Closed Bug 392511 Opened 18 years ago Closed 18 years ago

[FIX]innerHTML getter fails to escape entities in attributes properly (so "innerHTML = innerHTML" has an unexpected side effect)

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla1.9beta1

People

(Reporter: bugzilla, Assigned: bzbarsky)

References

Details

(Keywords: testcase)

Attachments

(2 files)

testcase from comment 0 18 years ago Steve England [:stevee] 409 bytes, text/html		Details
Fix 18 years ago Boris Zbarsky [:bzbarsky] 5.48 KB, patch	peterv : review+ peterv : superreview+ jst : approval1.9+	Details \| Diff \| Splinter Review

Jonathan Davies

Reporter

Description

•

18 years ago

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 This simple page exhibits the problem: ---- <html> <head> <script language="JavaScript">  </script> </head> <body> <span id="sp"><input type="button" value="Click me" onclick="javascript:alert('&amp;')"/></span> <input type="button" value="Set" onclick="foo()"/> </body> </html> ----- Setting the span's innerHTML to itself causes '&' inside the onclick parameter of an element inside the span to be changed to '&'. Setting x.innerHTML = x.innerHTML is thus not side-effect free. Reproducible: Always Steps to Reproduce: 1. In the test page, click the "Click me" button. You should see '&'. 2. Click the "Set" button, which sets the span's innerHTML=innerHTML. 3. Now click the "Click me" button again. You now see '&'. Actual Results: '&' becomes '&' after setting innerHTML=innerHTML. Expected Results: '&' should be preserved as '&' after setting innerHTML=innerHTML.

Steve England [:stevee]

Comment 1

•

18 years ago

Attached file testcase from comment 0 — Details

Steve England [:stevee]

Updated

•

18 years ago

Keywords: testcase

Steve England [:stevee]

Comment 2

•

18 years ago

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a8pre) Gecko/2007081423 Minefield/3.0a8pre ID:2007081423 I see the same on trunk. Opera 9.22 shows & always. So does IE6

Steve England [:stevee]

Updated

•

18 years ago

Version: unspecified → Trunk

Steve England [:stevee]

Updated

•

18 years ago

Component: General → DOM

Product: Firefox → Core

QA Contact: general → general

Jesse Ruderman

Updated

•

18 years ago

Summary: setting innerHTML = innerHTML in JavaScript has side effect of HTML elements being interpreted → innerHTML getter fails to escape entities in attributes properly (so "innerHTML = innerHTML" has an unexpected side effect)

Jesse Ruderman

Comment 3

•

18 years ago

Confirmed, Mac Firefox trunk.

OS: Windows XP → All

Hardware: PC → All

Boris Zbarsky [:bzbarsky]

Assignee

Comment 4

•

18 years ago

Attached patch Fix — Details — Splinter Review

Assignee: nobody → bzbarsky

Status: UNCONFIRMED → ASSIGNED

Ever confirmed: true

Attachment #279219 - Flags: superreview?(peterv)

Attachment #279219 - Flags: review?(peterv)

Boris Zbarsky [:bzbarsky]

Assignee

Updated

•

18 years ago

Priority: -- → P2

Summary: innerHTML getter fails to escape entities in attributes properly (so "innerHTML = innerHTML" has an unexpected side effect) → [FIX]innerHTML getter fails to escape entities in attributes properly (so "innerHTML = innerHTML" has an unexpected side effect)

Target Milestone: --- → mozilla1.9 M9

Peter Van der Beken [:peterv]

Comment 5

•

18 years ago

Comment on attachment 279219 [details] [diff] [review] Fix >Index: content/base/src/nsXMLContentSerializer.cpp >=================================================================== >@@ -560,26 +562,29 @@ nsXMLContentSerializer::SerializeAttr(co > if (bIncludesDouble && bIncludesSingle) { > mInAttribute = PR_TRUE; > AppendToString(sValue, aStr, PR_FALSE); > mInAttribute = PR_FALSE; > } > else { > mInAttribute = PR_TRUE; >- AppendToString(aValue, aStr, PR_FALSE); >+ AppendToString(sValue, aStr, PR_FALSE); > mInAttribute = PR_FALSE; > } Move those three lines after the if (combining the identical blocks from if and else).

Attachment #279219 - Flags: superreview?(peterv)

Attachment #279219 - Flags: superreview+

Attachment #279219 - Flags: review?(peterv)

Attachment #279219 - Flags: review+

Boris Zbarsky [:bzbarsky]

Assignee

Comment 6

•

18 years ago

Comment on attachment 279219 [details] [diff] [review] Fix Requesting approval for HTML serialization bug that breaks round-tripping of script attributes. Risk is very low.

Attachment #279219 - Flags: approval1.9?

Johnny Stenback (:jst)

Updated

•

18 years ago

Attachment #279219 - Flags: approval1.9? → approval1.9+

Boris Zbarsky [:bzbarsky]

Assignee

Comment 7

•

18 years ago

Checked in, with the comment 5 code change made.

Status: ASSIGNED → RESOLVED

Closed: 18 years ago

Flags: in-testsuite+

Resolution: --- → FIXED

Jesse Ruderman

Updated

•

11 years ago

Blocks: innerhtml-roundtrip

Nobody; OK to take it and work on it

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[FIX]innerHTML getter fails to escape entities in attributes properly (so "innerHTML = innerHTML" has an unexpected side effect)

Categories

(Core :: DOM: Core & HTML, defect, P2)

Tracking

()

People

(Reporter: bugzilla, Assigned: bzbarsky)

References

Details

(Keywords: testcase)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Comment 2

Updated

Updated

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Updated

Comment 7

Updated

Updated

Attachment

General

Description

File Name

Content Type