Title: [115398] trunk
Revision
115398
Author
jp...@apple.com
Date
2012-04-26 19:35:47 -0700 (Thu, 26 Apr 2012)

Log Message

Invalid cast in WebCore::HTMLCollection::isAcceptableElement
https://bugs.webkit.org/show_bug.cgi?id=84626

Reviewed by Darin Adler.

Source/WebCore:

Check if the object is an HTMLElement before casting.

Test: fast/dom/htmlcollection-non-html.html

* html/HTMLCollection.cpp:
(WebCore::HTMLCollection::isAcceptableElement):

LayoutTests:

Add tests to make sure only HTML elements are present in most HTMLCollection objects.

* fast/dom/htmlcollection-non-html-option-expected.txt: Added.
* fast/dom/htmlcollection-non-html.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (115397 => 115398)


--- trunk/LayoutTests/ChangeLog	2012-04-27 02:17:03 UTC (rev 115397)
+++ trunk/LayoutTests/ChangeLog	2012-04-27 02:35:47 UTC (rev 115398)
@@ -1,3 +1,15 @@
+2012-04-26  Jeffrey Pfau  <jp...@apple.com>
+
+        Invalid cast in WebCore::HTMLCollection::isAcceptableElement
+        https://bugs.webkit.org/show_bug.cgi?id=84626
+
+        Reviewed by Darin Adler.
+
+        Add tests to make sure only HTML elements are present in most HTMLCollection objects.
+
+        * fast/dom/htmlcollection-non-html-option-expected.txt: Added.
+        * fast/dom/htmlcollection-non-html.html: Added.
+
 2012-04-26  Benjamin Poulain  <bpoul...@apple.com>
 
         Skip the new ObjC tests for WebKit2

Added: trunk/LayoutTests/fast/dom/htmlcollection-non-html-expected.txt (0 => 115398)


--- trunk/LayoutTests/fast/dom/htmlcollection-non-html-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/htmlcollection-non-html-expected.txt	2012-04-27 02:35:47 UTC (rev 115398)
@@ -0,0 +1,42 @@
+Tests that HTMLCollection only properly contains HTML elements
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS select.options.length is 0
+PASS select.selectedOptions.length is 0
+PASS select.options.length is 1
+PASS document.images.length is 0
+PASS document.images.length is 1
+PASS document.forms.length is 0
+PASS document.forms.length is 1
+PASS document.applets.length is 0
+PASS document.applets.length is 1
+PASS document.embeds.length is 0
+PASS document.embeds.length is 1
+PASS document.scripts.length is 3
+PASS document.scripts.length is 4
+PASS document.links.length is 0
+PASS document.links.length is 1
+PASS document.links.length is 0
+PASS document.links.length is 1
+PASS document.anchors.length is 0
+PASS document.anchors.length is 1
+PASS elem.areas.length is 0
+PASS elem.areas.length is 1
+PASS elem.rows.length is 0
+PASS elem.rows.length is 1
+PASS elem.tBodies.length is 0
+PASS elem.tBodies.length is 1
+PASS elem.cells.length is 0
+PASS elem.cells.length is 1
+PASS elem.rows.length is 0
+PASS elem.rows.length is 1
+PASS elem.rows.length is 0
+PASS elem.rows.length is 1
+PASS elem.rows.length is 0
+PASS elem.rows.length is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/htmlcollection-non-html.html (0 => 115398)


--- trunk/LayoutTests/fast/dom/htmlcollection-non-html.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/htmlcollection-non-html.html	2012-04-27 02:35:47 UTC (rev 115398)
@@ -0,0 +1,102 @@
+<html>
+<head>
+<script src=""
+<script>
+var elem;
+var ns = "http://not-html.test";
+
+function testDocumentProperty(attributeName, elementName, base) {
+  var elem;
+  if (typeof base == 'undefined')
+    base = 0;
+
+  elem = document.createElementNS(ns, elementName);
+  document.body.appendChild(elem);
+  shouldBe("document." + attributeName + ".length", base + "");
+  document.body.removeChild(elem);
+
+  elem = document.createElement(elementName);
+  document.body.appendChild(elem);
+  shouldBe("document." + attributeName + ".length", base + 1 + "");
+  document.body.removeChild(elem);
+}
+
+function testDocumentPropertyWithAttribute(attributeName, elementName, elementAttributeName, base) {
+  var elem;
+  if (typeof base == 'undefined')
+    base = 0;
+
+  elem = document.createElementNS(ns, elementName);
+  elem.setAttribute(elementAttributeName, "foo");
+  document.body.appendChild(elem);
+  shouldBe("document." + attributeName + ".length", base + "");
+  document.body.removeChild(elem);
+
+  elem = document.createElement(elementName);
+  elem.setAttribute(elementAttributeName, "foo");
+  document.body.appendChild(elem);
+  shouldBe("document." + attributeName + ".length", base + 1 + "");
+  document.body.removeChild(elem);
+}
+
+function testElementProperty(elementName, attributeName, subelementName, base) {
+  var subelem;
+  if (typeof base == 'undefined')
+    base = 0;
+
+  elem = document.createElement(elementName);
+  subelem = document.createElementNS(ns, subelementName);
+  elem.appendChild(subelem);
+  shouldBe("elem." + attributeName + ".length", base + "");
+  elem.removeChild(subelem);
+
+  subelem = document.createElement(subelementName);
+  elem.appendChild(subelem);
+  shouldBe("elem." + attributeName + ".length", base + 1 + "");
+  elem.removeChild(subelem);
+}
+
+function runTest() {
+  if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+  description('Tests that HTMLCollection only properly contains HTML elements');
+
+  var elem;
+  select = document.createElement("select");
+  elem = document.createElementNS(ns, "option");
+  select.appendChild(elem);
+  shouldBe("select.options.length", "0");
+  shouldBe("select.selectedOptions.length", "0");
+
+  elem = document.createElement("option");
+  select.appendChild(elem);
+  shouldBe("select.options.length", "1");
+
+  testDocumentProperty("images", "img");
+  testDocumentProperty("forms", "form");
+  testDocumentProperty("applets", "applet");
+  testDocumentProperty("embeds", "embed");
+
+  // Note that this is run before the final script element on this page is inserted
+  testDocumentProperty("scripts", "script", 3);
+
+  testDocumentPropertyWithAttribute("links", "a", "href");
+  testDocumentPropertyWithAttribute("links", "area", "href");
+  testDocumentPropertyWithAttribute("anchors", "a", "name");
+
+  testElementProperty("map", "areas", "area");
+  testElementProperty("table", "rows", "tr");
+  testElementProperty("table", "tBodies", "tbody");
+  testElementProperty("tr", "cells", "td");
+  testElementProperty("thead", "rows", "tr");
+  testElementProperty("tbody", "rows", "tr");
+  testElementProperty("tfoot", "rows", "tr");
+}
+</script>
+</head>
+<body>
+  <script>runTest();</script>
+  <script src=""
+</body>
+</html>
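Review bot: The test never exercises the two collection types the fix deliberately exempts (`DocAll` and `NodeChildren` in the HTMLCollection.cpp hunk), so a guard that filtered too much would still pass every assertion here. Presumably these back `document.all` and `children`. In testElementProperty, right after the namespaced `subelem` is appended, a check such as `shouldBe("elem.children.length", "1");` would pin that non-HTML elements are still returned where they should be. Separately, both ChangeLog entries name `htmlcollection-non-html-option-expected.txt`, while the expectation file added in this commit is `htmlcollection-non-html-expected.txt`.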

Modified: trunk/Source/WebCore/ChangeLog (115397 => 115398)


--- trunk/Source/WebCore/ChangeLog	2012-04-27 02:17:03 UTC (rev 115397)
+++ trunk/Source/WebCore/ChangeLog	2012-04-27 02:35:47 UTC (rev 115398)
@@ -1,3 +1,17 @@
+2012-04-26  Jeffrey Pfau  <jp...@apple.com>
+
+        Invalid cast in WebCore::HTMLCollection::isAcceptableElement
+        https://bugs.webkit.org/show_bug.cgi?id=84626
+
+        Reviewed by Darin Adler.
+
+        Check if the object is an HTMLElement before casting.
+
+        Test: fast/dom/htmlcollection-non-html.html
+
+        * html/HTMLCollection.cpp:
+        (WebCore::HTMLCollection::isAcceptableElement):
+
 2012-04-26  Dana Jansens  <dan...@chromium.org>
 
         [chromium] Some background filters require inflating damage on the surface behind them

Modified: trunk/Source/WebCore/html/HTMLCollection.cpp (115397 => 115398)


--- trunk/Source/WebCore/html/HTMLCollection.cpp	2012-04-27 02:17:03 UTC (rev 115397)
+++ trunk/Source/WebCore/html/HTMLCollection.cpp	2012-04-27 02:35:47 UTC (rev 115398)
@@ -100,6 +100,9 @@
 
 inline bool HTMLCollection::isAcceptableElement(Element* element) const
 {
+    if (!element->isHTMLElement() && !(m_type == DocAll || m_type == NodeChildren))
+        return false;
+
     switch (m_type) {
     case DocImages:
         return element->hasLocalName(imgTag);
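Review bot: The early return added at the top of isAcceptableElement is now the only thing keeping non-HTML elements away from the cases below, and nothing in the code records that dependency. The `hasLocalName(...)` tests appear to compare the local name only, so an element from another namespace with a matching name would otherwise reach whatever HTMLElement-derived casts the switch performs; those casts are outside this hunk. The second hunk strengthens the dependency by dropping the `isHTMLElement()` check from the `ItemProperties` case. A comment on the guard such as `// Only DocAll and NodeChildren may hold non-HTML elements; every case below relies on this before casting.` would stop a later edit from widening the exemption list unnoticed, and an `ASSERT(element->isHTMLElement());` beside each cast would catch it in debug builds.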
@@ -146,7 +149,7 @@
         return true;
 #if ENABLE(MICRODATA)
     case ItemProperties:
-        return element->isHTMLElement() && element->fastHasAttribute(itempropAttr);
+        return element->fastHasAttribute(itempropAttr);
 #endif
     case DocumentNamedItems:
     case OtherCollection: