Title: [105340] branches/chromium/912
- Revision
- 105340
- Author
- tse...@chromium.org
- Date
- 2012-01-18 16:18:57 -0800 (Wed, 18 Jan 2012)
Log Message
Merge 104275 - Fix a crash when importing an element whose local name ends with ":input".
BUG=108461
Review URL: https://chromiumcodereview.appspot.com/9249041
Diff
Copied: branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt (from rev 104275, trunk/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt) (0 => 105340)
--- branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt (rev 0)
+++ branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName-expected.txt 2012-01-19 00:18:57 UTC (rev 105340)
@@ -0,0 +1,5 @@
+PASS imported.constructor is source.constructor
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName.html (from rev 104275, trunk/LayoutTests/fast/dom/importNode-confusing-localName.html) (0 => 105340)
--- branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName.html (rev 0)
+++ branches/chromium/912/LayoutTests/fast/dom/importNode-confusing-localName.html 2012-01-19 00:18:57 UTC (rev 105340)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<xht:input id="test"></xht:input>
+<script>
+var source = document.getElementById('test');
+var imported = document.importNode(source, true);
+shouldBe('imported.constructor', 'source.constructor');
+</script>
+<script src=""
+</body>
+</html>
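Review bot: The test pins only `imported.constructor`, so a regression that keeps the element class but changes how the name is split into prefix and local name would still pass. Adding `shouldBe('imported.localName', 'source.localName');` after the existing check would pin the name as well. The case covered here is a local name ending in `:input` only; whether other colon-containing names take the same path is not visible from this file.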
Modified: branches/chromium/912/Source/WebCore/dom/Document.cpp (105339 => 105340)
--- branches/chromium/912/Source/WebCore/dom/Document.cpp 2012-01-19 00:16:50 UTC (rev 105339)
+++ branches/chromium/912/Source/WebCore/dom/Document.cpp 2012-01-19 00:18:57 UTC (rev 105340)
@@ -835,8 +835,13 @@
return createComment(importedNode->nodeValue());
case ELEMENT_NODE: {
Element* oldElement = static_cast<Element*>(importedNode);
- RefPtr<Element> newElement = createElementNS(oldElement->namespaceURI(), oldElement->tagQName().toString(), ec);
-
+ // FIXME: The following check might be unnecessary. Is it possible that
+ // oldElement has mismatched prefix/namespace?
+ if (hasPrefixNamespaceMismatch(oldElement->tagQName())) {
+ ec = NAMESPACE_ERR;
+ return 0;
+ }
+ RefPtr<Element> newElement = createElement(oldElement->tagQName(), ec);
if (ec)
return 0;
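Review bot: The new comment above the `hasPrefixNamespaceMismatch()` check is an open question rather than an explanation, and nothing on the new side records why the element is now created from the `QualifiedName` itself instead of from `tagQName().toString()`. Judging by the log message and the added test, the old string round-trip could presumably re-split a local name such as `xht:input` into a prefix plus `input` and build a different element class than the source, so I would state that at the call: `// Create from the QualifiedName as-is; re-parsing its string form can change the prefix/localName split and the element class.` The early return with `NAMESPACE_ERR` is also a new failure path for importNode() that the added layout test does not exercise, so either resolve the FIXME or add a case that reaches it. The enclosing function starts and ends outside this hunk.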