Title: [104275] trunk
Revision
104275
Author
[email protected]
Date
2012-01-06 00:47:18 -0800 (Fri, 06 Jan 2012)

Log Message

Fix a crash by importing an element of which local name ends with ":input".
https://bugs.webkit.org/show_bug.cgi?id=75103

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: fast/dom/importNode-confusing-localName.html

* dom/Document.cpp:
(WebCore::Document::importNode): Pass QualifiedName of the source element
to createElement() in order to avoid unnecessary serialization and
parsing of the qualified name.

LayoutTests:

* fast/dom/importNode-confusing-localName-expected.txt: Added.
* fast/dom/importNode-confusing-localName.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (104274 => 104275)


--- trunk/LayoutTests/ChangeLog	2012-01-06 08:33:24 UTC (rev 104274)
+++ trunk/LayoutTests/ChangeLog	2012-01-06 08:47:18 UTC (rev 104275)
@@ -1,3 +1,13 @@
+2012-01-05  Kent Tamura  <[email protected]>
+
+        Fix a crash by importing an element of which local name ends with ":input".
+        https://bugs.webkit.org/show_bug.cgi?id=75103
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/importNode-confusing-localName-expected.txt: Added.
+        * fast/dom/importNode-confusing-localName.html: Added.
+
 2012-01-05  Gavin Barraclough  <[email protected]>
 
         Date constructor handles infinite values incorrectly.

Added: trunk/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt (0 => 104275)


--- trunk/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt	2012-01-06 08:47:18 UTC (rev 104275)
@@ -0,0 +1,5 @@
+PASS imported.constructor is source.constructor
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
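Review bot: the expectation file only records `imported.constructor is source.constructor`; because the bug is the imported element coming back as a different element type than the source, it would be more robust for the test to also compare `imported.localName`, `imported.prefix` and `imported.namespaceURI` against `source`'s, so the expected output documents exactly which parts of the qualified name must round-trip through importNode.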
Property changes on: trunk/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/fast/dom/importNode-confusing-localName.html (0 => 104275)


--- trunk/LayoutTests/fast/dom/importNode-confusing-localName.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/importNode-confusing-localName.html	2012-01-06 08:47:18 UTC (rev 104275)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<xht:input id="test"></xht:input>
+<script>
+var source = document.getElementById('test');
+var imported = document.importNode(source, true);
+shouldBe('imported.constructor', 'source.constructor');
+</script>
+<script src=""
+</body>
+</html>
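Review bot: the two `<script src=""` lines (the js-test harness includes) have an empty `src` and no closing `>` as shown, so `shouldBe` would be undefined when the page runs; if this is extraction damage in the listing nothing needs doing, otherwise restore the complete include tags. A short comment above `<xht:input id="test">` would also help future readers: in an HTML document the parser does not split the tag name at the colon, so this element has the local name `xht:input` and no prefix, which is precisely the confusing case the change title describes.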
Property changes on: trunk/LayoutTests/fast/dom/importNode-confusing-localName.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (104274 => 104275)


--- trunk/Source/WebCore/ChangeLog	2012-01-06 08:33:24 UTC (rev 104274)
+++ trunk/Source/WebCore/ChangeLog	2012-01-06 08:47:18 UTC (rev 104275)
@@ -1,3 +1,17 @@
+2012-01-05  Kent Tamura  <[email protected]>
+
+        Fix a crash by importing an element of which local name ends with ":input".
+        https://bugs.webkit.org/show_bug.cgi?id=75103
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: fast/dom/importNode-confusing-localName.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::importNode): Pass QualifiedName of the source elemnt
+        to createElement() in order to avoid unnecessary serialization and
+        parsing of the qualified name
+
 2012-01-06  Alexis Menard  <[email protected]>
 
         Move HTMLFormControlElementWithState class in its own header file.
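Review bot: typo in the new ChangeLog entry: `elemnt` should be `element` on the `(WebCore::Document::importNode)` line, and the sentence should end with a period. It would also be worth stating why the string round-trip is incorrect rather than merely wasteful: a local name containing `:` is re-split by createElementNS into a prefix and a local name, which is what the `<xht:input>` element in the new test triggers.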

Modified: trunk/Source/WebCore/dom/Document.cpp (104274 => 104275)


--- trunk/Source/WebCore/dom/Document.cpp	2012-01-06 08:33:24 UTC (rev 104274)
+++ trunk/Source/WebCore/dom/Document.cpp	2012-01-06 08:47:18 UTC (rev 104275)
@@ -835,8 +835,13 @@
         return createComment(importedNode->nodeValue());
     case ELEMENT_NODE: {
         Element* oldElement = static_cast<Element*>(importedNode);
-        RefPtr<Element> newElement = createElementNS(oldElement->namespaceURI(), oldElement->tagQName().toString(), ec);
-                    
+        // FIXME: The following check might be unnecessary. Is it possible that
+        // oldElement has mismatched prefix/namespace?
+        if (hasPrefixNamespaceMismatch(oldElement->tagQName())) {
+            ec = NAMESPACE_ERR;
+            return 0;
+        }
+        RefPtr<Element> newElement = createElement(oldElement->tagQName(), ec);
         if (ec)
             return 0;
 
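Review bot: the FIXME asks whether `hasPrefixNamespaceMismatch(oldElement->tagQName())` can ever be true; since `createElement(oldElement->tagQName(), ec)` replaces the `createElementNS` call that previously performed the name validation, keeping the check preserves the NAMESPACE_ERR result for callers, so I would keep it and reword the comment to say that instead of posing it as a question. A second comment explaining why the QualifiedName is passed directly would also help: serializing `tagQName()` with `toString()` and re-parsing it splits a local name such as `xht:input` at the colon, so the new element could be created as a different type from the source element (the `constructor` comparison in the added test covers this).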