Diff
Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207193 => 207194)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-12 07:37:17 UTC (rev 207193)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-12 08:40:43 UTC (rev 207194)
@@ -1,3 +1,23 @@
+2016-10-11 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r203383. rdar://problem/28216264
+
+ 2016-07-18 Brent Fulgham <bfulg...@apple.com>
+
+ Don't associate form-associated elements with forms in other trees.
+ https://bugs.webkit.org/show_bug.cgi?id=119451
+ <rdar://problem/27382946>
+
+ Change is based on the Blink change (patch by <ad...@chromium.org>):
+ <https://chromium.googlesource.com/chromium/blink/+/0b33128be67e7845d495d5219614c02ccfe7a414>
+
+ Reviewed by Chris Dumez.
+
+ * fast/forms/image-disconnected-during-parse-expected.txt: Added.
+ * fast/forms/image-disconnected-during-parse.html: Added.
+ * fast/forms/input-disconnected-during-parse-expected.txt: Added.
+ * fast/forms/input-disconnected-during-parse.html: Added.
+
2016-10-02 Babak Shafiei <bshaf...@apple.com>
Merge r205657. rdar://problem/28216268
Added: branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt (0 => 207194)
--- branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt 2016-10-12 08:40:43 UTC (rev 207194)
@@ -0,0 +1,10 @@
+Image elements should not be associated with forms in different trees
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.forms[0].myimage is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse.html (0 => 207194)
--- branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/forms/image-disconnected-during-parse.html 2016-10-12 08:40:43 UTC (rev 207194)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<form>
+ <div id="target">
+ <script>
+ var d = document.getElementById('target');
+ d.parentNode.removeChild(d);
+ </script>
+ <img name=myimage>
+ </div>
+</form>
+<script src=""
+<script>
+description('Image elements should not be associated with forms in different trees');
+shouldBeUndefined('document.forms[0].myimage');
+</script>
+<script src=""
\ No newline at end of file
Added: branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt (0 => 207194)
--- branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt 2016-10-12 08:40:43 UTC (rev 207194)
@@ -0,0 +1,10 @@
+FormAssociatedElements should not be associated with forms in different trees (and should not crash)
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.forms[0].elements[0] is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse.html (0 => 207194)
--- branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/forms/input-disconnected-during-parse.html 2016-10-12 08:40:43 UTC (rev 207194)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<form>
+ <div>
+ <script>
+ var d = document.querySelector('div');
+ d.parentNode.removeChild(d);
+ </script>
+ <input>
+ </div>
+</form>
+<script src=""
+<script>
+description('FormAssociatedElements should not be associated with forms in different trees (and should not crash)');
+var unused = document.forms[0].elements.length;
+d = null;
+gc();
+shouldBeUndefined('document.forms[0].elements[0]');
+</script>
+<script src=""
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207193 => 207194)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-12 07:37:17 UTC (rev 207193)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-12 08:40:43 UTC (rev 207194)
@@ -1,3 +1,32 @@
+2016-10-11 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r203383. rdar://problem/28216264
+
+ 2016-07-18 Brent Fulgham <bfulg...@apple.com>
+
+ Don't associate form-associated elements with forms in other trees.
+ https://bugs.webkit.org/show_bug.cgi?id=119451
+ <rdar://problem/27382946>
+
+ Change is based on the Blink change (patch by <ad...@chromium.org>):
+ <https://chromium.googlesource.com/chromium/blink/+/0b33128be67e7845d495d5219614c02ccfe7a414>
+
+ Reviewed by Chris Dumez.
+
+ Prevent elements from being associated with forms that are not part of the same home subtree.
+ This brings us in line with the WhatWG HTML specification as of September, 2013.
+
+ Tests: fast/forms/image-disconnected-during-parse.html
+ fast/forms/input-disconnected-during-parse.html
+
+ * dom/Element.h:
+ (WebCore::Node::rootElement): Added.
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::insertedInto): If the element is associated with a form that
+ is not part of the same tree, remove the association.
+ * html/HTMLImageElement.cpp:
+ (WebCore::HTMLImageElement::insertedInto): Ditto.
+
2016-10-02 Babak Shafiei <bshaf...@apple.com>
Merge r205657. rdar://problem/28216268
Modified: branches/safari-602-branch/Source/WebCore/dom/Element.h (207193 => 207194)
--- branches/safari-602-branch/Source/WebCore/dom/Element.h 2016-10-12 07:37:17 UTC (rev 207193)
+++ branches/safari-602-branch/Source/WebCore/dom/Element.h 2016-10-12 08:40:43 UTC (rev 207194)
@@ -3,7 +3,7 @@
* (C) 1999 Antti Koivisto (koivi...@kde.org)
* (C) 2001 Peter Kelly (p...@post.com)
* (C) 2001 Dirk Mueller (muel...@kde.org)
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013, 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2016 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -147,6 +147,8 @@
// to the render layer and merge bindingsOffsetParent and offsetParent.
Element* bindingsOffsetParent();
+ const Element* rootElement() const;
+
Element* offsetParent();
double clientLeft();
double clientTop();
@@ -663,6 +665,17 @@
return is<Element>(parent) ? downcast<Element>(parent) : nullptr;
}
+inline const Element* Element::rootElement() const
+{
+ if (inDocument())
+ return document().documentElement();
+
+ const Element* highest = this;
+ while (highest->parentElement())
+ highest = highest->parentElement();
+ return highest;
+}
+
inline bool Element::hasAttributeWithoutSynchronization(const QualifiedName& name) const
{
ASSERT(fastAttributeLookupAllowed(name));
Modified: branches/safari-602-branch/Source/WebCore/html/FormAssociatedElement.cpp (207193 => 207194)
--- branches/safari-602-branch/Source/WebCore/html/FormAssociatedElement.cpp 2016-10-12 07:37:17 UTC (rev 207193)
+++ branches/safari-602-branch/Source/WebCore/html/FormAssociatedElement.cpp 2016-10-12 08:40:43 UTC (rev 207194)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll (kn...@kde.org)
* (C) 1999 Antti Koivisto (koivi...@kde.org)
* (C) 2001 Dirk Mueller (muel...@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov (a...@nypop.com)
*
* This library is free software; you can redistribute it and/or
@@ -75,6 +75,9 @@
m_formSetByParser = nullptr;
}
+ if (m_form && element.rootElement() != m_form->rootElement())
+ setForm(nullptr);
+
if (!insertionPoint.inDocument())
return;
Modified: branches/safari-602-branch/Source/WebCore/html/HTMLImageElement.cpp (207193 => 207194)
--- branches/safari-602-branch/Source/WebCore/html/HTMLImageElement.cpp 2016-10-12 07:37:17 UTC (rev 207193)
+++ branches/safari-602-branch/Source/WebCore/html/HTMLImageElement.cpp 2016-10-12 08:40:43 UTC (rev 207194)
@@ -38,6 +38,7 @@
#include "MIMETypeRegistry.h"
#include "MediaList.h"
#include "MediaQueryEvaluator.h"
+#include "NodeTraversal.h"
#include "Page.h"
#include "RenderImage.h"
#include "Settings.h"
@@ -307,6 +308,11 @@
m_form->registerImgElement(this);
}
+ if (m_form && rootElement() != m_form->rootElement()) {
+ m_form->removeImgElement(this);
+ m_form = nullptr;
+ }
+
if (!m_form) {
m_form = HTMLFormElement::findClosestFormAncestor(*this);
if (m_form)