[Webkit-unassigned] [Bug 64781] New: SVG <use> referring to a later element causes problems

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 18 21:20:17 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64781

           Summary: SVG <use> referring to a later element causes problems
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: simonjam at chromium.org
                CC: zimmermann at kde.org
            Blocks: 64419


Fuzzers have found a bunch of bugs related to <use> and <script> in SVG. I think the main problem is that <use> tags are allowed to refer to IDs that occur later in the file. For example:

<svg>
<g>
<use xlink:href="#test"/>
<rect id="test">
<script>
document.body.innerHTML = "PASS";
</script>

The <use> tag constructs its shadow DOM the first time recalcStyle() is called. In this example, that will be when the parser yields, which occurs after reaching </script>, but before executing the script. By this point, the <script> has been constructed and inserted in the tree, but not executed. This leads to a situation where the script block will execute twice: once in the clone and once in the original. This seems wrong. Also, there may be other tags after the </script> that haven't yet been parsed, but ought to have been deep cloned.

It seems that the shadow DOM should be created when the <use> tag is constructed and you shouldn't be allowed to refer to something later in the document. Briefly reading the spec, it always talks about <use>'ing IDs that have been already declared and doesn't seem to cover the above case.

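An added example, not part of the original bug report and not WebKit code: a static scanner that classifies each <use> reference as forward, backward or unresolved by source order, one way to triage fuzzer-generated SVG for the pattern the report describes. The function names and the scriptAfterTarget heuristic are assumptions of this example; REPORT_CASE is the test case from the report.

```javascript
// Added example, not WebKit code. Test case copied from the bug report above.
const REPORT_CASE = `<svg>
<g>
<use xlink:href="#test"/>
<rect id="test">
<script>
document.body.innerHTML = "PASS";
</script>`;

// Collect quoted attributes from the inside of a start tag.
function parseAttrs(text) {
  const attrs = Object.create(null);
  for (const m of text.matchAll(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Scan start tags in source order. A tag scanner is used rather than an XML
// parser because fuzzer output, like the case above, is rarely well-formed.
function findUseReferences(svg) {
  const tagRe = /<!--[\s\S]*?-->|<([A-Za-z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const declared = new Map(); // id -> offset of the first start tag carrying it
  const uses = [];
  const scripts = [];         // offsets of <script> start tags
  let m;
  while ((m = tagRe.exec(svg)) !== null) {
    if (m[1] === undefined) continue; // comment, skip
    const name = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (attrs.id !== undefined && !declared.has(attrs.id)) declared.set(attrs.id, m.index);
    const href = attrs['xlink:href'] || attrs.href;
    if (name === 'use' && href && href.startsWith('#')) {
      uses.push({ target: href.slice(1), offset: m.index });
    }
    if (name === 'script') {
      scripts.push(m.index);
      // Script text is not markup: resume scanning at the closing tag.
      const close = /<\/script/gi;
      close.lastIndex = tagRe.lastIndex;
      const end = close.exec(svg);
      tagRe.lastIndex = end ? end.index : svg.length;
    }
  }
  return uses.map((u) => {
    const decl = declared.get(u.target);
    const status = decl === undefined ? 'unresolved' : decl > u.offset ? 'forward' : 'backward';
    // Heuristic: a <script> start tag after the target may sit inside its subtree.
    const scriptAfterTarget = decl !== undefined && scripts.some((s) => s > decl);
    return { target: u.target, offset: u.offset, status, scriptAfterTarget };
  });
}
```

A result with status 'forward' and scriptAfterTarget true marks input worth checking against the double-execution behaviour described in the report.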