Closed
Bug 693551
Opened 12 years ago
Closed 12 years ago
removeChild(): unexpected title tooltip after removing SVG element at mouse position
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
FIXED
Firefox 11
| Tracking | Status | |
|---|---|---|
| firefox10 | - | --- |
People
(Reporter: y.2020, Assigned: longsonr)
References
Details
(Keywords: regression)
Attachments
(2 files, 1 obsolete file)
|
134 bytes,
image/svg+xml
|
Details | |
|
2.36 KB,
patch
|
dao
:
review+
|
Details | Diff | Splinter Review |
testcase
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Build ID: 20110928134238 Steps to reproduce: Tested with Firefox 7.0.1 and current Nightly 10.0a1 on Windows: 1.) open a file (e.g. the attached one) containing code like this <circle cx="100" cy="100" r="50" onclick="this.parentNode.removeChild(this);" /> 2.) move mouse over circle and click left mouse button (don't stop moving before clicking!) Actual results: A title tooltip is shown that contains the text of the last tooltip, even from an other browser tab. If it is the first title tooltip after startup, the tooltip is shown without text. AFAICS this doesn't happen with HTML elements or if the mouse was not moved right before clicking.
|
||
Comment 1•12 years ago
|
||
Confirmed on http://hg.mozilla.org/mozilla-central/rev/e9c620a5c85f Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a1) Gecko/20111010 Firefox/10.0a1 ID:20111010031016 Regression window(cached m-c hourly), Works: http://hg.mozilla.org/mozilla-central/rev/7898841a922a Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110702004346 Fails: http://hg.mozilla.org/mozilla-central/rev/7b44ed36faf3 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110702 Firefox/7.0a1 ID:20110702022656 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7898841a922a&tochange=7b44ed36faf3 Regression window(cached m-i hourly), Works: http://hg.mozilla.org/integration/mozilla-inbound/rev/4a7f8e181dd0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110701101456 Fails: http://hg.mozilla.org/integration/mozilla-inbound/rev/eb5866601f88 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110701 Firefox/7.0a1 ID:20110701132816 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4a7f8e181dd0&tochange=eb5866601f88 Triggered by: 74635b831e9e Robert Longson — Bug 639945 - tooltips are not displayed on inline svg elements. r=dao,bzbarsky
|
||
Updated•12 years ago
|
tracking-firefox10:
--- → ?
|
||
Comment 2•12 years ago
|
||
I came across this bug using FF8 in the wild when viewing a svg chart in one tab -- the tooltip showed data from another tab, which looks a little scary from a security perspective.
|
|
||
Comment 3•12 years ago
|
||
Updating platform, as I can reproduce in current nightly on linux: Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111212 Firefox/11.0a1 though I needed this additional step in comment 0's STR: 0. Hover over any link with a tooltip (e.g. this one: attachment 566159 [details] )
OS: Windows 7 → All
Version: 10 Branch → Trunk
|
Assignee | |
Comment 4•12 years ago
|
||
(In reply to Adam Moore from comment #2) > I came across this bug using FF8 in the wild when viewing a svg chart in one > tab -- the tooltip showed data from another tab, which looks a little scary > from a security perspective. Not really, the page itself can't read the tooltip data.
|
|
||
Comment 5•12 years ago
|
||
But how does the typical user know this?
|
|
||
Comment 6•12 years ago
|
||
> which looks a little scary from a security perspective.
Agreed that it could look scary to a typical user, even if it's not actually dangerous. (The appearance of insecurity is worth avoiding. :) )|
|
Assignee | |
Comment 7•12 years ago
|
||
I don't know how to write a testcase as the existing case relies on the content being removed as the tooltip appears. The c++ embedding tooltip code already has a null check so it doesn't need to change.
Attachment #581618 -
Flags: review?(dao)
|
|
Assignee | |
Comment 8•12 years ago
|
||
Note the simplification in the first part of the patch is covered by the existing testcase.
|
||
Comment 9•12 years ago
|
||
Comment on attachment 581618 [details] [diff] [review] patch How about adding document.compareDocumentPosition(tipElement) == document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of FillInHTMLTooltip? Could !tipElement.ownerDocument already be an (unsuccessful) attempt to do this?
|
|
||
Updated•12 years ago
|
Component: SVG → General
Product: Core → Firefox
QA Contact: general → general
|
|
||
Updated•12 years ago
|
Hardware: x86_64 → All
|
|
Assignee | |
Comment 10•12 years ago
|
||
(In reply to Dão Gottwald [:dao] from comment #9) > > How about adding document.compareDocumentPosition(tipElement) == > document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of > FillInHTMLTooltip? Could !tipElement.ownerDocument already be an > (unsuccessful) attempt to do this? That comes from bug 520729
|
|
||
Comment 11•12 years ago
|
||
Ok, so that isn't broken. It would have helped if Ehsan had followed the "Maybe add a comment here that explains what cases this is handling (tipElement is a document)" suggestion. My example code however is broken... document needs to be tipElement.ownerDocument.
|
|
Assignee | |
Comment 12•12 years ago
|
||
Ehsan did do that on the comment line above the code.
|
|
Assignee | |
Comment 13•12 years ago
|
||
Attachment #581618 -
Attachment is obsolete: true
Attachment #581618 -
Flags: review?(dao)
Attachment #581959 -
Flags: review?(dao)
|
|
||
Updated•12 years ago
|
Attachment #581959 -
Flags: review?(dao) → review+
|
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → longsonr
|
|
Assignee | |
Comment 14•12 years ago
|
||
pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/d9e8512aa9d4
Target Milestone: --- → Firefox 11
|
||
Comment 15•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d9e8512aa9d4
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 16•12 years ago
|
||
This isn't a regression from 9, so unless we know of significant fallout, no need to uplift to FF10.
|
Reporter | |
Comment 17•12 years ago
|
||
(In reply to Matt Brubeck (:mbrubeck) from comment #15) > https://hg.mozilla.org/mozilla-central/rev/d9e8512aa9d4 When does the fix show up in the nightly builds? The issue is not fixed in 12.0a1 (2012-01-05).
|
|
||
Comment 18•12 years ago
|
||
Confirmed, this does not fixed on http://hg.mozilla.org/mozilla-central/rev/5413ba3ed406 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120105 Firefox/12.0a1 ID:20120105083933 and http://hg.mozilla.org/releases/mozilla-aurora/rev/e03d758c3c08 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a2) Gecko/20120105 Firefox/11.0a2 ID:20120105042010 REOPENED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 20•12 years ago
|
||
Sorry s/I think this is related Bug 715882/I think this is related Bug 664058/
|
|
Assignee | |
Comment 21•12 years ago
|
||
Testcase in the bug works for me and the patch has not been backed out so the correct resolution is still fixed. If you still have issues raise another bug, this one is done.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
|
|
||
Comment 22•12 years ago
|
||
(In reply to Robert Longson from comment #21) > Testcase in the bug works for me and the patch has not been backed out so > the correct resolution is still fixed. If you still have issues raise > another bug, this one is done. filed Bug 715999
You need to log in
before you can comment on or make changes to this bug.
Description
•