Title: [146028] trunk
- Revision
- 146028
- Author
- rafa...@chromium.org
- Date
- 2013-03-17 16:58:31 -0700 (Sun, 17 Mar 2013)
Log Message
[HTMLTemplateElement] prevent </template> from matching "template" in a non-HTML tags on the stack of open elements
https://bugs.webkit.org/show_bug.cgi?id=112487
Reviewed by Adam Barth.
Source/WebCore:
When processing an end template tag, the parser now pops until a "template" tag is parsed, but now ensures that
the "template" it pops is in the HTML namespace.
Tests added to the html5lib test suite.
* html/parser/HTMLElementStack.cpp:
(WebCore::HTMLElementStack::popUntil):
(WebCore):
(WebCore::HTMLElementStack::popUntilPopped):
* html/parser/HTMLElementStack.h:
(HTMLElementStack):
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processTemplateEndTag):
LayoutTests:
* html5lib/resources/template.dat:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (146027 => 146028)
--- trunk/LayoutTests/ChangeLog 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/LayoutTests/ChangeLog 2013-03-17 23:58:31 UTC (rev 146028)
@@ -1,3 +1,12 @@
+2013-03-17 Rafael Weinstein <rafa...@chromium.org>
+
+ [HTMLTemplateElement] prevent </template> from matching "template" in a non-HTML tags on the stack of open elements
+ https://bugs.webkit.org/show_bug.cgi?id=112487
+
+ Reviewed by Adam Barth.
+
+ * html5lib/resources/template.dat:
+
2013-03-17 Simon Fraser <simon.fra...@apple.com>
fast/frames/flattening/frameset-flattening-subframesets.html is flakey
Modified: trunk/LayoutTests/html5lib/resources/template.dat (146027 => 146028)
--- trunk/LayoutTests/html5lib/resources/template.dat 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/LayoutTests/html5lib/resources/template.dat 2013-03-17 23:58:31 UTC (rev 146028)
@@ -1230,3 +1230,31 @@
| <body>
| <span>
| "Foo"
+
+#data
+<template><svg><template>
+#errors
+#document
+| <html>
+| <head>
+| <template>
+| content
+| <svg svg>
+| <svg template>
+| <body>
+
+#data
+<template><svg><foo><template><foreignObject><div></template><div>
+#errors
+#document
+| <html>
+| <head>
+| <template>
+| content
+| <svg svg>
+| <svg foo>
+| <svg template>
+| <svg foreignObject>
+| <div>
+| <body>
+| <div>
Modified: trunk/Source/WebCore/ChangeLog (146027 => 146028)
--- trunk/Source/WebCore/ChangeLog 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/Source/WebCore/ChangeLog 2013-03-17 23:58:31 UTC (rev 146028)
@@ -1,3 +1,24 @@
+2013-03-17 Rafael Weinstein <rafa...@chromium.org>
+
+ [HTMLTemplateElement] prevent </template> from matching "template" in a non-HTML tags on the stack of open elements
+ https://bugs.webkit.org/show_bug.cgi?id=112487
+
+ Reviewed by Adam Barth.
+
+ When processing an end template tag, the parser now pops until a "template" tag is parsed, but now ensures that
+ the "template" it pops is in the HTML namespace.
+
+ Tests added to the html5lib test suite.
+
+ * html/parser/HTMLElementStack.cpp:
+ (WebCore::HTMLElementStack::popUntil):
+ (WebCore):
+ (WebCore::HTMLElementStack::popUntilPopped):
+ * html/parser/HTMLElementStack.h:
+ (HTMLElementStack):
+ * html/parser/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::processTemplateEndTag):
+
2013-03-17 Adam Barth <aba...@webkit.org>
Legacy CSS vendor prefixes should only work for Dashboard
Modified: trunk/Source/WebCore/html/parser/HTMLElementStack.cpp (146027 => 146028)
--- trunk/Source/WebCore/html/parser/HTMLElementStack.cpp 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/Source/WebCore/html/parser/HTMLElementStack.cpp 2013-03-17 23:58:31 UTC (rev 146028)
@@ -220,18 +220,31 @@
void HTMLElementStack::popUntil(const AtomicString& tagName)
{
while (!topStackItem()->hasLocalName(tagName)) {
- // pop() will ASSERT at <body> if callers fail to check that there is an
- // element with localName |tagName| on the stack of open elements.
+ // pop() will ASSERT if a <body>, <head> or <html> will be popped.
pop();
}
}
+void HTMLElementStack::popUntil(const QualifiedName& tagName)
+{
+ while (!topStackItem()->hasTagName(tagName)) {
+ // pop() will ASSERT if a <body>, <head> or <html> will be popped.
+ pop();
+ }
+}
+
void HTMLElementStack::popUntilPopped(const AtomicString& tagName)
{
popUntil(tagName);
pop();
}
+void HTMLElementStack::popUntilPopped(const QualifiedName& tagName)
+{
+ popUntil(tagName);
+ pop();
+}
+
void HTMLElementStack::popUntilNumberedHeaderElementPopped()
{
while (!topStackItem()->isNumberedHeaderElement())
Modified: trunk/Source/WebCore/html/parser/HTMLElementStack.h (146027 => 146028)
--- trunk/Source/WebCore/html/parser/HTMLElementStack.h 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/Source/WebCore/html/parser/HTMLElementStack.h 2013-03-17 23:58:31 UTC (rev 146028)
@@ -116,6 +116,11 @@
void popUntil(const AtomicString& tagName);
void popUntil(Element*);
void popUntilPopped(const AtomicString& tagName);
+
+ // FIXME: These are fixes for https://www.w3.org/Bugs/Public/show_bug.cgi?id=21292
+ void popUntil(const QualifiedName&);
+ void popUntilPopped(const QualifiedName&);
+
void popUntilPopped(Element*);
void popUntilNumberedHeaderElementPopped();
void popUntilTableScopeMarker(); // "clear the stack back to a table context" in the spec.
Modified: trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (146027 => 146028)
--- trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2013-03-17 23:06:12 UTC (rev 146027)
+++ trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2013-03-17 23:58:31 UTC (rev 146028)
@@ -967,7 +967,7 @@
m_tree.generateImpliedEndTags();
if (!m_tree.currentStackItem()->hasLocalName(token->name()))
parseError(token);
- m_tree.openElements()->popUntilPopped(token->name());
+ m_tree.openElements()->popUntilPopped(templateTag);
m_tree.activeFormattingElements()->clearToLastMarker();
m_templateInsertionModes.removeLast();
resetInsertionModeAppropriately();
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
