Open Bug 1754727 Opened 3 years ago Updated 2 years ago

SVG onload event not working if <svg onload=""> is loaded using innerHTML

Categories

(Core :: DOM: Core & HTML, defect, P3)

Firefox 97
defect

Tracking Status
firefox-esr91 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix

People

(Reporter: jmsanchez275, Unassigned, NeedInfo)

References

(Regression)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36

Steps to reproduce:

I loaded an SVG using document.body.innerHTML in JavaScript. All event handlers of the svg do not work. I tried this with other tags like <img> but they work as intended. I found this issue only in svg.

Here is some example code:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Test</title>
</head>
<body>

<script>
document.body.innerHTML = '<svg onload="alert()">';
</script>
</body>
</html>

Actual results:

alert() won't be triggered here. I tested in other browsers and the alert() gets triggered.

Expected results:

If you change the tag into something like
<img src=x onerror="alert()"> in the innerHTML, it works as intended.

This works on other browsers

<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Test</title>
</head>
<body>

<script>
	document.body.innerHTML = `<svg onload=alert()>`
</script>
</body>
</html>

The Bugbug bot thinks this bug should belong to the 'Core::SVG' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → SVG
Product: Firefox → Core

Mozregression says this was caused by bug 1646140.

Component: SVG → DOM: Core & HTML
Flags: needinfo?(krosylight)

I'm not sure I'll have time to look at this, pinging hsivonen who should be more familiar with this. (I'm on PTO anyway)

Flags: needinfo?(hsivonen)

Setting the regression info per comment #3.

Keywords: regression
Regressed by: CVE-2020-15676

Set release status flags based on info from the regressing bug 1646140

Has Regression Range: --- → yes

PinkDraconian elaborates more about this issue in his new video https://www.youtube.com/watch?v=75O_d845cAk

It's not just SVG, it also affects more tags like input

(In reply to Echidonut from comment #7)

PinkDraconian elaborates more about this issue in his new video https://www.youtube.com/watch?v=75O_d845cAk

It's not just SVG, it also affects more tags like input

That's another issue, could you file a new report?

Flags: needinfo?(krosylight)

Apart from this being a difference relative to Chrome, does not executing SVG onload in the innerHTML context break some legitimate use on a real site?

Flags: needinfo?(hsivonen) → needinfo?(jmsanchez275)

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

Setting S3/P3 based on the current information that we haven't heard real issues on websites in the wild for now.

Severity: -- → S3
Priority: -- → P3