Closed Bug 29917 Opened 25 years ago Closed 24 years ago

A HREF Target with "/" or "*" symbol causes crash

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: jeromekwok, Assigned: mike+mozilla)

References

Details

(Keywords: crash, relnote, Whiteboard: [nsbeta2+][6/01])

Attachments

(1 file)

target with "/" symbol
114 bytes, text/html
Details 
1. Target with "/" character will crash Mozilla.  Make a page with the following 
code.  Click on it and Mozilla M14 will crash.  M13 does not have this problem.

<a href="http://www.mozillazine.org/" target="mozilla/zine">MozillaZine</a>


2. Location box of the parent window updated incorrectly.  Make a page with the 
following code.  Click on it and Mozilla will open a new window browsing 
Mozilla.org.  Back to the parent Mozilla window, and the location box will show 
the URL "http://www.mozilla.org" instead of the URL of the page viewing.  Click 
"View Source" the Mozilla will view the source of mozilla.org instead of the 
page viewing.  M13 does not have this problem.

<a href="http://www.mozilla.org" target="_blank">Mozilla</a>


3. Visit http://compuwise.home.dhs.org using resolution 800x600 or higher.  
Click on any link on the page (all links in the page will open a new window).  
Then back to the parent window, you'll find the alignments are shift right.  I 
don't know what particular code causes this problem.  But M13 does not have this 
problem.
target is dom/layout? don would know...
Assignee: gagan → don
Problem 3 will also occur when right-clicking any links.
http://www.firingsquad.com/news also has the similar problem.  Right click any
link in the page, the ad banner will float.
Component: Networking → Layout
reporter - are oyu stills eeing this with m15 builds?

thanks

Problem 3 has been resolved.

Problem 1 & 2 still exists using the 2000040215 build win32.  For problem 2, the
parent window's location box will be, still, incorrectly updated when clicking
links which open new windows.  But the view source is OK.

Problem 2 appears to be bug 31211, "Session History "inherited" from spawned 
window", M16.

jeromekwok@netscape.net, please report only one issue per bug report...
please consider using the bugzilla helper at 
http://www.mozilla.org/quality/help/bug-form.html to file bugs.
It helps ensure that the bug report you submit will be immediately useful.

Also, it helps to provide a sample page including the code you are referring
to, either by pointing to such a page in the URL field, or by creating
an attachment that contains a short testcase. That's the next step here,
to be able to test and confirm the presence of problem 1.
Attached file target with "/" symbol 

    
    

    
  
Thanks for your guideline. 

I made a sample page demostrating problem 1.  I filed these bugs together 
because it seems that they are caused by one checkin.  These 3 bugs exist since 
one day's nightly build.

Yes, problem 2 seems to be the same or similar as 31211.  Then let's focus on 
problem 1 in this record.
URL: http://compuwise.home.dhs.org/
Summary: Open Links in New Windows Crashes M14 → A HREF Target with "/" symbol

    
    

    
  
Problem 1 still exists in build 2000041409, tested with the attachment page.

    
    

    
  
I was a bit surprised to come to this conclusion, but examining the HTML 4.01
spec, it appears that a value like "mozilla/zine" for the target attribute
is valid.

The spec for the <A> element,
http://www.w3.org/TR/REC-html40/struct/links.html#h-12.2 points to 
http://www.w3.org/TR/REC-html40/present/frames.html#target-info which points to
http://www.w3.org/TR/REC-html40/types.html#type-frame-target which points to
http://www.w3.org/TR/REC-html40/sgml/loosedtd.html#FrameTarget

It appears that %FrameTarget is CDATA.
http://www.w3.org/TR/REC-html40/types.html#h-6.2 says
 > For some HTML 4 attributes with CDATA attribute values, the specification 
 > imposes further constraints on the set of legal values for the attribute 
 > that may not be expressed by the DTD.
The restictions appear to be
1. must start with an alphabetic character:
   http://www.w3.org/TR/REC-html40/types.html#type-frame-target
2. the value is case-insensitive:
   http://www.w3.org/TR/REC-html40/present/frames.html#h-16.3

I'm surprised that %FrameTarget was not defined to be ID or NAME, but it looks 
like that wasn't possible if "_blank", etc, were to be allowed.

    
    

    
  
Confirming with the 2000-04-16-16-M16 nightly binary on WinNT.

Sorry, missed doing this with the last comment, but moving to the "HTML Element"
component
Assignee: don → rickg
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Layout → HTML Element
Ever confirmed: true
Keywords: crash
QA Contact: tever → petersen
Summary: A HREF Target with "/" symbol → A HREF Target with "/" symbol causes crash

    
    

    
  
Here's the stack trace:

NTDLL! 77f7629c()
js_ErrorToException(JSContext * 0x031d9b50, const char * 0x0320bdf0, 
JSErrorReport * 0x00000000) line 554 + 35 bytes
ReportError(JSContext * 0x031d9b50, const char * 0x0320bdf0, JSErrorReport * 
0x00000000) line 264 + 17 bytes
js_ReportErrorVA(JSContext * 0x031d9b50, unsigned int 0, const char * 
0x015ed2a8, char * 0x0012f5cc) line 313 + 17 bytes
JS_ReportError(JSContext * 0x031d9b50, const char * 0x015ed2a8) line 2977 + 19 
bytes
GlobalWindowImpl::CheckWindowName(GlobalWindowImpl * const 0x031d6860, JSContext 
* 0x031d9b50, nsString & {???}) line 2817 + 38 bytes
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x031d6860, JSContext * 
0x031d9b50, long * 0x0115ade0, unsigned int 2, int 0, nsIDOMWindow * * 
0x0012fa08) line 2401 + 23 bytes
GlobalWindowImpl::Open(GlobalWindowImpl * const 0x031d6864, JSContext * 
0x031d9b50, long * 0x0115ade0, unsigned int 2, nsIDOMWindow * * 0x0012fa08) line 
1527
nsBrowserContentHandler::HandleContent(nsBrowserContentHandler * const 
0x0320c1d0, const char * 0x0320c410, const char * 0x0270f42c, const char * 
0x0320e210, nsISupports * 0x02937260, nsIChannel * 0x0320f210) line 2085 + 84 
bytes
nsURILoader::DispatchContent(nsURILoader * const 0x028bdf60, const char * 
0x0320c410, int 1, const char * 0x0320e210, nsIChannel * 0x0320f210, nsISupports 
* 0x00000000, nsIURIContentListener * 0x00000000, nsISupports * 0x02937260, char 
* * 0x0012fc78, nsIURIContentListener * * 0x0012fc80, int * 0x0012fc70) line 810 
+ 53 bytes
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x0320f210, nsISupports * 
0x00000000) line 312 + 165 bytes
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x0320e0e0, 
nsIChannel * 0x0320f210, nsISupports * 0x00000000) line 255 + 16 bytes
InterceptStreamListener::OnStartRequest(InterceptStreamListener * const 
0x0320c480, nsIChannel * 0x0320f210, nsISupports * 0x00000000) line 1118
nsHTTPServerListener::FinishedResponseHeaders() line 974 + 48 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x0320cf90, 
nsIChannel * 0x0320d6f4, nsISupports * 0x0320f210, nsIInputStream * 0x0320f80c, 
unsigned int 0, unsigned int 1231) line 384 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x0320ddf0) 
line 406 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x0320e040) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x0320e040) line 575 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x02933340) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00010894, unsigned int 49403, unsigned int 0, 
long 43201344) line 1030 + 9 bytes
USER32! 77e71820()

Back to travis, since it appears to be his code (via cvs-blame).
Assignee: rickg → travis

    
    

    
  
Most likely due to changes mccabe made in the JS Error Script reporting.  
Flipping over to him.
Assignee: travis → mccabe

    
    

    
  
Since TARGET is a commonly used attribute, I suggest that this problem should be 
fixed in beta 2.

Keywords: nsbeta2

    
    

    
  
*** Bug 38431 has been marked as a duplicate of this bug. ***

    
  
Summary: A HREF Target with "/" symbol causes crash → A HREF Target with "/" or "*" symbol causes crash

    
    

    
  
*** Bug 35063 has been marked as a duplicate of this bug. ***

    
    

    
  
Testcases from other, duplicate reports: 

target="nav,main"
   http://bugzilla.mozilla.org/showattachment.cgi?attach_id=7474

target=*_blank*
   http://bugzilla.mozilla.org/showattachment.cgi?attach_id=8398

I note that duplicate bug #35063 was [nsbeta2+]; I assume that this should 
get the same designation (although I disagree with that rating -- unless 
someone has data to show otherwise, I think this is a rare crash. However, 
I expect the fix is not too difficult anyways).

    
    

    
  
This crash is currently shadowed by bug 38644 ``<A TARGET="foo" ...> crashes in
nsURILoader::SetupLoadCookie''. That bug has been introduced between 5/5 and
5/7, it's stack trace is completely different, and it is triggered by a much
larger set of target values. Marking dependency.
Depends on: 38644

    
    

    
  
Putting on [nsbeta2+][6/01] radar.  This work must be done by 06/01 or we may 
pull this for PR2.  We could release note for beta2 if we had too.
Keywords: relnote
Whiteboard: [nsbeta2+][6/01]

    
    

    
  
The dependency to bug 38644 is obsolete now since the testcase there does not
crash any more, thanks to pollmann for his fix to bug 32898 on 5/10.
Also bug 38476 (which contains the same stack trace as this bug) is has been
fixed, probably due to the other part of pollmann's fix on that day.

On PC/Linux, build 2000052109, neither the attachment to this bug nor the 
attachments from John's comment seem to be crashers any more.
Can this bug be closed out, or is anyone still seeing this?

    
    

    
  
Worksforme...

WARNING: Illegal character in window name a/b, file nsGlobalWindow.cpp, line
3022

petersen, can you confirm?  If so, let's close this.

    
    

    
  
This problem isn't occuring in the May 22 builds (2000052208) for Mac, Win 98, 
and Linux.


    
    

    
  
Great!  Resolving as WORKSFORME.

I've checked the code and confirmed that this does *not* attempt to write to the
console service.  Instead, it uses NS_WARNING() from nsDebug.h... which calls
nsDebug::Warning...

It might make sense for nsDebug.cpp to use the console service to report some
warnings that make sense to expose to the user.  Different bug, though.  Added
comment to 6211.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME

    
    

    
  
This problem is no longer occuring in the May 30th builds. Marking verified works 
for me.

Status: RESOLVED → VERIFIED

    
    

    
  
SPAM. HTML Element component deprecated, changing component to Layout. See bug
88132 for details.
Component: HTML Element → Layout

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: