Open Bug 1877971 Opened 2 years ago Updated 2 years ago

innerHTML does not strip form tags when used in a shadow tree whose host is nested in a form

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Version:
Firefox 122
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: peter, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0

Steps to reproduce:

Use innerHTML to add a form element on a shadow root that is hosted by an element already contained in a form element. See https://codepen.io/SirPepe/pen/rNRdBMK?editors=0010

Actual results:

A new form element was added to the shadow root.

Expected results:

If I am reading the standards correctly, innerHTML should strip the form tags and no form element should be added to the shadow root. IIUC, innerHTML invokes the fragment parsing algorithm with the shadow root's host as the context object. This sets the form pointer to this element's closest form ancestor, which should lead to the form element in the shadow root getting counted as a nested form element and thus ignored. Chrome and Safari both do this.

The Bugbug bot thinks this bug should belong to the 'Toolkit::Form Manager' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Form Manager
Product: Firefox → Toolkit

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)

I think this should be in the HTML parsing component. Bad bot.

Component: Form Manager → DOM: HTML Parser
Flags: needinfo?(sgalich)
Product: Toolkit → Core

Sounds like a bug on our side, Henri do you mind confirm this?

Flags: needinfo?(hsivonen)

Confirming.

Flags: needinfo?(hsivonen)
Severity: -- → S3
You need to log in before you can comment on or make changes to this bug.