Closed
Bug 394534
Opened 17 years ago
Closed 17 years ago
[FIX]First attribute doesn't win in misplaced content
Categories
(Core :: DOM: HTML Parser, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
()
Details
(Keywords: fixed1.8.0.14, verified1.8.1.8, Whiteboard: baking on trunk (9/10))
Attachments
(2 files)
|
7.39 KB,
patch
|
mrbkap
:
review+
peterv
:
superreview+
dveditz
:
approval1.8.1.8+
dveditz
:
approval1.8.0.14+
sicking
:
approval1.9+
|
Details | Diff | Splinter Review |
|
5.92 KB,
patch
|
Details | Diff | Splinter Review |
Problem is also mentioned at http://sla.ckers.org/forum/read.php?2,15336 and http://ha.ckers.org/blog/20070830/overwriting-attributes/
Fix is coming up. Writing tests now.
|
Assignee | |
Comment 1•17 years ago
|
||
Makes sure to not reverse the order of tokens when moving them to and from the misplaced content nsDeque.
Attachment #279208 -
Flags: superreview?(peterv)
Attachment #279208 -
Flags: review?(mrbkap)
|
|
Assignee | |
Updated•17 years ago
|
Flags: blocking1.9?
Priority: -- → P1
Target Milestone: --- → mozilla1.9 M8
|
||
Comment 2•17 years ago
|
||
Comment on attachment 279208 [details] [diff] [review]
Fix
Index: parser/htmlparser/src/CNavDTD.cpp
+ // XXXbz would it be faster to get the tokens out with ObjectAt and
+ // the PopFront them all?
"then"
Attachment #279208 -
Flags: review?(mrbkap) → review+
|
||
Comment 3•17 years ago
|
||
Comment on attachment 279208 [details] [diff] [review]
Fix
>Index: parser/htmlparser/src/CNavDTD.cpp
>===================================================================
>+ // XXXbz would it be faster to get the tokens out with ObjectAt and
>+ // the PopFront them all?
then PushFront ...?
Attachment #279208 -
Flags: superreview?(peterv) → superreview+
|
|
Assignee | |
Comment 4•17 years ago
|
||
Comment on attachment 279208 [details] [diff] [review]
Fix
No, "then PopFront". Maybe I should say "then PopFront them all from mMisplacedContent".
Requesting approval for trunk and branches. This is bug apparently being used for content-injection attacks... Risk is as low as it gets in parser code, which is probably "medium to large", so we might want to bake on the trunk for a week or so before landing on the branches.
Attachment #279208 -
Flags: approval1.9?
Attachment #279208 -
Flags: approval1.8.1.7?
Attachment #279208 -
Flags: approval1.8.0.14?
|
|
||
Comment 5•17 years ago
|
||
(In reply to comment #4)
> (From update of attachment 279208 [details] [diff] [review])
> No, "then PopFront". Maybe I should say "then PopFront them all from
> mMisplacedContent".
Ah, and use PushTokenFront again? (which is what I meant instead of PushFront)
|
|
Assignee | |
Comment 6•17 years ago
|
||
Right. That approach would be to ObjectAt() and PushTokenFront() starting at the _end_ of the things I want to move, then pop them all off.
|
||
Comment 7•17 years ago
|
||
You might want to check if this piece of html:
<table><input type="password">
crashes with the patch.
It seems to crash in my debug build, but I might have done something wrong.
It seems to crash at:
CToken* theAttrToken = theAttrNode.PopAttributeTokenFront();
in PushMisplacedAttributes
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
|
|
Assignee | |
Comment 8•17 years ago
|
||
Doesn't seem to crash over here....
Attachment #279208 -
Flags: approval1.9? → approval1.9+
Flags: blocking1.9?
|
|
||
Comment 9•17 years ago
|
||
Would be nice to fix on the branch, but probably not a stop-ship. We'll look at approvals after it's landed on the trunk.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9?
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
|
||
Comment 10•17 years ago
|
||
Fix landed on the trunk (by manually applying the change to reftest.list as that part of the patch had bit-rotted). Marking FIXED.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: blocking1.9? → blocking1.9+
Resolution: --- → FIXED
|
||
Comment 11•17 years ago
|
||
It looks like the test file itself didn't land, so I reverted the reftest.list change to fix the orange.
Flags: in-testsuite?
|
|
||
Updated•17 years ago
|
Whiteboard: baking on trunk (9/10)
|
|
||
Comment 12•17 years ago
|
||
I checked the test in now that I was able to verify that it passed.
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 13•17 years ago
|
||
Duh, must have forgotten to cvs add that file. Thanks for dealing with it!
|
|
Assignee | |
Comment 14•17 years ago
|
||
Checked in a followup patch addressing the review comments too.
|
|
||
Comment 15•17 years ago
|
||
Apparently there is something wrong with my vc build, so you can just ignore comment 7 any further (which you already did).
|
|
||
Comment 16•17 years ago
|
||
Comment on attachment 279208 [details] [diff] [review]
Fix
approved for 1.8.1.8 and 1.8.0.14, a=dveditz for release-drivers
Attachment #279208 -
Flags: approval1.8.1.8?
Attachment #279208 -
Flags: approval1.8.1.8+
Attachment #279208 -
Flags: approval1.8.0.14?
Attachment #279208 -
Flags: approval1.8.0.14+
|
|
Assignee | |
Comment 17•17 years ago
|
||
|
|
Assignee | |
Comment 18•17 years ago
|
||
Checked in on both branches.
Keywords: fixed1.8.0.14,
fixed1.8.1.8
|
|
||
Comment 19•17 years ago
|
||
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8pre) Gecko/20071004 BonEcho/2.0.0.8pre
I now get green text and a checkbox input, while I got red text and a text input with Firefox2.0.0.7, testing:
http://lxr.mozilla.org/seamonkey/source/layout/reftests/bugs/394534-1.html
Keywords: fixed1.8.1.8 → verified1.8.1.8
You need to log in
before you can comment on or make changes to this bug.
Description
•