appendChild should throw when inserting an ancestor of a template into its content...
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Mar 2019 20:26:18 +0000 (20:26 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Mar 2019 20:26:18 +0000 (20:26 +0000)
commit138c91c4df8fa0ab7f89363897dc8099c0f2c374
tree49dda44e9d7d2757a6417a57bcfb2863bef0fd0b
parenta819c99c1b9fe4729fe9eb6524ff434f8e930ecf
appendChild should throw when inserting an ancestor of a template into its content adopted to another document
https://bugs.webkit.org/show_bug.cgi?id=195984

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaselined the test that is not fully passing.

* web-platform-tests/html/semantics/scripting-1/the-template-element/template-element/template-content-hierarcy-expected.txt:

Source/WebCore:

The WPT test caught a bug that appendChild and other DOM insertion functions were incorrectly assuming that
any node that's in a HTML template element has the current document's template document as its owner.
The assumption is wrong when the template element's content DocumentFragment is adopted to another document.

Fixed the bug by always checking the ancestor host elements in checkAcceptChild. Also

Test: fast/dom/insert-template-parent-into-adopted-content.html

* dom/ContainerNode.cpp:
(WebCore::isInTemplateContent): Deleted. This code is simply wrong.
(WebCore::containsConsideringHostElements): Deleted. Call sites are updated to use containsIncludingHostElements.
(WebCore::containsIncludingHostElements): Moved from Node.cpp and optimized this code a bit. It's more efficient
to get the parent node and check for ShadowRoot and DocumentFragment only when the parent is null than to check
for those two node types before getting the parent node.
(WebCore::checkAcceptChild): Merged two code paths to call containsIncludingHostElements. The early return for
a pseudo element is there only to prevent tree corruption in release build even in the presence of a major bug
so it shouldn't be an spec compliance issue.
* dom/Node.cpp:
(WebCore::Node::containsIncludingHostElements const): Deleted.
* dom/Node.h:

LayoutTests:

Added a regression test.

* fast/dom/insert-template-parent-into-adopted-content-expected.txt: Added.
* fast/dom/insert-template-parent-into-adopted-content.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243233 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/insert-template-parent-into-adopted-content-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/insert-template-parent-into-adopted-content.html [new file with mode: 0644]
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-template-element/template-element/template-content-hierarcy-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNode.cpp
Source/WebCore/dom/Node.cpp
Source/WebCore/dom/Node.h