[Webkit-unassigned] [Bug 33920] New: dispatchDocumentElementAvailable is fired for fragment parsing on XML and XHTML documents

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 20 14:54:34 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=33920

           Summary: dispatchDocumentElementAvailable is fired for fragment
                    parsing on XML and XHTML documents
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mpcomplete at chromium.org
                CC: hyatt at apple.com


Repro:
1. Visit an XHTML page, eg http://sorryrobot.com/chrometest.php
2. Put a breakpoint in dispatchDocumentElementAvailable.
3. Run this javascript URL:
  javascript:var div = document.createElement('div');div.innerHTML = '<p>hi</p>';
4. Breakpoint is hit.

This causes user scripts to get injected when they shouldn't. If the user
script contains javascript similar to #3, it will infinitely reinject itself.

I think the fix is simple. Adding a check for "!m_parsingFragment" to
XMLTokenizer::startElementNs before calling dispatchDocumentElementAvailable
seems to do the trick. It will just take me a bit to write a suitable test.
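The re-entrancy the report describes, as an added example that is not WebKit code and not the reporter's: a toy tokenizer modelling the path from startElementNs to dispatchDocumentElementAvailable, with a hypothetical user-script injector hooked to that notification. The user script does the innerHTML assignment from step 3, which here goes through a separate fragment parse with m_parsingFragment set. Without the proposed guard the fragment parse fires the notification again and the script re-injects itself until the (assumed) recursion cap stops it; with the "!m_parsingFragment" check it runs once. The class and member names mirror the report; the hook wiring, the injector and the cap are assumptions of this model.

```cpp
#include <cstdio>
#include <functional>
#include <initializer_list>
#include <string>
#include <vector>

// Toy model of the XML tokenizer path described in the report (not WebKit code).
struct Tokenizer {
    bool m_parsingFragment = false;
    bool m_sawDocumentElement = false;
    bool m_guardFragments;  // true = apply the proposed "!m_parsingFragment" check
    std::function<void(Tokenizer&)> documentElementAvailableHook;  // assumed injector hook

    explicit Tokenizer(bool guardFragments) : m_guardFragments(guardFragments) {}

    void dispatchDocumentElementAvailable() {
        if (documentElementAvailableHook)
            documentElementAvailableHook(*this);
    }

    // Models XMLTokenizer::startElementNs: the first start tag of a parse is
    // where the document-element-available notification fires.
    void startElementNs(const std::string& /*name*/) {
        if (m_sawDocumentElement)
            return;
        m_sawDocumentElement = true;
        // Buggy behaviour: fire unconditionally. Fixed: only for a real document parse.
        if (!m_guardFragments || !m_parsingFragment)
            dispatchDocumentElementAvailable();
    }

    // innerHTML on an XHTML document: modelled as a separate parse run with
    // m_parsingFragment set, sharing the same hook (assumption of this model).
    void parseFragment(const std::vector<std::string>& tags) {
        Tokenizer frag(m_guardFragments);
        frag.m_parsingFragment = true;
        frag.documentElementAvailableHook = documentElementAvailableHook;
        for (const auto& t : tags)
            frag.startElementNs(t);
    }
};

// Hypothetical user-script injector: runs the user script each time the hook fires.
// The user script body is the innerHTML assignment from step 3 of the repro.
struct UserScriptInjector {
    int runs = 0;
    int cap;  // recursion cap so the unguarded case terminates instead of overflowing the stack
    explicit UserScriptInjector(int c) : cap(c) {}

    void inject(Tokenizer& t) {
        if (runs >= cap)
            return;
        ++runs;
        // user script: var div = document.createElement('div'); div.innerHTML = '<p>hi</p>';
        t.parseFragment({"p"});
    }
};

// Parse a minimal XHTML document (constructed: html, head, body start tags) and
// report how many times the user script ran.
int userScriptRuns(bool guardFragments, int cap = 10) {
    UserScriptInjector injector(cap);
    Tokenizer doc(guardFragments);
    doc.documentElementAvailableHook = [&injector](Tokenizer& t) { injector.inject(t); };
    for (const char* tag : {"html", "head", "body"})
        doc.startElementNs(tag);
    return injector.runs;
}

int main() {
    std::printf("without guard: user script ran %d times (capped)\n", userScriptRuns(false));
    std::printf("with guard:    user script ran %d time\n", userScriptRuns(true));
    return 0;
}
```

The unguarded run only stops because of the cap; in the real browser there is no such cap, which is the infinite re-injection the report describes. The guard belongs at the dispatch site, since a fragment parse legitimately sees a first start tag but is never the document element becoming available.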
