Closed Bug 14986 Opened 25 years ago Closed 25 years ago

Browser crashes when I create <p> element with 'style' attribute.

Categories

(Core :: DOM: CSS Object Model, defect, P2)

Product:
Core
Component:
DOM: CSS Object Model
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: ramky, Assigned: peterl-retired)

Details

(Keywords: crash) 

Please look at the following code.

HTMLElement.prototype.insertAdjacentHTML = function (sWhere, sText) {
  var r = document.createRange();
  switch (sWhere) {
   case "beforeBegin":
    r.setStartBefore(this);
    this.parentNode.insertBefore(r.createContextualFragment(sText), this);
    break;

   case "afterBegin":
    r.setStartBefore(this.firstChild);
    this.insertBefore(r.createContextualFragment(sText), this.firstChild);
    break;

   case "beforeEnd":
    r.setStartAfter(this.lastChild);
    this.appendChild(r.createContextualFragment(sText));
    break;

   case "afterEnd":
    r.setStartAfter(this);
    this.parentNode.insertBefore(r.createContextualFragment(sText),
this.nextSibling);

    break;
  }
}

var s = '<p>Hello<br>';
var d = document.getElementById("Marker");
d.insertAdjacentHTML("afterEnd", s);

Look at the above code. It works fine as it is.
But if I say
var s = '<p style="color: #FF0000">Hello</p>'
mozilla crashes.

I am using nightly build of 09/24/1999.
This 'style' setting seems to be creating problem.

Element with id "Marker" is as follows.

<hr>
<div id="Marker" style="background-color: black; color: white">
<p>Hello</p>
</div>
<address><a href="mailto:ramky@ramky.jumpdata.com">ramky</a></address>

--
ramky.
Severity: normal → critical
Priority: P3 → P2
Assignee: vidur → peterl
The crash is a result of a missing null-check in
nsGenericHTMLElement::SetAttribute. The code attempts to dereference the
mDocument field which is null because the element hasn't yet been added to the
document. Adding in the null-check isn't quite enough since the style
information will never be incorporated into the inline style sheet.

Handing this one to peterl, since the real fix is style related.
Status: NEW → ASSIGNED
Target Milestone: M11
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Adding crash keyword
Keywords: crash
Component: DOM Level 2 → DOM Style
Taking QA Contact on all open or unverified DOM Style bugs...
QA Contact: vidur → ian
can no longer reproduce crash
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.