<script xmlns="http://www.w3.org/1999/xhtml"> leaks namespace to younger siblings

VERIFIED FIXED

Status

()

Product:
Core
Component:
XML
--
major
VERIFIED FIXED
Reported:
12 years ago
Modified:
12 years ago

People

(Reporter: bsmedberg, Assigned: peterv)

Tracking

({fixed1.8})

Version:
Trunk
x86
All
Keywords:
fixed1.8
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

Testcase
238 bytes, text/xml
Details
v1
3.41 KB, patch
bz
: review+
bz
: superreview+
asa
: approval1.8rc1+
Details | Diff | Splinter Review
Nonempty tag testcase
256 bytes, application/xml
Details
(Reporter)

Description

12 years ago 
See attached testcase, basically

<element xmlns="1">
  <script xmlns="xhtml" src="foo" />
  <foo />
</element>

Foo has the wrong namespace. Which ends up screwing some significant number of
published SVG examples and a lot of mixed XHTML+SVG content.
(Reporter)

Comment 1

12 years ago 
Created attachment 200350 [details]
Testcase

Comment 2

12 years ago 
This regressed between 2004-12-15-06 and 2004-12-16-08, so looks like we somehow
fail to pop off the default namespace after the expat landing...
 (Reporter)

Updated

12 years ago
Flags: blocking1.8rc1?

Comment 3

12 years ago 
At a guess, we're adding the namespace binding, then bailing out when we block,
and never removing the binding...

Perhaps this is xmlparse.c line 2324?  We call the endElementHandler in line
2321, but we want to make it down to line 2341 before returning the error, no? 
Or do we not want to clear the tempPool here?  We definitely want that loop over
the bindings, I'd think.
 (Assignee)

Comment 4

12 years ago 
Created attachment 200359 [details] [diff] [review]
v1

It's going to be hard for me to test this soon, so if anyone could verify that
this fixes the problem I'd be grateful.
Attachment #200359 - Flags: superreview?(bzbarsky)
Attachment #200359 - Flags: review?(bzbarsky)

Comment 5

12 years ago 
Created attachment 200363 [details]
Nonempty tag testcase

Comment 6

12 years ago 
Comment on attachment 200359 [details] [diff] [review]
v1

Yeah, that fixes both testcases. r+sr=bzbarsky.

Can you check this in, or do you want me to?
Attachment #200359 - Flags: superreview?(bzbarsky)
Attachment #200359 - Flags: superreview+
Attachment #200359 - Flags: review?(bzbarsky)
Attachment #200359 - Flags: review+

Comment 7

12 years ago 
please land and verify on the trunk.
(Assignee)

Comment 8

12 years ago 
If you could, I'm off for the night.

Comment 9

12 years ago 
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 10

12 years ago 
Comment on attachment 200359 [details] [diff] [review]
v1

Requesting 1.8 branch approval.  This is a pretty serious regression in our XML
parsing.  The fix is pretty safe -- just move our early returns to be not quite
so early to allow expat to pop the namespaces associated with the just-closed
element.
Attachment #200359 - Flags: approval1.8rc1?
 (Reporter)

Comment 11

12 years ago 
Verified fixed on trunk, we should definitely take this on branch.
Status: RESOLVED → VERIFIED

Updated

12 years ago
Attachment #200359 - Flags: approval1.8rc1? → approval1.8rc1+
 (Assignee)

Comment 12

12 years ago 
Checked in on branch. Thanks bz for your help.
Keywords: fixed1.8

Updated

12 years ago
Flags: blocking1.8rc1?
You need to log in before you can comment on or make changes to this bug.