Open Bug 1720669 Opened 4 years ago Updated 1 year ago

Incorrect parsing of <select> in <table> in foreign content

Categories

(Core :: DOM: HTML Parser, defect)

Firefox 89
defect

UNCONFIRMED

People

(Reporter: michal.bentkowski, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

Steps to reproduce:

Try to parse the following HTML document:

<div><table><svg><foreignObject><select><table><s>

Actual results:

It is parsed into the following DOM tree by Firefox:

└─ #document
   └─ html
      ├─ head
      └─ body
         └─ div
            ├─ svg
            │  └─ foreignobject
            │     ├─ select
            │     ├─ s
            │     └─ table
            └─ table

Expected results:

While Chromium and Safari parse it differently:

└─ #document
   └─ html
      ├─ head
      └─ body
         └─ div
            ├─ svg
            │  └─ foreignobject
            │     └─ select
            ├─ table
            ├─ s
            └─ table

I believe that Chrome's and Safari's behavior is correct and matches the spec in this case.

Here's my understanding of the spec:

  1. While being inside <div>, the insertion mode is "in body".
  2. After <table>, the insertion mode is "in table".
  3. <svg> and <foreignObject> are foster-parented, so they end up before the table.
  4. <svg> starts "in foreign content" mode, but <foreignObject> is an HTML integration point, so the next token should be processed according to the current insertion mode in HTML content, which is "in table".
  5. After <select>, the mode is switched to "in select in table".
  6. In this mode, after encountering <table>, <select> is closed and the insertion mode should be reset. According to the "reset the insertion mode appropriately" algorithm, insertion mode should be reset to "in table".
  7. When being "in table", a new <table> should close the previous <table> and open a new one. So at this point the foreign content should be exited.
  8. Afterwards, <s> should be foster parented and end up before the second <table>.

Component: Untriaged → DOM: HTML Parser
Product: Firefox → Core

For the record, it seems that foreign content is the reason for confusion of the parser. Compare parsing of the following two documents:

Without foreign content:

<table><div><select><table><s>

parsed into:

└─ #document
   └─ html
      ├─ head
      └─ body
         ├─ div
         │  └─ select
         ├─ table
         ├─ s
         └─ table

With foreign content:

<table><math><mi><select><table><s>

parsed into:

└─ #document
   └─ html
      ├─ head
      └─ body
         ├─ math
         │  └─ mi
         │     ├─ select
         │     ├─ s
         │     └─ table
         └─ table
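
The rules cited in the eight steps of the report, applied to all three inputs on this page, as an added example that is not part of the original comments and is not browser or spec code. It is a reduced JavaScript model of tree construction (start tags only) that follows the reporter's reading of the spec; `parse` and `dump` are hypothetical helper names, and the tree is printed in a compact `parent(child,...)` form.

```javascript
// Added example: reduced model of HTML tree construction (start tags only), not a conforming parser.
const FOREIGN_ROOTS = new Set(['svg', 'math']);
// foreignObject is an HTML integration point, mi a MathML text integration point.
const INTEGRATION_POINTS = new Set(['foreignObject', 'mi']);
const BREAKOUT = new Set(['div', 'table', 's']); // subset of the spec's breakout list

function parse(html) {
  const body = { name: 'body', kids: [], foreign: false };
  const stack = [body];               // stack of open elements
  let mode = 'in body';               // current insertion mode
  const popUntil = (name) => { while (stack.pop().name !== name); };
  // "Reset the insertion mode appropriately", reduced to the two outcomes needed here.
  const resetMode = () => { mode = stack.some((n) => n.name === 'table') ? 'in table' : 'in body'; };
  const insert = (name, foreign) => {
    const target = stack[stack.length - 1];
    const foster = target.name === 'table';   // foster parenting: insert before the open table
    const parent = foster ? target.parent : target;
    const node = { name, kids: [], foreign, parent };
    parent.kids.splice(foster ? parent.kids.indexOf(target) : parent.kids.length, 0, node);
    stack.push(node);
  };
  for (const [, tag] of html.matchAll(/<(\w+)>/g)) {
    for (;;) {                        // loop so a token can be reprocessed
      const cur = stack[stack.length - 1];
      if (cur.foreign && !INTEGRATION_POINTS.has(cur.name)) {
        // Foreign content rules: breakout tags leave foreign content, others nest in it.
        if (BREAKOUT.has(tag)) { stack.pop(); continue; }
        insert(tag, true);
        break;
      }
      // HTML rules, selected by the current insertion mode (steps 6 and 7).
      if (tag === 'table' && mode === 'in select in table') { popUntil('select'); resetMode(); continue; }
      if (tag === 'table' && mode === 'in table') { popUntil('table'); resetMode(); continue; }
      insert(tag, FOREIGN_ROOTS.has(tag));
      if (tag === 'table') mode = 'in table';
      else if (tag === 'select' && mode === 'in table') mode = 'in select in table';
      break;
    }
  }
  return body;
}

const dump = (n) => n.name + (n.kids.length ? `(${n.kids.map(dump).join(',')})` : '');
console.log(dump(parse('<div><table><svg><foreignObject><select><table><s>')));
```

For the first two inputs the model reproduces the Chromium and Safari trees shown above; for the `<math><mi>` input it yields the same shape as the tree without foreign content, with `select` nested under `mi`.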

Hi Henri, Could you help to take a look? Thank you.

Flags: needinfo?(hsivonen)
Severity: -- → S3
Flags: needinfo?(hsivonen)