User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0a2) Gecko/20110819 Firefox/8.0a2
Build ID: 20110819142441
Steps to reproduce:
To implement a patch for bug #528661, I need to escape HTML entities on a custom string. hsivonen suggested that I create a title element with NS_NewHTMLTitleElement, stuff the unencoded text in it with SetInnerHTML and retrieve the decoded text with GetTextContent.
The reftest layout/reftests/svg/as-image/svg-stylesheet-datauri-1.html fails because it triggers the assertion:
"Want to fire DOMNodeRemoved event, but it's not safe");
sicking thinks that the caller (nsGenericHTMLElement::SetInnerHTML) should block DomNodeRemoved scripts from running using an nsAutoScriptBlockerSuppressNodeRemoved in the else-path that is taken when the document being modified is not an HTML5 document.
There shouldn't be any assertion. I don't know the code as well as Jonas, but aren't we checking whether it's safe to run a script too eagerly? In nsContentUtils::MaybeFireNodeRemoved, we are asserting this before we even check that any script would need to be run in this specific context. For example, in my code there would be no script fired for any mutation event on the title element. If we asserted that *after* we probed for event listeners, there would be no assertion as the execution path would not even test the assertion.
Sorry, the last paragraph should say "No assertion should fail", either because it does not get asserted when my code calls into setInnerHTML (because we check if there is any event handler before asserting whether it's safe to execute such handler) or because sDOMNodeRemovedSuppressionCount is > 0 (or something like that, mxr is taking a break right now...)
Created attachment 555886
Created attachment 555986
Comment on attachment 555986
Review of attachment 555986: