Closed Bug 1194373 Opened 9 years ago Closed 9 years ago

ᴄꜱꜱ tags are rendered in ꜱᴠɢ even if a required feature of parent is not supported.

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: ytrezq, Unassigned)

Details

Attachments

(3 files)

file with requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script"
4.78 KB, image/svg+xml
Details
testcase 2 (seeing whether requiredFeatures works at all in other browsers)
521 bytes, image/svg+xml
Details
testcase 3 to see whether <style> inside of failing requiredFeatures test is honored
547 bytes, image/svg+xml
Details 
Using the attachment through an img tag strips html.

Whereas doing the with file below work :

<?xml version="1.0" ?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100%" height="1000px" onLoad="alert('hello world!')" preserveAspectRatio="none">
        <defs>
                <style type="text/css"><![CDATA[
                        svg
                        {
                                background-image: url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgb25Mb2FkPSJhbGVydCgnaGVsbG8gd29ybGQhJykiIHZpZXdCb3g9IjAgMCAxIDEiIHByZXNlcnZlQXNwZWN0UmF0aW89Im5vbmUiPgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KICA8bGluZWFyR3JhZGllbnQgaWQ9ImdyYWQtdWNnZy1nZW5lcmF0ZWQiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiB4MT0iMCUiIHkxPSIxMDAlIiB4Mj0iMTYlIiB5Mj0iMCUiPgogICAgPHN0b3Agb2Zmc2V0PSIwJSIgc3RvcC1jb2xvcj0iI2YwZjhmZiIgc3RvcC1vcGFjaXR5PSIxIi8+CiAgICA8c3RvcCBvZmZzZXQ9IjQlIiBzdG9wLWNvbG9yPSIjZmFmZGZmIiBzdG9wLW9wYWNpdHk9IjEiLz4KICAgIDxzdG9wIG9mZnNldD0iNyUiIHN0b3AtY29sb3I9IiNmZmZmZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIzNCUiIHN0b3AtY29sb3I9IiNmZmZmZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI0MCUiIHN0b3AtY29sb3I9IiNmMmY4ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI0NCUiIHN0b3AtY29sb3I9IiNlZGY2ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI1MCUiIHN0b3AtY29sb3I9IiNlMGYwZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI1NiUiIHN0b3AtY29sb3I9IiNkM2VhZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2MCUiIHN0b3AtY29sb3I9IiNjOWU1ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2NSUiIHN0b3AtY29sb3I9IiNiN2RjZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI2OSUiIHN0b3AtY29sb3I9IiNhZGQ3ZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI3MiUiIHN0b3AtY29sb3I9IiNhM2QyZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI4NyUiIHN0b3AtY29sb3I9IiM2ZGI0ZjIiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI5NiUiIHN0b3AtY29sb3I9IiMzMjljZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSI5OCUiIHN0b3AtY29sb3I9IiMxOTkwZmYiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjMDA4M2ZmIiBzdG9wLW9wYWNpdHk9IjEiLz4KICA8L2xpbmVhckdyYWRpZW50PgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KICA8cmVjdCB4PSIwIiB5PSIwIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIiBmaWxsPSJ1cmwoI2dyYWQtdWNnZy1nZW5lcmF0ZWQpIiAvPgogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48IVtDREFUQVsKICAgIGFsZXJ0KCJoZWxsbyB3b3JsZCEiKTsKICBdXT48L3NjcmlwdD4KPC9zdmc+Cg==); /* I put javascript in that image too, but nothing is happening. */
                        }
                ]]></style>
        </defs>
        <foreignObject width="100%" height="100%" opacity="1">
                <html xmlns="http://www.w3.org/1999/xhtml">
		<head>
		    <title>anti 404 error example</title>
		</head>
		<body>
		    <h1>Found !</h1>
		    <p>The requested URL /fghjkl was found on this server.</p>
		</body>
		</html>
		<iframe xmlns="http://www.w3.org/1999/xhtml" src="PCFkb2N0eXBlIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDx0aXRsZT5FeGFtcGxlIERvbWFpbjwvdGl0bGU+CgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiIC8+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSIgLz4KICAgIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBib2R5IHsKICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjZjBmMGYyOwogICAgICAgIG1hcmdpbjogMDsKICAgICAgICBwYWRkaW5nOiAwOwogICAgICAgIGZvbnQtZmFtaWx5OiAiT3BlbiBTYW5zIiwgIkhlbHZldGljYSBOZXVlIiwgSGVsdmV0aWNhLCBBcmlhbCwgc2Fucy1zZXJpZjsKICAgICAgICAKICAgIH0KICAgIGRpdiB7CiAgICAgICAgd2lkdGg6IDYwMHB4OwogICAgICAgIG1hcmdpbjogNWVtIGF1dG87CiAgICAgICAgcGFkZGluZzogNTBweDsKICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjZmZmOwogICAgICAgIGJvcmRlci1yYWRpdXM6IDFlbTsKICAgIH0KICAgIGE6bGluaywgYTp2aXNpdGVkIHsKICAgICAgICBjb2xvcjogIzM4NDg4ZjsKICAgICAgICB0ZXh0LWRlY29yYXRpb246IG5vbmU7CiAgICB9CiAgICBAbWVkaWEgKG1heC13aWR0aDogNzAwcHgpIHsKICAgICAgICBib2R5IHsKICAgICAgICAgICAgYmFja2dyb3VuZC1jb2xvcjogI2ZmZjsKICAgICAgICB9CiAgICAgICAgZGl2IHsKICAgICAgICAgICAgd2lkdGg6IGF1dG87CiAgICAgICAgICAgIG1hcmdpbjogMCBhdXRvOwogICAgICAgICAgICBib3JkZXItcmFkaXVzOiAwOwogICAgICAgICAgICBwYWRkaW5nOiAxZW07CiAgICAgICAgfQogICAgfQogICAgPC9zdHlsZT4gICAgCjwvaGVhZD4KCjxib2R5Pgo8ZGl2PgogICAgPGgxPkV4YW1wbGUgRG9tYWluPC9oMT4KICAgIDxwPlRoaXMgZG9tYWluIGlzIGVzdGFibGlzaGVkIHRvIGJlIHVzZWQgZm9yIGlsbHVzdHJhdGl2ZSBleGFtcGxlcyBpbiBkb2N1bWVudHMuIFlvdSBtYXkgdXNlIHRoaXMKICAgIGRvbWFpbiBpbiBleGFtcGxlcyB3aXRob3V0IHByaW9yIGNvb3JkaW5hdGlvbiBvciBhc2tpbmcgZm9yIHBlcm1pc3Npb24uPC9wPgogICAgPHA+PGEgaHJlZj0iaHR0cDovL3d3dy5pYW5hLm9yZy9kb21haW5zL2V4YW1wbGUiPk1vcmUgaW5mb3JtYXRpb24uLi48L2E+PC9wPgo8L2Rpdj4KPC9ib2R5Pgo8L2h0bWw+Cg=="></iframe>
	</foreignObject>
</svg>

I should be able to use html with that attribute and JavaScript should remains disabled.
OS: Unspecified → All
Hardware: Unspecified → All
Two things:
 (1) I think you're missing "data:text/html;base64," at the beginning of your iframe src attribute here. (in comment 0 and in the attachment)

 (2) What do you mean by "strips HTML"? Just that the iframe fails to load?  The rest of the HTML renders fine to me.
(Ah, sorry -- I see what you mean now about "strips HTML". I'd been testing the source in comment 0, and hadn't tried using the actual attached file as an image.)

I think things are working as-expected here. If you have a requiredFeatures attribute which requires script, then things inside of that tag will not render.

(It looks like we *do* render the SVG 'background' property. Not sure if that's a bug or not. But it's absolutely correct that we skip rendering its contents (including the HTML) when its requiredFeatures check fails.)

See https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/requiredFeatures
As for #SVG, that feature is currently marked as "Unsupported" internally:
  http://mxr.mozilla.org/mozilla-central/source/dom/svg/nsSVGFeaturesList.h#57

...so that requiredFeatures check fails, regardless of whether you're in an image. (unlike #Script, which only fails if you're in an image)

I'm not sure why that's marked as unsupported -- that likely just needs an update.
Component: General → SVG
Product: Firefox → Core
Yes and the point of mr(In reply to Daniel Holbert [:dholbert] from comment #2)
> 
> I think things are working as-expected here. If you have a requiredFeatures
> attribute which requires script, then things inside of that tag will not
> render.
> 
And my point is that putting requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" should only impact JavaScript, not other things like html.
In reply to Daniel Holbert [:dholbert] from comment #2)
> 
> I think things are working as-expected here. If you have a requiredFeatures
> attribute which requires script, then things inside of that tag will not
> render.
> 

And the point of that bug report is that putting requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" should only affect JavaScript, not other things like html.
(In reply to ytrezq from comment #4)
> And my point is that putting
> requiredFeatures="..." should only impact JavaScript, not other things like html.

I'm not sure why you think that. Did you look at the description of requiredFeatures on the MDN page I linked to in comment 2?  It says that if the attribute fails, "the current element and its children are skipped and thus will not be rendered".

In your attachment, the HTML stuff is all children of the element that has a failing requiredFeatures attribute. So, it's not rendered.
The spec text on this is http://www.w3.org/TR/SVG/struct.html#RequiredFeaturesAttribute

# If all of the given features are supported, then
# the attribute evaluates to true; otherwise, the
# current element and its children are skipped and
# thus will not be rendered.

The "otherwise" is what's happening here -- the children (including all the HTML descendants) are skipped & not rendered.
(In reply to Daniel Holbert [:dholbert] from comment #7)
> The spec text on this is
> http://www.w3.org/TR/SVG/struct.html#RequiredFeaturesAttribute
> 
> # If all of the given features are supported, then
> # the attribute evaluates to true; otherwise, the
> # current element and its children are skipped and
> # thus will not be rendered.
> 
> The "otherwise" is what's happening here -- the children (including all the
> HTML descendants) are skipped & not rendered.

Ok, it’s the behavior of Webkit or blink based browsers which confused me *(where HTML is rendered)*.
Gotcha.  Yeah, I just noticed Blink/WebKit seem to be less strict here -- they behave as if the requiredFeatures test passed.

I think that's because they simply don't honor requiredFeatures at all. (i.e. requiredFeatures seems to be useless in Blink/WebKit -- it doesn't seem to actually test for anything). Here's a testcase demonstrating this, using <switch>, which renders the first child without a failing requiredFeatures test.

In Firefox, this testcase renders like so:
> We correctly failed requiredFeatures test for #BogusFeature.

In Chrome, this testcase renders like so:
> Um... somehow we PASSED a requiredFeatures test for nonexistant #BogusFeature.
There's a proposal that for SVG 2 all features would return true. I'm not sure that makes sense for Script but it does seem to be what Chrome have implemented.
I don't really see much valid in this bug TBH.
(In reply to Robert Longson from comment #10)
> There's a proposal that for SVG 2 all features would return true. I'm not
> sure that makes sense for Script but it does seem to be what Chrome have
> implemented.

Ah, ok. That makes Chrome's behavior on my attached testcase with a bogus feature make more sense.  (They seem to be the only browser with this behavior; I tested Edge 0.11 and Safari 9.)

Anyway -- yeah, per comment 8 I think this bug report was just inspired by confusion from Firefox differing from Chrome on this. (and we're correct per SVG 1.1)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Resolution: FIXED → INVALID
Ok, then it’s definitely a bug if ᴄꜱꜱ is rendered in my example.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Summary: requiredFeatures="http://www.w3.org/TR/SVG11/feature#Script" or requiredFeatures="http://www.w3.org/TR/SVG11/feature#SVG" shouldn’t disable <foreignObject></foreignObject> for ꜱᴠɢ used as an image. → ᴄꜱꜱ tags are rendered in ꜱᴠɢ even if a required feature of parent is not supported.
I don't think so. (I was wondering about that in comment 2 -- but the spec says the children are not rendered, and <style> elements don't directly have anything to render. <style> impacts how *other* elements render, but it already doesn't have anything to render itself.)

Moreover, all browsers that usefully support requiredFeatures (Edge 0.11, Safari 9 (WebKit), Opera 12.16 [Presto], and Firefox) behave like we do in this respect.  So it's unlikely that we'd change away and switch to being un-interoperable with everyone else on this point -- and if the spec does require that we do that [which isn't clear to me], then it may be better that the spec should change.

Moreover, it seems like requiredFeatures may change soon anyway so that it'll always pass (per comment 10).

All of which I think makes this still INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago9 years ago
Resolution: --- → INVALID
For illustration purposes, here's a simple testcase with <style> inside of a failing requiredFeatures test. As noted above, all browsers which usefully support requiredFeatures behave interoperably on this & render it the same.

[Chrome renders it slightly differently than everyone else, in that it also renders the "BUT:" text because it spuriously passes the requiredFeatures test.]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: