Closed Bug 99467 Opened 23 years ago Closed 21 years ago

[quirks]options of <a>-tag inside textarea are stripped (compare to source)

Categories

(Core :: DOM: HTML Parser, defect, P3)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4alpha

People

(Reporter: lucifer, Assigned: harishd)

References

(
URL
)

Details

(Keywords: compat, dataloss, testcase)

Attachments

(2 files, 2 obsolete files)

testcase
380 bytes, text/html
Details
Patch v1.2 [ addresses heikki's and jst's concerns ]
10.09 KB, patch
harishd
: review+
harishd
: superreview+
asa
: approval1.4+
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.3) Gecko/20010801
BuildID:    2001080110

The <a>-tag inside the <textarea> shouldn't be modified by Mozilla.
In mozilla, it shows "<a> ... </a>" when viewing the form, but when
viewing the HTML source, the <a>-tag in fact has a "name" and "target" parameter.

Reproducible: Always
Steps to Reproduce:
1. surf to the page :)
2. scroll down in the textarea
3. compare to source

Actual Results:  mozilla messed up the <a>-tag.

Expected Results:  leave the text between <textarea> and </textarea> alone.

the bug doesn't seem to occur when one just creates a simple form with a
textarea and an <a>-tag inside it.
You _do_ know that you should escape "<" as "&lt;" to prevent just this from
happening, right?

Over to parser; at a guess that's where the issue is....
Seeing this on linux build 2001-09-07-12 as well.
Assignee: rods → harishd
Status: UNCONFIRMED → NEW
Component: HTML Form Controls → Parser
Ever confirmed: true
OS: Windows 98 → All
QA Contact: madhur → bsharma
Attached file testcase 

    
    

    
  
The problem is that <a> tag gets parsed before the javascript creates the
<textarea tag.  I'm not sure what should happen.
Note:  Teplacing the < with a &lt; causes the textarea tag to show up as text -
the javascript gets the text verbatim, it is the HTML parser that expands the
entities.  I think that this is correct.
Keywords: testcase

    
    

    
  
David, I meant escaping the "<" in "<a" as "&lt;".  With that change the dynamic
textarea write works too.

    
    

    
  
well IMHO the tag should either be converted into a link or left alone,
not changed into <a>. IE4 and NN4.7 show the full <a href=...> tag in
the textarea.

ofcourse, escaping < and > is best :) i couldn't find on www.w3c.org if tags 
inside a textarea are allowed or not in the first place..

    
    

    
  
> i couldn't find on www.w3c.org if tags inside a textarea are allowed or not in
> the first place

They are not.  If the <textarea> is just a tag in the html, we render it as NS4
and IE do.  It's only with dynamically written textareas, as David pointed out,
that the parser gets confused.

    
  
QA Contact: bsharma → moied

    
    

    
  
Seems like the < should be escaped...marking quirks.
Summary: options of <a>-tag inside textarea are stripped (compare to source) → [quirks]options of <a>-tag inside textarea are stripped (compare to source)

    
  
Status: NEW → ASSIGNED
Priority: -- → P3
Target Milestone: --- → mozilla0.9.7
Keywords: compat

    
    

    
  
Not a critical issue. Moving to 0.9.9
Target Milestone: mozilla0.9.7 → mozilla0.9.9

    
  
Target Milestone: mozilla0.9.9 → mozilla1.0

    
    

    
  
Mass moving bugs to 1.1
Target Milestone: mozilla1.0 → mozilla1.1

    
    

    
  
*** Bug 133518 has been marked as a duplicate of this bug. ***

    
    

    
  
I was wrong.  Bug 133518 has a testcase with a static textarea that shows this
problem.

    
    

    
  
*** Bug 156432 has been marked as a duplicate of this bug. ***

    
    

    
  
[was 1.1alpha]
Target Milestone: mozilla1.1alpha → Future

    
    

    
  
blogger.com is a fairly major site that is affected by this bug (see bug
156432). I'd like to suggest that this be reconsidered.  Nominating for next
Netscape release.
Keywords: nsbeta1

    
    

    
  
I think this needs to be fixed for 1.1.  This bug makes blogger unusable. 
Actually it's even worse than that, since it mangles your blogger template,
which results in data loss.  I have spent hours recovering my blogger templates
because of this bug.

Keywords: dataloss

    
  
Keywords: dataloss
Keywords: dataloss
Keywords: nsbeta1nsbeta1+
Target Milestone: Future → mozilla1.2beta

    
  
Target Milestone: mozilla1.2beta → mozilla1.3alpha

    
    

    
  
For static textareas, Phil Ringnalda has worked out that it is unescaped
|</noscript>|s inside textareas which are causing the bug. (See bug 157800
comment 10)

    
    

    
  
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity.  Only changing open bugs to
minimize unnecessary spam.  Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.
Severity: normal → critical

    
    

    
  
*** Bug 192968 has been marked as a duplicate of this bug. ***

    
  
Target Milestone: mozilla1.3alpha → mozilla1.4alpha

    
    

    
  
*** Bug 195272 has been marked as a duplicate of this bug. ***

    
    

    
  
Did a little bit of investigation ( in fact have a "fix" in hand for this bug )
and found out that the duplicate bugs aren't exactly the same bug. The duplicate
bugs are caused by </noscript> inside textarea while this bug is caused by
document.written <textarea>.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1.0 (obsolete)
        — Splinter Review
      

    


  
Making sure to stop preserving content once the target tag's ( that initiated
the content preserving ) matching end tag is encountered. Also, passing this
information to tokenizers that are on the stack. This should fix this bug and
its duplicates.

Note: I haven't run the parser regression test or walked through the top 100
sites yet.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1.1 (obsolete)
        — Splinter Review
      

    


  
This patch in addition to fixing this bug and its duplicates also fixes a
completely document.written textarea. That is, it fixes samples like:

<script language="JavaScript">
  document.write('<textarea rows="1", cols="80">')
  document.write('<font style="green"> Mozilla	  </font>');
  document.write('</textarea>');
</script>

Note: Patch v1.0 and v1.1 passed parser regression test.

        Attachment #123926 -
        Attachment is obsolete: true

    
  

        Attachment #123987 -
        Flags: superreview?(jst)

        Attachment #123987 -
        Flags: review?(heikki)

    
    

    
  
Comment on attachment 123987 [details] [diff] [review]
Patch v1.1

>Index: htmlparser/public/nsITokenizer.h
>===================================================================
>Index: htmlparser/src/CParserContext.cpp
>===================================================================
>+      // Propagate tokenizer state so that information is presereved

Typo, should be |preserved|.

>Index: htmlparser/src/nsExpatDriver.cpp
>===================================================================
>Index: htmlparser/src/nsHTMLTokenizer.cpp
>===================================================================
>+     nsHTMLTokenizer* rhsTokenizer = NS_STATIC_CAST(nsHTMLTokenizer*, aTokenizer);
>+     mPreserveTarget = rhsTokenizer->mPreserveTarget;

You could get rid of the temporary.

>Index: htmlparser/src/nsHTMLTokenizer.h
>===================================================================
>+  PRInt32            mFlags;

Make it unsigned.

>Index: htmlparser/src/nsParser.cpp
>===================================================================
>+    mParserContext=  oldContext->mPrevContext;

Add space before =.

Basically just syntax review so far.

I'll talk to you in person figure out why this really fixes things. Should also
run visual check on top100 and do page load tests.

    
    

    
  
Comment on attachment 123987 [details] [diff] [review]
Patch v1.1

What heikki said, and:

- In nsITokenizer.h:

+  NS_IMETHOD			  CopyStates(nsITokenizer* aTokenizer) = 0;

Don't you want to call this CopyState() and not CopyStates()? Singular sounds
more natural here.

sr=jst

        Attachment #123987 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Comment on attachment 123987 [details] [diff] [review]
Patch v1.1

r=heikki after talking this through with harishd.

Land this on trunk first, and if everything goes well and we don't see
regressions in a few days seek permissions to land it on the 1.4 branch.

        Attachment #123987 -
        Flags: review?(heikki) → review+

    
    

    
  


  
Note: Walked through top 50 sites and they looked ok.

        Attachment #123987 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 124366 [details] [diff] [review]
Patch v1.2 [ addresses heikki's and jst's concerns ]

Carrying forward r/sr=.

        Attachment #124366 -
        Flags: superreview+

        Attachment #124366 -
        Flags: review+

    
    

    
  
Fix landed.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
  

        Attachment #124366 -
        Flags: approval1.4?

    
    

    
  
Comment on attachment 124366 [details] [diff] [review]
Patch v1.2 [ addresses heikki's and jst's concerns ]

a=asa (on behalf of drivers) for checkin to the  1.4 branch.

        Attachment #124366 -
        Flags: approval1.4? → approval1.4+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: