[Webkit-unassigned] [Bug 64781] New: SVG <use> referring to a later element causes problems
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jul 18 21:20:17 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64781
Summary: SVG <use> referring to a later element causes problems
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: simonjam at chromium.org
CC: zimmermann at kde.org
Blocks: 64419
Fuzzers have found a bunch of bugs related to <use> and <script> in SVG. I think the main problem is that <use> tags are allowed to refer to IDs that occur later in the file. For example:
<svg>
<g>
<use xlink:href="#test"/>
<rect id="test">
<script>
document.body.innerHTML = "PASS";
</script>
The <use> tag constructs its shadow DOM the first time recalcStyle() is called. In this example, that will be when the parser yields, which occurs after reaching </script>, but before executing the script. By this point, the <script> has been constructed and inserted in the tree, but not executed. This leads to a situation where the script block will execute twice: once in the clone and once in the original. This seems wrong. Also, there may be other tags after the </script> that haven't yet been parsed, but ought to have been deep cloned.
It seems that the shadow DOM should be created when the <use> tag is constructed and you shouldn't be allowed to refer to something later in the document. Briefly reading the spec, it always talks about <use>'ing IDs that have been already declared and doesn't seem to cover the above case.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list