LayoutTests:

        Reviewed by Oliver.

        - test for <rdar://problem/5340603> REGRESSION: javascript being written to the screen in Safari

        * fast/tokenizer/badscript-expected.txt: Added.
        * fast/tokenizer/badscript.html: Added.

WebCore:

        Reviewed by Oliver.

        - fixed <rdar://problem/5340603> REGRESSION: javascript being written to the screen in Safari

        Test Case: fast/tokenizer/badscript.html

        * html/HTMLTokenizer.cpp:
        (WebCore::HTMLTokenizer::parseTag): Don't apply our self-closing
        <script> quirk in cases where the / appears in a mangled attribtue
        value.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@24405 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8b3b890..a3a1cbd 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2007-07-18  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Oliver.
+        
+        - test for <rdar://problem/5340603> REGRESSION: javascript being written to the screen in Safari
+
+        * fast/tokenizer/badscript-expected.txt: Added.
+        * fast/tokenizer/badscript.html: Added.
+
 2007-07-17  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Geoff Garen.

diff --git a/LayoutTests/fast/tokenizer/badscript-expected.txt b/LayoutTests/fast/tokenizer/badscript-expected.txt
new file mode 100644 (file)
index 0000000..cf06d0e
--- /dev/null
+++ b/LayoutTests/fast/tokenizer/badscript-expected.txt
@@ -0,0 +1 @@
+This tests that bad attribute syntax doesn't mistakenly trigger the self-closing script quirk.

diff --git a/LayoutTests/fast/tokenizer/badscript.html b/LayoutTests/fast/tokenizer/badscript.html
new file mode 100644 (file)
index 0000000..d4abab2
--- /dev/null
+++ b/LayoutTests/fast/tokenizer/badscript.html
@@ -0,0 +1,9 @@
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+This tests that bad attribute syntax doesn't mistakenly trigger the self-closing script quirk.
+<script type"text/javascript">
+var thisShouldNotShowUp;
+</script>
+

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 39df657..dddf33a 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2007-07-18  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Oliver.
+
+        - fixed <rdar://problem/5340603> REGRESSION: javascript being written to the screen in Safari
+
+        Test Case: fast/tokenizer/badscript.html
+        
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::parseTag): Don't apply our self-closing
+        <script> quirk in cases where the / appears in a mangled attribtue
+        value.
+
 2007-07-17  Peter Kasting  <zerodpx@gmail.com>
 
         Reviewed by Hyatt.

diff --git a/WebCore/html/HTMLTokenizer.cpp b/WebCore/html/HTMLTokenizer.cpp
index 52c1321..95f7b1c 100644 (file)
--- a/WebCore/html/HTMLTokenizer.cpp
+++ b/WebCore/html/HTMLTokenizer.cpp
@@ -828,6 +828,7 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
     unsigned cBufferPos = m_cBufferPos;
 
     int* lineNoPtr = lineNumberPtr();
+    bool lastIsSlash = false;
 
     while (!src.isEmpty()) {
         checkBuffer();
@@ -1000,6 +1001,15 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
 #endif
             while(!src.isEmpty()) {
                 UChar curchar = *src;
+
+                if (lastIsSlash && curchar == '>') {
+                    // This is a quirk (with a long sad history).  We have to do this
+                    // since widgets do <script src="foo.js"/> and expect the tag to close.
+                    if (currToken.tagName == scriptTag)
+                        currToken.flat = true;
+                    currToken.brokenXMLStyle = true;
+                }
+
                 // In this mode just ignore any quotes or slashes we encounter and treat them like spaces.
                 if (curchar > ' ' && curchar != '\'' && curchar != '"' && curchar != '/') {
                     if(curchar == '=') {
@@ -1015,19 +1025,15 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
                         currToken.addAttribute(m_doc, attrName, emptyAtom, inViewSourceMode());
                         dest = buffer;
                         state.setTagState(SearchAttribute);
+                        lastIsSlash = false;
                     }
                     break;
                 }
                 if (inViewSourceMode())
                     currToken.addViewSourceChar(curchar);
                     
-                if (curchar == '/') {
-                    // This is a quirk (with a long sad history).  We have to do this
-                    // since widgets do <script src="foo.js"/> and expect the tag to close.
-                    if (currToken.tagName == scriptTag)
-                        currToken.flat = true;
-                    currToken.brokenXMLStyle = true;
-                }
+                lastIsSlash = curchar == '/';
+
                 src.advance(lineNoPtr);
             }
             break;