Changeset 252230 in webkit

Timestamp:

Nov 7, 2019 6:52:40 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Default NamepaceURI must be gotten from the topmost parent before the SVG <foreignObject>
​https://bugs.webkit.org/show_bug.cgi?id=203868

Patch by Said Abou-Hallawa <​sabouhallawa@apple.com> on 2019-11-07
Reviewed by Ryosuke Niwa.

Source/WebCore:

Ensure that we don't cross boundaries from HTML to SVG when traversing
the tree of nodes upward. We need to stop at the foreignObject if it is
one of the ancestors of the contextElement.

Tests: svg/foreignObject/foreign-object-dynamic-parsing.svg

• html/HTMLTableCellElement.cpp:

(WebCore::HTMLTableCellElement::HTMLTableCellElement):
This assertion should not fire if the tag has a prefix like <h:th> or
<h:td> where 'h' is a defined namespace.

• xml/parser/XMLDocumentParser.cpp:

(WebCore::XMLDocumentParser::parseDocumentFragment):
Stop at the first SVG <foreignObject> ancestor when calculating the
defaultNamespaceURI.

• xml/parser/XMLDocumentParser.h:
• xml/parser/XMLDocumentParserLibxml2.cpp:

(WebCore::XMLDocumentParser::XMLDocumentParser):

(WebCore::XMLDocumentParser::startElementNs):
We need to special case setting the namespaceURI of the SVGElmenets. The
defaultNamespaceURI can be wrong for them if the context element is an
HTML element, <div> for example, and the innerHTML is set to something
like: '<svg><rect/></svg>'.

LayoutTests:

• svg/foreignObject/foreign-object-dynamic-parsing-expected.svg: Added.
• svg/foreignObject/foreign-object-dynamic-parsing.svg: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/svg/foreignObject/foreign-object-dynamic-parsing-expected.svg (added)
• LayoutTests/svg/foreignObject/foreign-object-dynamic-parsing.svg (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/HTMLTableCellElement.cpp (modified) (1 diff)
• Source/WebCore/xml/parser/XMLDocumentParser.cpp (modified) (4 diffs)
• Source/WebCore/xml/parser/XMLDocumentParser.h (modified) (3 diffs)
• Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-11-07  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Default NamepaceURI must be gotten from the topmost parent before the SVG <foreignObject>
+        https://bugs.webkit.org/show_bug.cgi?id=203868
+
+        Reviewed by Ryosuke Niwa.
+
+        * svg/foreignObject/foreign-object-dynamic-parsing-expected.svg: Added.
+        * svg/foreignObject/foreign-object-dynamic-parsing.svg: Added.
+
 2019-11-07  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-11-07  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Default NamepaceURI must be gotten from the topmost parent before the SVG <foreignObject>
+        https://bugs.webkit.org/show_bug.cgi?id=203868
+
+        Reviewed by Ryosuke Niwa.
+
+        Ensure that we don't cross boundaries from HTML to SVG when traversing
+        the tree of nodes upward. We need to stop at the foreignObject if it is
+        one of the ancestors of the contextElement.
+
+        Tests: svg/foreignObject/foreign-object-dynamic-parsing.svg
+
+        * html/HTMLTableCellElement.cpp:
+        (WebCore::HTMLTableCellElement::HTMLTableCellElement):
+        This assertion should not fire if the tag has a prefix like <h:th> or
+        <h:td> where 'h' is a defined namespace.
+
+        * xml/parser/XMLDocumentParser.cpp:
+        (WebCore::XMLDocumentParser::parseDocumentFragment):
+        Stop at the first SVG <foreignObject> ancestor when calculating the
+        defaultNamespaceURI.
+
+        * xml/parser/XMLDocumentParser.h:
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::XMLDocumentParser):
+
+        (WebCore::XMLDocumentParser::startElementNs):
+        We need to special case setting the namespaceURI of the SVGElmenets. The
+        defaultNamespaceURI can be wrong for them if the context element is an
+        HTML element, <div> for example, and the innerHTML is set to something
+        like: '<svg><rect/></svg>'.
+
 2019-11-07  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/html/HTMLTableCellElement.cpp

@@ -58 +58 @@
     : HTMLTablePartElement(tagName, document)
 {
-    ASSERT(tagName == thTag || tagName == tdTag);
+    ASSERT(hasLocalName(thTag->localName()) || hasLocalName(tdTag->localName()));
 }
 

trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp

@@ -32 +32 @@
 #include "DocumentFragment.h"
 #include "DocumentType.h"
+#include "ElementAncestorIterator.h"
 #include "Frame.h"
 #include "FrameLoader.h"
@@ -44 +45 @@
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
+#include "SVGForeignObjectElement.h"
 #include "SVGNames.h"
 #include "SVGStyleElement.h"
@@ -51 +53 @@
 #include "TextResourceDecoder.h"
 #include "TreeDepthLimit.h"
+#include "XMLNSNames.h"
 #include <wtf/Ref.h>
 #include <wtf/Threading.h>
@@ -270 +273 @@
     }
 
-    auto parser = XMLDocumentParser::create(fragment, contextElement, parserContentPolicy);
+    HashMap<AtomString, AtomString> prefixToNamespaceMap;
+    AtomString defaultNamespaceURI;
+    bool stopLookingForDefaultNamespaceURI = false;
+    
+    for (auto& element : elementLineage(contextElement)) {
+        if (is<SVGForeignObjectElement>(element))
+            stopLookingForDefaultNamespaceURI = true;
+        else if (!stopLookingForDefaultNamespaceURI)
+            defaultNamespaceURI = element.namespaceURI();
+
+        if (!element.hasAttributes())
+            continue;
+
+        for (const Attribute& attribute : element.attributesIterator()) {
+            if (attribute.prefix() == xmlnsAtom())
+                prefixToNamespaceMap.set(attribute.localName(), attribute.value());
+            else if (!stopLookingForDefaultNamespaceURI && attribute.prefix() == xmlnsAtom())
+                defaultNamespaceURI = attribute.value();
+        }
+    }
+
+    auto parser = XMLDocumentParser::create(fragment, WTFMove(prefixToNamespaceMap), defaultNamespaceURI, parserContentPolicy);
     bool wellFormed = parser->appendFragmentSource(chunk);
     // Do not call finish(). The finish() and doEnd() implementations touch the main document and loader and can cause crashes in the fragment case.

trunk/Source/WebCore/xml/parser/XMLDocumentParser.h

@@ -68 +68 @@
         return adoptRef(*new XMLDocumentParser(document, view));
     }
-    static Ref<XMLDocumentParser> create(DocumentFragment& fragment, Element* element, ParserContentPolicy parserContentPolicy)
+    static Ref<XMLDocumentParser> create(DocumentFragment& fragment, HashMap<AtomString, AtomString>&& prefixToNamespaceMap, const AtomString& defaultNamespaceURI, ParserContentPolicy parserContentPolicy)
     {
-        return adoptRef(*new XMLDocumentParser(fragment, element, parserContentPolicy));
+        return adoptRef(*new XMLDocumentParser(fragment, WTFMove(prefixToNamespaceMap), defaultNamespaceURI, parserContentPolicy));
     }
 
@@ -90 +90 @@
 private:
     explicit XMLDocumentParser(Document&, FrameView* = nullptr);
-    XMLDocumentParser(DocumentFragment&, Element*, ParserContentPolicy);
+    XMLDocumentParser(DocumentFragment&, HashMap<AtomString, AtomString>&&, const AtomString&, ParserContentPolicy);
 
     void insert(SegmentedString&&) final;
@@ -181 +181 @@
 
     bool m_parsingFragment { false };
+
+    HashMap<AtomString, AtomString> m_prefixToNamespaceMap;
     AtomString m_defaultNamespaceURI;
 
-    HashMap<AtomString, AtomString> m_prefixToNamespaceMap;
     SegmentedString m_pendingSrc;
 };

trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

@@ -572 +572 @@
 }
 
-XMLDocumentParser::XMLDocumentParser(DocumentFragment& fragment, Element* parentElement, ParserContentPolicy parserContentPolicy)
+XMLDocumentParser::XMLDocumentParser(DocumentFragment& fragment, HashMap<AtomString, AtomString>&& prefixToNamespaceMap, const AtomString& defaultNamespaceURI, ParserContentPolicy parserContentPolicy)
     : ScriptableDocumentParser(fragment.document(), parserContentPolicy)
     , m_pendingCallbacks(makeUnique<PendingCallbacks>())
@@ -578 +578 @@
     , m_scriptStartPosition(TextPosition::belowRangePosition())
     , m_parsingFragment(true)
+    , m_prefixToNamespaceMap(WTFMove(prefixToNamespaceMap))
+    , m_defaultNamespaceURI(defaultNamespaceURI)
 {
     fragment.ref();
-
-    // Add namespaces based on the parent node
-    Vector<Element*> elemStack;
-    while (parentElement) {
-        elemStack.append(parentElement);
-
-        ContainerNode* node = parentElement->parentNode();
-        if (!is<Element>(node))
-            break;
-        parentElement = downcast<Element>(node);
-    }
-
-    if (elemStack.isEmpty())
-        return;
-
-    // FIXME: Share code with isDefaultNamespace() per http://www.whatwg.org/specs/web-apps/current-work/multipage/the-xhtml-syntax.html#parsing-xhtml-fragments
-    for (; !elemStack.isEmpty(); elemStack.removeLast()) {
-        Element* element = elemStack.last();
-        if (element->hasAttributes()) {
-            for (const Attribute& attribute : element->attributesIterator()) {
-                if (attribute.localName() == xmlnsAtom())
-                    m_defaultNamespaceURI = attribute.value();
-                else if (attribute.prefix() == xmlnsAtom())
-                    m_prefixToNamespaceMap.set(attribute.localName(), attribute.value());
-            }
-        }
-    }
-
-    if (m_defaultNamespaceURI.isNull())
-        m_defaultNamespaceURI = parentElement->namespaceURI();
 }
 
@@ -770 +742 @@
         if (!prefix.isNull())
             uri = m_prefixToNamespaceMap.get(prefix);
+        else if (is<SVGElement>(m_currentNode) || localName == SVGNames::svgTag->localName())
+            uri = SVGNames::svgNamespaceURI;
         else
             uri = m_defaultNamespaceURI;