Closed
Bug 266958
Opened 20 years ago
Closed 16 years ago
Invalid HTML causes mozilla to open different url than statusbar on new tab
Categories
(SeaMonkey :: UI Design, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: csthomas, Unassigned)
References
()
Details
Attachments
(1 file)
683 bytes,
application/xhtml+xml
|
Details |
Seamonkey version of bug 266932
Updated•20 years ago
|
Assignee: general → guifeatures
Component: Browser-General → XP Apps: GUI Features
QA Contact: general
Reporter | ||
Comment 1•20 years ago
|
||
The URL is set to the testcase (https://bugzilla.mozilla.org/attachment.cgi?id=164020&action=view). From bug 266932 comment 0: > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 > Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 > > As reported by Netcraft > (http://news.netcraft.com/archives/2004/10/29/new_url_spoofing_flaw_found_in_internet_explorer.html), > this bug which affects IE, also affects Firefox. > > The following 2 code samples cause firefox to display http://www.mozilla.org on > the statusbar but when you open the link in a new tab, it goes to google.com. > > 1) > <a href="http://www.mozilla.org"><table><tr><td><a > href="http://www.google.com/">http://www.mozilla.org</a></td></tr></table></a> > > 2) > > <a href="http://www.mozilla.org"><div><a > href="http://www.google.com/">http://www.mozilla.org</a></div></a> > > > > Reproducible: Always > Steps to Reproduce: > 1. Right click on sample url, then choose open in new tab. > 2. > 3. > > Actual Results: > Instead of going to mozilla.org as reported by the status bar, it goes to google.com > > Expected Results: > Firefox should go to mozilla.org or report google.com on the status bar
Flags: blocking1.8a5?
Flags: blocking1.7.x?
Comment 3•20 years ago
|
||
so which url _should_ we go to?
Comment 4•20 years ago
|
||
This one is interesting. Note that actually clicking the link goes to mozilla.org. Which is not surprising, since the same code handles both that and the status bar setting. The "right" thing to do is to not allow <a> within another <a>. If there's no way to fix that, then the "right" thing to do is to go to the inner link (and we have an existing bug on that).
Whiteboard: DUPEME
Comment 5•20 years ago
|
||
In the case of <a href=a><a href=b>foo</a></a> we (correctly) do not allow this nesting (i.e., the DOM is <a></a><a>foo</a>). However, the problem here is that we have to allow <a> to contain <div> (we have bunches of code dealing with this inline-contains-block quirk) which can then contain <a>. I don't think the DTD has the concept of not allowing a tag if its parent is in the current stack. Also, what *should* the content model look like if we don't allow this? The obvious choice to me seems dangerous: 1) <a><table><tr><td></td></tr></table></a> <table><tr><td><a>etc... 2) <a><div></div></a><div><a> ... what if the <div> has an id=? (also note that simply ignoring the nested <a> isn't a real solution) which would be something like we do for RS handling, but looks hard to implement with lots of chances to get things wrong... So unless I've missed something, this doesn't look like it can be fixed in the parser.
Comment 6•20 years ago
|
||
Sorry, I misspoke. We *do* do this sort of check for <a>, but don't actually act on it. I'm still not certain what we should do in this case... if the code worked the way I had expected when I looked at it earlier, we would drop the second <a> on the floor. Is this actually desired? I'll try to look at this on Monday, if nobody else wants to (I probably will not have time to look at it tomorrow).
Comment 7•20 years ago
|
||
This is all down to our screwy event model. Basically event processing for links works like this: a) the event beings capturing phase, and is sent up the DOM tree for processing. Capturing event listeners fire as the recursion unwinds. b) the event begins bubbling phase, and is sent up the DOM tree to fire bubbling events. c) once all the bubbling events have fired, the link processing phase fires as the recursion unwinds. This makes link processing behave somewhat like a capturing event listener in the system group, except that mouse enter and exit events don't have a system event phase. It looks as if areas have been specially hacked to get this right...
Depends on: 234455
Comment 8•20 years ago
|
||
OK, so by making the ESM and PresShell dispatch extra system events, and by calling HandleDOMEventForAnchors during the system bubbling phase, I was able to get the hover and click to apply to the google link.
Updated•20 years ago
|
Blocks: CVE-2005-4809
Updated•20 years ago
|
Flags: blocking1.8a5?
Flags: blocking1.8a5-
Flags: blocking1.7.x?
Flags: blocking1.7.x-
Updated•20 years ago
|
Product: Core → Mozilla Application Suite
Comment 9•19 years ago
|
||
WFM on Mozilla 1.8b2 nightly 2005041106
Reporter | ||
Comment 10•19 years ago
|
||
(In reply to comment #9) > WFM on Mozilla 1.8b2 nightly 2005041106 WFM 20050730
Comment 11•19 years ago
|
||
This particular problem ended up being fixed by the checkin for bug 90664. Note that it is still possible to trigger this with an XHTML page or by using DOM methods.
Comment 12•19 years ago
|
||
Bug 234455 fixed this also for XHTML
Updated•19 years ago
|
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 13•19 years ago
|
||
Oops, no. It is still there...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 14•19 years ago
|
||
I need to retest with a clean build, but this works in my development tree.
Comment 15•19 years ago
|
||
I think we should retest this after fixing bug 127903... Please do not resolve until then.
Depends on: 127903
Comment 16•19 years ago
|
||
This is still broken for me. The inner link is to google.com but I currently get: Loading in current window: mouseover: google.com in status bar mousedown: mozilla.org in status bar mouseup: mozilla.org loaded Loading in new window/tab: mouseover: google.com in status bar mousedown: mozilla.org in status bar mouseup: google.com loaded (Note: be careful you're putting the cursor directly over the text, or it may not be over the inner link, so everything showing mozilla.org is correct.) This bug is fixed by the current patch in bug 331959 (attachment 216626 [details] [diff] [review]).
Comment 17•18 years ago
|
||
This bug seems to be fixed. I tested with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20061210 SeaMonkey/1.5a and both links show google.com as target and visit Google when clicked.
Comment 18•16 years ago
|
||
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008040701 SeaMonkey/2.0a1pre WFM. I'm marking this RESOLVED. If you reopen, please mention: - User-Agent string from about: page, similar to the one at top of this comment - Clear and unambiguous "Steps to Reproduce" - Actual result - Expected result - Any useful additional info.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 16 years ago
Resolution: --- → WORKSFORME
Whiteboard: DUPEME
You need to log in
before you can comment on or make changes to this bug.
Description
•