If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

ᴄꜱꜱ tags are rendered in ꜱᴠɢ even if a required feature of parent is not supported.

RESOLVED INVALID

Status

()

Core
SVG
RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: ytrezq, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

2 years ago
Created attachment 8647639 [details]
file with requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script"

Using the attachment through an img tag strips html.

Whereas doing the with file below work :

<?xml version="1.0" ?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100%" height="1000px" onLoad="alert('hello world!')" preserveAspectRatio="none">
        <defs>
                <style type="text/css"><![CDATA[
                        svg
                        {
                                background-image: url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgb25Mb2FkPSJhbGVydCgnaGVsbG8gd29ybGQhJykiIHZpZXdCb3g9IjAgMCAxIDEiIHByZXNlcnZlQXNwZWN0UmF0aW89Im5vbmUiPgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KICA8bGluZWFyR3JhZGllbnQgaWQ9ImdyYWQtdWNnZy1nZW5lcmF0ZWQiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiB4MT0iMCUiIHkxPSIxMDAlIiB4Mj0iMTYlIiB5Mj0iMCUiPgogICAgPHN0b3Agb2Zmc2V0PSIwJSIgc3RvcC1jb2xvcj0iI2YwZjhmZiIgc3RvcC1vcGFjaXR5PSIxIi8+CiAgICA8c3RvcCBvZmZzZXQ9IjQlIiBzdG9wLWNvbG9yPSIjZmFmZGZmIiBzdG9wLW9wYWNpdHk9IjEiLz4KICAgIDxzdG9wIG9mZnNldD0iNyUiIHN0b3AtY29sb3I9IiNmZmZmZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIzNCUiIHN0b3AtY29sb3I9IiNmZmZmZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI0MCUiIHN0b3AtY29sb3I9IiNmMmY4ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI0NCUiIHN0b3AtY29sb3I9IiNlZGY2ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI1MCUiIHN0b3AtY29sb3I9IiNlMGYwZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI1NiUiIHN0b3AtY29sb3I9IiNkM2VhZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2MCUiIHN0b3AtY29sb3I9IiNjOWU1ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2NSUiIHN0b3AtY29sb3I9IiNiN2RjZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2OSUiIHN0b3AtY29sb3I9IiNhZGQ3ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI3MiUiIHN0b3AtY29sb3I9IiNhM2QyZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI4NyUiIHN0b3AtY29sb3I9IiM2ZGI0ZjIiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI5NiUiIHN0b3AtY29sb3I9IiMzMjljZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI5OCUiIHN0b3AtY29sb3I9IiMxOTkwZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjMDA4M2ZmIiBzdG9wLW9wYWNpdHk9IjEiLz4KICA8L2xpbmVhckdyYWRpZW50PgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KICA8cmVjdCB4PSIwIiB5PSIwIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIiBmaWxsPSJ1cmwoI2dyYWQtdWNnZy1nZW5lcmF0ZWQpIiAvPgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KPC9zdmc+Cg==); /* I put javascript in that image too, but nothing is happening. */
                        }
                ]]></style>
        </defs>
        <foreignObject width="100%" height="100%" opacity="1">
                <html xmlns="http://www.w3.org/1999/xhtml">
		<head>
		    <title>anti 404 error example</title>
		</head>
		<body>
		    <h1>Found !</h1>
		    <p>The requested URL /fghjkl was found on this server.</p>
		</body>
		</html>
		<iframe xmlns="http://www.w3.org/1999/xhtml" src="PCFkb2N0eXBlIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDx0aXRsZT5FeGFtcGxlIERvbWFpbjwvdGl0bGU+CgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiIC8+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSIgLz4KICAgIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBib2R5IHsKICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjZjBmMGYyOwogICAgICAgIG1hcmdpbjogMDsKICAgICAgICBwYWRkaW5nOiAwOwogICAgICAgIGZvbnQtZmFtaWx5OiAiT3BlbiBTYW5zIiwgIkhlbHZldGljYSBOZXVlIiwgSGVsdmV0aWNhLCBBcmlhbCwgc2Fucy1zZXJpZjsKICAgICAgICAKICAgIH0KICAgIGRpdiB7CiAgICAgICAgd2lkdGg6IDYwMHB4OwogICAgICAgIG1hcmdpbjogNWVtIGF1dG87CiAgICAgICAgcGFkZGluZzogNTBweDsKICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjZmZmOwogICAgICAgIGJvcmRlci1yYWRpdXM6IDFlbTsKICAgIH0KICAgIGE6bGluaywgYTp2aXNpdGVkIHsKICAgICAgICBjb2xvcjogIzM4NDg4ZjsKICAgICAgICB0ZXh0LWRlY29yYXRpb246IG5vbmU7CiAgICB9CiAgICBAbWVkaWEgKG1heC13aWR0aDogNzAwcHgpIHsKICAgICAgICBib2R5IHsKICAgICAgICAgICAgYmFja2dyb3VuZC1jb2xvcjogI2ZmZjsKICAgICAgICB9CiAgICAgICAgZGl2IHsKICAgICAgICAgICAgd2lkdGg6IGF1dG87CiAgICAgICAgICAgIG1hcmdpbjogMCBhdXRvOwogICAgICAgICAgICBib3JkZXItcmFkaXVzOiAwOwogICAgICAgICAgICBwYWRkaW5nOiAxZW07CiAgICAgICAgfQogICAgfQogICAgPC9zdHlsZT4gICAgCjwvaGVhZD4KCjxib2R5Pgo8ZGl2PgogICAgPGgxPkV4YW1wbGUgRG9tYWluPC9oMT4KICAgIDxwPlRoaXMgZG9tYWluIGlzIGVzdGFibGlzaGVkIHRvIGJlIHVzZWQgZm9yIGlsbHVzdHJhdGl2ZSBleGFtcGxlcyBpbiBkb2N1bWVudHMuIFlvdSBtYXkgdXNlIHRoaXMKICAgIGRvbWFpbiBpbiBleGFtcGxlcyB3aXRob3V0IHByaW9yIGNvb3JkaW5hdGlvbiBvciBhc2tpbmcgZm9yIHBlcm1pc3Npb24uPC9wPgogICAgPHA+PGEgaHJlZj0iaHR0cDovL3d3dy5pYW5hLm9yZy9kb21haW5zL2V4YW1wbGUiPk1vcmUgaW5mb3JtYXRpb24uLi48L2E+PC9wPgo8L2Rpdj4KPC9ib2R5Pgo8L2h0bWw+Cg=="></iframe>
	</foreignObject>
</svg>

I should be able to use html with that attribute and JavaScript should remains disabled.
(Reporter)

Updated

2 years ago
OS: Unspecified → All
Hardware: Unspecified → All
Two things:
 (1) I think you're missing "data:text/html;base64," at the beginning of your iframe src attribute here. (in comment 0 and in the attachment)

 (2) What do you mean by "strips HTML"? Just that the iframe fails to load?  The rest of the HTML renders fine to me.
(Ah, sorry -- I see what you mean now about "strips HTML". I'd been testing the source in comment 0, and hadn't tried using the actual attached file as an image.)

I think things are working as-expected here. If you have a requiredFeatures attribute which requires script, then things inside of that tag will not render.

(It looks like we *do* render the SVG 'background' property. Not sure if that's a bug or not. But it's absolutely correct that we skip rendering its contents (including the HTML) when its requiredFeatures check fails.)

See https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/requiredFeatures
As for #SVG, that feature is currently marked as "Unsupported" internally:
  http://mxr.mozilla.org/mozilla-central/source/dom/svg/nsSVGFeaturesList.h#57

...so that requiredFeatures check fails, regardless of whether you're in an image. (unlike #Script, which only fails if you're in an image)

I'm not sure why that's marked as unsupported -- that likely just needs an update.
Component: General → SVG
Product: Firefox → Core
(Reporter)

Comment 4

2 years ago
Yes and the point of mr(In reply to Daniel Holbert [:dholbert] from comment #2)
> 
> I think things are working as-expected here. If you have a requiredFeatures
> attribute which requires script, then things inside of that tag will not
> render.
> 
And my point is that putting requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" should only impact JavaScript, not other things like html.
(Reporter)

Comment 5

2 years ago
In reply to Daniel Holbert [:dholbert] from comment #2)
> 
> I think things are working as-expected here. If you have a requiredFeatures
> attribute which requires script, then things inside of that tag will not
> render.
> 

And the point of that bug report is that putting requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" should only affect JavaScript, not other things like html.
(In reply to ytrezq from comment #4)
> And my point is that putting
> requiredFeatures="..." should only impact JavaScript, not other things like html.

I'm not sure why you think that. Did you look at the description of requiredFeatures on the MDN page I linked to in comment 2?  It says that if the attribute fails, "the current element and its children are skipped and thus will not be rendered".

In your attachment, the HTML stuff is all children of the element that has a failing requiredFeatures attribute. So, it's not rendered.
The spec text on this is http://www.w3.org/TR/SVG/struct.html#RequiredFeaturesAttribute

# If all of the given features are supported, then
# the attribute evaluates to true; otherwise, the
# current element and its children are skipped and
# thus will not be rendered.

The "otherwise" is what's happening here -- the children (including all the HTML descendants) are skipped & not rendered.
(Reporter)

Comment 8

2 years ago
(In reply to Daniel Holbert [:dholbert] from comment #7)
> The spec text on this is
> http://www.w3.org/TR/SVG/struct.html#RequiredFeaturesAttribute
> 
> # If all of the given features are supported, then
> # the attribute evaluates to true; otherwise, the
> # current element and its children are skipped and
> # thus will not be rendered.
> 
> The "otherwise" is what's happening here -- the children (including all the
> HTML descendants) are skipped & not rendered.

Ok, it’s the behavior of Webkit or blink based browsers which confused me *(where HTML is rendered)*.
Created attachment 8647674 [details]
testcase 2 (seeing whether requiredFeatures works at all in other browsers)

Gotcha.  Yeah, I just noticed Blink/WebKit seem to be less strict here -- they behave as if the requiredFeatures test passed.

I think that's because they simply don't honor requiredFeatures at all. (i.e. requiredFeatures seems to be useless in Blink/WebKit -- it doesn't seem to actually test for anything). Here's a testcase demonstrating this, using <switch>, which renders the first child without a failing requiredFeatures test.

In Firefox, this testcase renders like so:
> We correctly failed requiredFeatures test for #BogusFeature.

In Chrome, this testcase renders like so:
> Um... somehow we PASSED a requiredFeatures test for nonexistant #BogusFeature.

Comment 10

2 years ago
There's a proposal that for SVG 2 all features would return true. I'm not sure that makes sense for Script but it does seem to be what Chrome have implemented.

Comment 11

2 years ago
I don't really see much valid in this bug TBH.
(In reply to Robert Longson from comment #10)
> There's a proposal that for SVG 2 all features would return true. I'm not
> sure that makes sense for Script but it does seem to be what Chrome have
> implemented.

Ah, ok. That makes Chrome's behavior on my attached testcase with a bogus feature make more sense.  (They seem to be the only browser with this behavior; I tested Edge 0.11 and Safari 9.)

Anyway -- yeah, per comment 8 I think this bug report was just inspired by confusion from Firefox differing from Chrome on this. (and we're correct per SVG 1.1)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Resolution: FIXED → INVALID
(Reporter)

Comment 13

2 years ago
Ok, then it’s definitely a bug if ᴄꜱꜱ is rendered in my example.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Summary: requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" shouldn’t disable <foreignObject></foreignObject> for ꜱᴠɢ used as an image. → ᴄꜱꜱ tags are rendered in ꜱᴠɢ even if a required feature of parent is not supported.
I don't think so. (I was wondering about that in comment 2 -- but the spec says the children are not rendered, and <style> elements don't directly have anything to render. <style> impacts how *other* elements render, but it already doesn't have anything to render itself.)

Moreover, all browsers that usefully support requiredFeatures (Edge 0.11, Safari 9 (WebKit), Opera 12.16 [Presto], and Firefox) behave like we do in this respect.  So it's unlikely that we'd change away and switch to being un-interoperable with everyone else on this point -- and if the spec does require that we do that [which isn't clear to me], then it may be better that the spec should change.

Moreover, it seems like requiredFeatures may change soon anyway so that it'll always pass (per comment 10).

All of which I think makes this still INVALID.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago2 years ago
Resolution: --- → INVALID
Created attachment 8647719 [details]
testcase 3 to see whether <style> inside of failing requiredFeatures test is honored

For illustration purposes, here's a simple testcase with <style> inside of a failing requiredFeatures test. As noted above, all browsers which usefully support requiredFeatures behave interoperably on this & render it the same.

[Chrome renders it slightly differently than everyone else, in that it also renders the "BUT:" text because it spuriously passes the requiredFeatures test.]
You need to log in before you can comment on or make changes to this bug.