forms and images don't play well together

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 8 15:24:47 PST 2008


           Summary: innerHTML, forms and images don't play well together
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: davemoore at google.com

If you have a form that contains a span that contains an img tag with a name
and id, and replace that img with another one, with the same name but a
different id, any JavaScript that accesses that img through the form
(form.image.id) will get the old value. Accessing the img through the document
will get the new value.

This behavior is consistent in IE6, Safari and Chrome. In FF and IE7 you get
the new value using either path to the image.

In HTMLFormElement there is a vector called imgElements that gets initialized
when the form is created. As far as I can tell this vector is never updated
when the innerHTML is set.

HTMLParser has a notion of the current form, contained in the instance variable
m_currentFormElement. This is used when an HTMLImageElement is created to allow
imgElements to be updated. When innerHTML is set on a span within the form
there is no way for this variable to be initialized, so the image can't be
added to the form's imageElements.

I've modified HTMLElement, HTMLImageElement, HTMLParser and HTMLTokenizer to
support initializing the m_currentFormElement to the form that contains the
HTMLElement which is having its innerHTML set. I remove the image from the form
when it is removed from the document and add it to the form when it's added to
the document. In the attached file you can see the failure when the two numbers
shown (one for document.pic.id and one for form.pic.id) don't match. 

One additional thing I've noticed is that the HTMLImageElement is never
destroyed when removed from the document. If it were, it would have been removed
from the form as well. I believe there is an old IE behavior that says that if
an element is referenced by name at some point then it has to be able to be
referenced by that name later, even if removed from the document. Perhaps this
is to allow for that.
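
Added example, not part of the original report and not WebKit code: a simplified JavaScript model of the two lookup paths described above, showing why the form path goes stale and what the described change does. Only `imgElements` and `currentFormElement` echo names from the report; `Img`, `Form`, `Span`, `parseImg`, `run` and the ids `'1'` and `'2'` are assumptions made for the illustration.

```javascript
// Simplified model of the report's description, not WebKit source.
// Img, Form, Span, parseImg and run are hypothetical names.
class Img {
  constructor(name, id) { this.name = name; this.id = id; this.form = null; }
}

class Form {
  constructor() { this.imgElements = []; } // vector filled as images register
  lookup(name) {                           // models form.pic
    return this.imgElements.find((img) => img.name === name) || null;
  }
}

// Models the parser: an image registers with a form only when the parser
// has a current form (m_currentFormElement in the report).
function parseImg(name, id, currentFormElement) {
  const img = new Img(name, id);
  if (currentFormElement) {
    img.form = currentFormElement;
    currentFormElement.imgElements.push(img);
  }
  return img;
}

class Span {
  constructor(form, patched) { this.form = form; this.patched = patched; this.children = []; }
  setInner(name, id) {                     // models span.innerHTML = '<img ...>'
    if (this.patched) {
      // Change described in the report: drop removed images from their form.
      for (const old of this.children) {
        if (old.form) old.form.imgElements = old.form.imgElements.filter((i) => i !== old);
      }
    }
    // Unpatched, the fragment parse has no current form to register with.
    this.children = [parseImg(name, id, this.patched ? this.form : null)];
  }
  liveLookup(name) {                       // models document.pic (live tree)
    return this.children.find((img) => img.name === name) || null;
  }
}

function run(patched) {
  const form = new Form();
  const span = new Span(form, patched);
  span.children = [parseImg('pic', '1', form)]; // initial parse inside the form
  span.setInner('pic', '2');                    // constructed replacement image
  return { viaDocument: span.liveLookup('pic').id, viaForm: form.lookup('pic').id };
}
```

`run(false)` returns two different ids for the same name, the mismatch the report describes; `run(true)` returns the same id on both paths.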
