Closed Bug 386794 Opened 17 years ago Closed 17 years ago

Crash [@ nsIScriptElement::IsMalformed] getting innerHTML due to <foo:script>

Categories

(Core :: DOM: Core & HTML, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

nsHTMLContentSerializer::AppendElementEnd assumes that any element whose tag name is "script" will implement nsIScriptElement, which isn't true for XUL or for a namespace Gecko doesn't recognize.  The code was introduced in bug 305873, "Unclosed script data should not be parsed as HTML".  (Other parts of the function appear to make similar assumptions about other tag names: "meta", "pre", etc.)

Loading the testcase triggers:

###!!! ASSERTION: What kind of weird script element is this?: 'script', file /Users/jruderman/trunk/mozilla/content/base/src/nsHTMLContentSerializer.cpp, line 778

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/xpcom/nsCOMPtr.h, line 847

and a null-dereference crash.

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

That makes sense, because bug 305873 hasn't been fixed on the branch yet.

crashes trunk build on Windows though
OS: Mac OS X → All
Attached patch: Fix
If the script isn't an nsIScriptElement, we don't care about it.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #270832 - Flags: superreview?(jonas)
Attachment #270832 - Flags: review?(jonas)
Attachment #270832 - Flags: superreview?(jonas)
Attachment #270832 - Flags: superreview+
Attachment #270832 - Flags: review?(jonas)
Attachment #270832 - Flags: review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsIScriptElement::IsMalformed]
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML
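
The failure mode reported in this bug, next to the shape of the fix described in the patch comment ("If the script isn't an nsIScriptElement, we don't care about it"), as an added C++ model that is neither the attached patch nor Gecko code. All type and function names are hypothetical, `dynamic_cast` stands in for the interface query, and the rule that a malformed script gets no end tag is an assumption of the model.

```cpp
#include <string>

// Hypothetical model types, not Gecko classes.
struct Element {
    std::string ns;          // namespace URI of the element
    std::string local_name;  // tag name without its prefix
    virtual ~Element() = default;
};

// Stand-in for the nsIScriptElement interface.
struct ScriptInterface {
    virtual bool is_malformed() const = 0;
    virtual ~ScriptInterface() = default;
};

// An HTML <script>: the only element kind here that implements the interface.
struct HtmlScript : Element, ScriptInterface {
    bool malformed;
    explicit HtmlScript(bool m) : malformed(m) {
        ns = "http://www.w3.org/1999/xhtml";
        local_name = "script";
    }
    bool is_malformed() const override { return malformed; }
};

// Stand-in for a QueryInterface-style lookup: null when unsupported.
const ScriptInterface* as_script(const Element& el) {
    return dynamic_cast<const ScriptInterface*>(&el);
}

// Reported pattern: trusts the tag name alone, so <foo:script> yields a
// null pointer that is dereferenced. For contrast only; real scripts only.
std::string end_tag_unchecked(const Element& el) {
    if (el.local_name == "script" && as_script(el)->is_malformed())
        return "";  // model assumption: malformed script gets no end tag
    return "</" + el.local_name + ">";
}

// Checked form: an element named "script" that lacks the interface is
// serialized like any other element.
std::string end_tag_checked(const Element& el) {
    if (el.local_name == "script") {
        const ScriptInterface* script = as_script(el);
        if (script && script->is_malformed()) return "";
    }
    return "</" + el.local_name + ">";
}

int main() { Element e; e.local_name = "script"; return end_tag_checked(e) == "</script>" ? 0 : 1; }
```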