Don't associate form-associated elements with forms in other trees.
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jul 2016 00:13:49 +0000 (00:13 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jul 2016 00:13:49 +0000 (00:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=119451
<rdar://problem/27382946>

Change is based on the Blink change (patch by <adamk@chromium.org>):
<https://chromium.googlesource.com/chromium/blink/+/0b33128be67e7845d495d5219614c02ccfe7a414>

Reviewed by Chris Dumez.

Source/WebCore:

Prevent elements from being associated with forms that are not part of the same home subtree.
This brings us in line with the WhatWG HTML specification as of September, 2013.

Tests: fast/forms/image-disconnected-during-parse.html
       fast/forms/input-disconnected-during-parse.html

* dom/Element.h:
(WebCore::Element::rootElement): Added.
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto): If the element is associated with a form that
is not part of the same tree, remove the association.
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::insertedInto): Ditto.

LayoutTests:

* fast/forms/image-disconnected-during-parse-expected.txt: Added.
* fast/forms/image-disconnected-during-parse.html: Added.
* fast/forms/input-disconnected-during-parse-expected.txt: Added.
* fast/forms/input-disconnected-during-parse.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203383 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/image-disconnected-during-parse.html [new file with mode: 0644]
LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/input-disconnected-during-parse.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.h
Source/WebCore/html/FormAssociatedElement.cpp
Source/WebCore/html/HTMLImageElement.cpp

index 0221e5a..eee1d32 100644 (file)
@@ -1,3 +1,19 @@
+2016-07-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Don't associate form-associated elements with forms in other trees.
+        https://bugs.webkit.org/show_bug.cgi?id=119451
+        <rdar://problem/27382946>
+
+        Change is based on the Blink change (patch by <adamk@chromium.org>):
+        <https://chromium.googlesource.com/chromium/blink/+/0b33128be67e7845d495d5219614c02ccfe7a414>
+
+        Reviewed by Chris Dumez.
+
+        * fast/forms/image-disconnected-during-parse-expected.txt: Added.
+        * fast/forms/image-disconnected-during-parse.html: Added.
+        * fast/forms/input-disconnected-during-parse-expected.txt: Added.
+        * fast/forms/input-disconnected-during-parse.html: Added.
+
 2016-07-18  Dean Jackson  <dino@apple.com>
 
         REGRESSION (r202950): Image zoom animations are broken at medium.com (159861)
diff --git a/LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt b/LayoutTests/fast/forms/image-disconnected-during-parse-expected.txt
new file mode 100644 (file)
index 0000000..4706759
--- /dev/null
@@ -0,0 +1,10 @@
+Image elements should not be associated with forms in different trees
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.forms[0].myimage is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/forms/image-disconnected-during-parse.html b/LayoutTests/fast/forms/image-disconnected-during-parse.html
new file mode 100644 (file)
index 0000000..f5eafc1
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<form>
+    <div id="target">
+        <script>
+            var d = document.getElementById('target');
+            d.parentNode.removeChild(d);
+        </script>
+        <img name=myimage>
+    </div>
+</form>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+description('Image elements should not be associated with forms in different trees');
+shouldBeUndefined('document.forms[0].myimage');
+</script>
+<script src="../../resources/js-test-post.js"></script>
\ No newline at end of file
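Review bot: This test only checks the association result (`document.forms[0].myimage` is undefined) and never drops the detached subtree or forces a collection, so unlike the sibling input test it does not exercise the lifetime side of the bug where the image keeps a pointer to a form in another tree. Mirroring the input test with `var unused = document.forms[0].myimage; d = null; gc();` before the `shouldBeUndefined` would cover the "should not crash" case for HTMLImageElement too. The file also lacks a trailing newline, which the repository's other layout tests have.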
diff --git a/LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt b/LayoutTests/fast/forms/input-disconnected-during-parse-expected.txt
new file mode 100644 (file)
index 0000000..ebd6071
--- /dev/null
@@ -0,0 +1,10 @@
+FormAssociatedElements should not be associated with forms in different trees (and should not crash)
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.forms[0].elements[0] is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/forms/input-disconnected-during-parse.html b/LayoutTests/fast/forms/input-disconnected-during-parse.html
new file mode 100644 (file)
index 0000000..c6620a3
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<form>
+    <div>
+        <script>
+            var d = document.querySelector('div');
+            d.parentNode.removeChild(d);
+        </script>
+        <input>
+    </div>
+</form>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+description('FormAssociatedElements should not be associated with forms in different trees (and should not crash)');
+var unused = document.forms[0].elements.length;
+d = null;
+gc();
+shouldBeUndefined('document.forms[0].elements[0]');
+</script>
+<script src="../../resources/js-test-post.js"></script>
index 239c58a..58c648a 100644 (file)
@@ -1,3 +1,28 @@
+2016-07-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Don't associate form-associated elements with forms in other trees.
+        https://bugs.webkit.org/show_bug.cgi?id=119451
+        <rdar://problem/27382946>
+
+        Change is based on the Blink change (patch by <adamk@chromium.org>):
+        <https://chromium.googlesource.com/chromium/blink/+/0b33128be67e7845d495d5219614c02ccfe7a414>
+
+        Reviewed by Chris Dumez.
+
+        Prevent elements from being associated with forms that are not part of the same home subtree.
+        This brings us in line with the WhatWG HTML specification as of September, 2013.
+
+        Tests: fast/forms/image-disconnected-during-parse.html
+               fast/forms/input-disconnected-during-parse.html
+
+        * dom/Element.h:
+        (WebCore::Node::rootElement): Added.
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::insertedInto): If the element is associated with a form that
+        is not part of the same tree, remove the association.
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::insertedInto): Ditto.
+
 2016-07-18  Anders Carlsson  <andersca@apple.com>
 
         WebKit nightly fails to build on macOS Sierra
index be2177c..0c5b6c9 100644 (file)
@@ -3,7 +3,7 @@
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Peter Kelly (pmk@post.com)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013, 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2016 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -147,6 +147,8 @@ public:
     // to the render layer and merge bindingsOffsetParent and offsetParent.
     Element* bindingsOffsetParent();
 
+    const Element* rootElement() const;
+
     Element* offsetParent();
     double clientLeft();
     double clientTop();
@@ -663,6 +665,17 @@ inline Element* Node::parentElement() const
     return is<Element>(parent) ? downcast<Element>(parent) : nullptr;
 }
 
+inline const Element* Element::rootElement() const
+{
+    if (inDocument())
+        return document().documentElement();
+
+    const Element* highest = this;
+    while (highest->parentElement())
+        highest = highest->parentElement();
+    return highest;
+}
+
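Review bot: For a disconnected element, `rootElement()` returns the highest *Element* ancestor, not the root of the tree: `parentElement()` (defined just above, L195-L197) yields nullptr as soon as the parent is a non-Element node, so two elements that are siblings directly under a DocumentFragment (or a ShadowRoot) report different roots and the callers in FormAssociatedElement/HTMLImageElement will break an association that is in fact within the same tree. If that is acceptable for the parser-disconnect case this commit targets, it deserves a comment on the declaration, e.g. `// Highest Element ancestor (the documentElement when in a document). Does not walk through a DocumentFragment or ShadowRoot parent, so this is not the spec's "root".`; otherwise the walk should use `parentNode()` and compare Node identity. Note also that both ChangeLog entries list this as `Node::rootElement`, while the function is defined on `Element`.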
 inline bool Element::hasAttributeWithoutSynchronization(const QualifiedName& name) const
 {
     ASSERT(fastAttributeLookupAllowed(name));
index 27069f7..30fcd48 100644 (file)
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  *
  * This library is free software; you can redistribute it and/or
@@ -75,6 +75,9 @@ void FormAssociatedElement::insertedInto(ContainerNode& insertionPoint)
         m_formSetByParser = nullptr;
     }
 
+    if (m_form && element.rootElement() != m_form->rootElement())
+        setForm(nullptr);
+
     if (!insertionPoint.inDocument())
         return;
 
index d90827a..86b3338 100644 (file)
@@ -38,6 +38,7 @@
 #include "MIMETypeRegistry.h"
 #include "MediaList.h"
 #include "MediaQueryEvaluator.h"
+#include "NodeTraversal.h"
 #include "Page.h"
 #include "RenderImage.h"
 #include "Settings.h"
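Review bot: `NodeTraversal.h` is added here but no line visible in this file's hunks uses anything from it; the new code relies on `rootElement()` from Element.h instead. If the include is a leftover from porting the Blink patch (which, I would guess, used a traversal helper to find the highest ancestor), it should be dropped so the include list matches what the file actually uses.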
@@ -307,6 +308,11 @@ Node::InsertionNotificationRequest HTMLImageElement::insertedInto(ContainerNode&
         m_form->registerImgElement(this);
     }
 
+    if (m_form && rootElement() != m_form->rootElement()) {
+        m_form->removeImgElement(this);
+        m_form = nullptr;
+    }
+
     if (!m_form) {
         m_form = HTMLFormElement::findClosestFormAncestor(*this);
         if (m_form)
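Review bot: The root comparison at L246 runs after `m_form->registerImgElement(this)` on L243, so for a parser-assigned form in another tree the image is registered with that form and then immediately removed from it. If the block ending at L244 is the `m_formSetByParser` hand-off (its start is above the hunk, so I cannot confirm), performing the root check before the register call would avoid touching the foreign form at all, e.g. `if (m_form && rootElement() != m_form->rootElement()) m_form = nullptr; else if (m_form) m_form->registerImgElement(this);` inside that block. Either way a one-line comment like `// Never keep an owner that lives in a different tree (e.g. parser-set form whose subtree was detached by script).` would explain the intent. The function continues past the end of the hunk.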