123899 - document.body.innerHTML is broken

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P2)

Description

[Giscard Girard]

<body>
</body>
<script>alert(document.body.innerHTML)</script>

The following alerts "<script>alert(document.body.innerHTML)</script>"

<body>
</body>
<script>document.body.innerHTML="hello";</script>

The following would set the body content to "hellohello"

Comment 1

[Johnny Stenback (:jst)]

<script> is not allowed as an immediate child of of the <html> tag, so mozilla
cleans that up and puts the script element inside the body here. However, the
fact that document.body.innerHTML="hello" ends up duplicating the word "hello"
in the presentation is a valid bug. That also happens if you put the script
inside the body tag where it belongs.

Peter, wanto have a look at this? It seems like the content sink ends up
notifying layout about the text "hello" twice here so we end up creating two
text frames for it, the content model correctly contains only "hello", not
"hellohello". If you won't have time to look into this soon, hand it to harishd
or myself.

Comment 2

[Peter Van der Beken [:peterv]]

Attachment: Fix v1

This fixes the issue. We need to make sure the content sink updates its context
after script evaluation, since that might have added content and the document
already got notified about that content.

Comment 3

[Peter Van der Beken [:peterv]]

BTW, it's not clear from the patch but the added lines are in
HTMLContentSink::PostEvaluateScript.

Comment 4

[Johnny Stenback (:jst)]

Comment on attachment 73771 [details] [diff] [review]
Fix v1

Makes a lot of sense to me. I'm amazed that this hasn't shown up more
frequently though. Weird.

sr=jst

Comment 5

[Fabian Guisset]

Comment on attachment 73771 [details] [diff] [review]
Fix v1

r=fabian

Comment 6

[Peter Van der Beken [:peterv]]

Comment on attachment 73771 [details] [diff] [review]
Fix v1

This one is not good, now we're dropping some content because PreEvaluateScript
doesn't flush with notifications.

Comment 7

[Peter Van der Beken [:peterv]]

Attachment: Fix v2

This one uses FlushPendingNotifications in PreEvaluateScript. All the missing
content that I saw seem to have been solved, and the double content is also
solved. Running pageloader (over a slow modem) gives
With patch: 6507, 1442, 26395, 6714
Without patch: 6551, 1488, 20607, 6635

Looking for reviews again.

Comment 8

[Johnny Stenback (:jst)]

Comment on attachment 74520 [details] [diff] [review]
Fix v2

sr=jst

Comment 9

[Fabian Guisset]

Comment on attachment 74520 [details] [diff] [review]
Fix v2

r=fabian

Comment 10

[Asa Dotzler [:asa]]

Comment on attachment 74520 [details] [diff] [review]
Fix v2

a=asa (on behalf of drivers) for checkin to the 1.0 trunk

Comment 11

[Peter Van der Beken [:peterv]]

Checked in.

Comment 12

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

It looks like this improved page load times on btek by about 20-25 ms. :-)

Comment 13

[John Morrison]

Reopening. Unfortunately, this broke a common usage of javascript on the web:

  <script>
      document.write('<img src="url_for_some_image">');
  </script>

It also breaks the case where multiple images are written into the page. What 
happens is that the last image written is not show on screen. I'll attach a 
short testcase in a moment. I've verified that it is this checkin that is the 
cause by backing out and reapplying the checking in my tree (win2k; 03/21 6pm 
pull).

nsbeta1, mozilla1.0 for fixing the regression.

Hate to see the perf gain go away (although possibly it was an illusory gain,
since if content is now missing from certain pages, then it's not a valid test.
I happened to notice this while running the pageload test and saw a few pages 
that I knew were missing content, most notably the moviefone.com page).

Comment 14

[John Morrison]

Attachment: simple testcase for the document.write() of an IMG into a document.

Comment 15

[Peter Van der Beken [:peterv]]

John, we already have bug 132673 for that problem. I was afraid the performance
win was bogus. I tried to verify that no content was missing (especially after
the previous patch did just that), but I didn't notice any. I hope we can fix
both problems (.innerHTML and document.write), so I'll close this one and use
bug 132673 for now. If there is no solution I'll back out and reopen this one.

Comment 16

[Sivakiran Tummala]

document.body.innerHTML works fine for me. However the testcase john provided
does not work. I will refer to bug 132673 for this problem. If everyone agrees i
will close this bug. 

Comment 17

[Sivakiran Tummala]

Attachment: testcase for innerHTML

Comment 18

[John Morrison]

Sorry for missing bug 132673 before I reopened this one. Yes, leave this bug 
to address the original innerHtml issue, and bug 132673 to address the 
fallout document.write issue. I wouldn't "close" this bug, as peterv noted, 
since if there isn't a fix for 132673, then a new fix will be needed for this
bug.

Comment 19

[Peter Van der Beken [:peterv]]

Reopening this, I'm backing out the patch. document.write is used way more often
and I don't want to leave it broken any longer.

Comment 20

[Peter Van der Beken [:peterv]]

Patch backed out, Tp times went up a little as expected. I probably won't be
able to fix this for 1.0.

Comment 21

[Asa Dotzler [:asa]]

Comment on attachment 74520 [details] [diff] [review]
Fix v2

removing approval so this doesn't look like a patch waiting to land.

Comment 22

[Heikki Toivonen (remove -bugzilla when emailing directly)]

nsbeta1-

Before you renominate, please query bugs marked nsbeta1+ keyword with [ADT# RTM]
in status whiteboard (where # is a number between 1 and 3) and make sure that
this bug is at least as important as those.

Comment 23

[José Jeria]

Attachment: Minimized testcase

Comment 24

[José Jeria]

WFM 2002121608, Windows 2000.

Comment 25

[Markus Hübner]

wfm trunk build 2002121908 on winxp pro sp1