[Webkit-unassigned] [Bug 23956] Safari crashes when cloneNode fails (cloning a XML element with an invalid nodeName)

bugzilla-daemon at webkit.org
Sat Feb 21 22:46:14 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=23956





------- Comment #7 from jchaffraix at webkit.org  2009-02-21 22:46 PDT -------
(In reply to comment #6)
> The bug here is that since this is an XML document, we shouldn't have been able
> to create a node with an invalid prefix to begin with. 
> Document::createElement() should have thrown an error.  We'll need to check
> what FF and IE do here, and what the spec says, but I expect that
> createElement() should have just thrown an error and we would never have gotten
> to a case where we have an XML element with an invalid nodeName.

I disagree with your conclusion. createElement is asked just to check that the
string is a valid XML name by the DOM spec and throwing an exception will lead
to regressions. As strange as it seems, createElement puts the string as the
localName without any checks on the prefix and thus can lead to invalid XML
names.
I have tried your test case with the other browsers: FF abides by the spec, Opera
mostly abides (it just sets the namespace to 'http://www.example.com' (instead of
null per DOM requirement)) and IE fails on
document.implementation.createDocument.

The issue here is that we are calling createElementNS with nodes that may have
been created by another method and thus do not play along with it.
HTMLDocument::cloneNode calls the factory directly and it does not crash on
such invalid nodes. I think we should do something equivalent in
Document::cloneNode.
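
The distinction drawn in this comment, as an added JavaScript sketch (not part of the original comment and not WebKit code): a string can satisfy the XML `Name` production that createElement checks and still be rejected by the qualified-name rules createElementNS applies, so a clone that re-parses nodeName can fail where a field-by-field copy cannot. The function names and the sample name `a:b:c` are constructed for illustration.

```javascript
// Added illustration; simplified model, not WebKit code. All names are hypothetical.
// Character ranges follow the XML 1.0 (5th ed.) "Name" production.
const START = ":A-Z_a-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D" +
  "\\u037F-\\u1FFF\\u200C\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF" +
  "\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\u{10000}-\\u{EFFFF}";
const REST = START + ".0-9\\u00B7\\u0300-\\u036F\\u203F\\u2040-";
const NAME_RE = new RegExp(`^[${START}][${REST}]*$`, "u");

// XML Name: ':' is an ordinary name character here.
function isXmlName(s) { return NAME_RE.test(s); }

// Namespaces in XML QName: NCName (':' NCName)?, so at most one colon
// and each part must itself be a Name.
function isQName(s) {
  const parts = s.split(":");
  return parts.length <= 2 && parts.every((p) => isXmlName(p));
}

// Models createElement as described above: only the Name check is made,
// and the whole string becomes localName with a null prefix and namespace.
function createElement(name) {
  if (!isXmlName(name)) throw new Error("INVALID_CHARACTER_ERR");
  return { nodeName: name, localName: name, prefix: null, namespaceURI: null };
}

// Models a clone that goes through createElementNS-style validation.
function cloneByReparsing(node) {
  if (!isQName(node.nodeName)) throw new Error("NAMESPACE_ERR");
  const [first, second] = node.nodeName.split(":");
  // DOM rule: a prefix without a namespace is also a namespace error.
  if (second !== undefined && node.namespaceURI === null) throw new Error("NAMESPACE_ERR");
  return { ...node, prefix: second === undefined ? null : first, localName: second ?? first };
}

// Models calling the element factory directly: fields are copied, nothing is re-validated.
function cloneByCopy(node) { return { ...node }; }

// Reports what each clone strategy does for a node created with createElement.
function cloneOutcome(name) {
  const node = createElement(name);
  try { cloneByReparsing(node); return "reparse-ok"; }
  catch (e) { return `${e.message}; copy keeps ${cloneByCopy(node).nodeName}`; }
}
```

The failing path must be handled by the caller: a clone routine that assumes re-validation always succeeds is left with no node to return.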

