Fix for bug 10385, add more support for crappy pseudo-XML-in-HTML.

        Reviewed by ggaren

        Added fast/parser/bad-xml-slash.html

        * html/HTMLTokenizer.cpp:
        (WebCore::HTMLTokenizer::parseTag):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@15862 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/fast/parser/bad-xml-slash-expected.checksum b/LayoutTests/fast/parser/bad-xml-slash-expected.checksum
new file mode 100644 (file)
index 0000000..1e0988a
--- /dev/null
+++ b/LayoutTests/fast/parser/bad-xml-slash-expected.checksum
@@ -0,0 +1 @@
+8a1530b9dfddc07f2217781cb6fc4dfe
\ No newline at end of file

diff --git a/LayoutTests/fast/parser/bad-xml-slash-expected.png b/LayoutTests/fast/parser/bad-xml-slash-expected.png
new file mode 100644 (file)
index 0000000..d8efd4a
Binary files /dev/null and b/LayoutTests/fast/parser/bad-xml-slash-expected.png differ

diff --git a/LayoutTests/fast/parser/bad-xml-slash-expected.txt b/LayoutTests/fast/parser/bad-xml-slash-expected.txt
new file mode 100644 (file)
index 0000000..57a57ff
--- /dev/null
+++ b/LayoutTests/fast/parser/bad-xml-slash-expected.txt
@@ -0,0 +1,8 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderBlock {INPUT} at (3,4) size 12x12
+      RenderText {#text} at (18,0) size 218x18
+        text run at (18,0) width 218: "This checkbox should be checked."

diff --git a/LayoutTests/fast/parser/bad-xml-slash.html b/LayoutTests/fast/parser/bad-xml-slash.html
new file mode 100644 (file)
index 0000000..561306a
--- /dev/null
+++ b/LayoutTests/fast/parser/bad-xml-slash.html
@@ -0,0 +1 @@
+<input type=checkbox checked/>This checkbox should be checked.

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 44904d2d403194d2ee988ba020c2bb5d9229ae4d..3495272e59230ffcb716e3e620efc80a94a2ba6f 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,14 @@
+2006-08-14  David Hyatt  <hyatt@apple.com>
+
+        Fix for bug 10385, add more support for crappy pseudo-XML-in-HTML.
+
+        Reviewed by ggaren
+
+        Added fast/parser/bad-xml-slash.html
+
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::parseTag):
+
 2006-08-14  Darin Adler  <darin@apple.com>
 
         Reviewed by John Sullivan.

diff --git a/WebCore/html/HTMLTokenizer.cpp b/WebCore/html/HTMLTokenizer.cpp
index 968fcf18fde863a312dd25547121a551a83f314e..68a9b54ff0b50dd7c4f3477b914e9cc258981bfb 100644 (file)
--- a/WebCore/html/HTMLTokenizer.cpp
+++ b/WebCore/html/HTMLTokenizer.cpp
@@ -928,7 +928,10 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
             int ll = min(src.length(), CBUFLEN-cBufferPos);
             while(ll--) {
                 UChar curchar = *src;
-                if (curchar <= '>' && (curchar >= '=' || curchar <= ' ')) {
+                // If we encounter a "/" when scanning an attribute name, treat it as a delimiter.  However, we only do
+                // this if we have actual attribute contents.  This allows the degenerate case of <input type=checkbox checked/>
+                // to work (despite it being utterly invalid).
+                if (curchar <= '>' && (curchar >= '=' || curchar <= ' ' || (curchar == '/' && attrName.length() > 0))) {
                     cBuffer[cBufferPos] = '\0';
                     attrName = AtomicString(cBuffer);
                     dest = buffer;