Bug 596455 - Do not sanitize input's value while we are parsing. r=bz a=blocking

content/html/content/reftests/596455-1a.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html class='reftest-wait'>
+  <script>
+    function onLoadHandler()
+    {
+      document.getElementById('l').value = document.getElementById('i').value;
+      document.documentElement.className='';
+    }
+  </script>
+  <body onload="onLoadHandler();">
+    <input type='hidden' value='foo&#13;bar' id='i'>
+    <textarea id='l'></textarea>
+  </body>
+</html>

content/html/content/reftests/596455-1b.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html class='reftest-wait'>
+  <script>
+    function onLoadHandler()
+    {
+      document.getElementById('l').value = document.getElementById('i').value;
+      document.documentElement.className='';
+    }
+  </script>
+  <body onload="onLoadHandler();">
+    <input value='foo&#13;bar' type='hidden' id='i'>
+    <textarea id='l'></textarea>
+  </body>
+</html>

content/html/content/reftests/596455-2a.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html class='reftest-wait'>
+  <script>
+    function onLoadHandler()
+    {
+      document.getElementById('l').value = document.getElementById('i').value;
+      document.documentElement.className='';
+    }
+  </script>
+  <body onload="onLoadHandler();">
+    <input style="display:none;" type='text' value='foo&#13;bar' id='i'>
+    <textarea id='l'></textarea>
+  </body>
+</html>

content/html/content/reftests/596455-2b.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html class='reftest-wait'>
+  <script>
+    function onLoadHandler()
+    {
+      document.getElementById('l').value = document.getElementById('i').value;
+      document.documentElement.className='';
+    }
+  </script>
+  <body onload="onLoadHandler();">
+    <input style="display:none;" value='foo&#13;bar' type='text' id='i'>
+    <textarea id='l'></textarea>
+  </body>
+</html>

content/html/content/reftests/596455-ref-1.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <textarea>foo&#13;bar</textarea>
+  </body>
+</html>

content/html/content/reftests/596455-ref-2.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <textarea>foobar</textarea>
+  </body>
+</html>

content/html/content/reftests/reftest.list

@@ -13,6 +13,10 @@
 == 560059-video-dimensions.html 560059-video-dimensions-ref.html
 == 573322-quirks.html 573322-quirks-ref.html
 == 573322-no-quirks.html 573322-no-quirks-ref.html
+== 596455-1a.html 596455-ref-1.html
+== 596455-1b.html 596455-ref-1.html
+== 596455-2a.html 596455-ref-2.html
+== 596455-2b.html 596455-ref-2.html
 == hidden-1a.html hidden-1-ref.html
 == hidden-1b.html hidden-1-ref.html
 == hidden-1c.html hidden-1-ref.html

content/html/content/src/nsHTMLInputElement.cpp

@@ -1404,7 +1404,9 @@ nsHTMLInputElement::SetValueInternal(const nsAString& aValue,
     // Because we have to create a new string for that, we should prevent doing
     // it if it's useless.
     nsAutoString value(aValue);
-    SanitizeValue(value);
+    if (!GET_BOOLBIT(mBitField, BF_PARSER_CREATING)) {
+      SanitizeValue(value);
+    }
 
     if (aSetValueChanged) {
       SetValueChanged(PR_TRUE);
@@ -2546,7 +2548,10 @@ nsHTMLInputElement::HandleTypeChange(PRUint8 aNewType)
 {
   ValueModeType aOldValueMode = GetValueMode();
   nsAutoString aOldValue;
-  GetValue(aOldValue);
+
+  if (aOldValueMode == VALUE_MODE_VALUE && !GET_BOOLBIT(mBitField, BF_PARSER_CREATING)) {
+    GetValue(aOldValue);
+  }
 
   // Only single line text inputs have a text editor state.
   PRBool isNewTypeSingleLine =
@@ -2563,40 +2568,42 @@ nsHTMLInputElement::HandleTypeChange(PRUint8 aNewType)
 
   mType = aNewType;
 
-  /**
-   * The following code is trying to reproduce the algorithm described here:
-   * http://www.whatwg.org/specs/web-apps/current-work/complete.html#input-type-change
-   */
-  switch (GetValueMode()) {
-    case VALUE_MODE_DEFAULT:
-    case VALUE_MODE_DEFAULT_ON:
-      // If the previous value mode was value, we need to set the value content
-      // attribute to the previous value.
-      // There is no value sanitizing algorithm for elements in this mode.
-      if (aOldValueMode == VALUE_MODE_VALUE && !aOldValue.IsEmpty()) {
-        SetAttr(kNameSpaceID_None, nsGkAtoms::value, aOldValue, PR_TRUE);
-      }
-      break;
-    case VALUE_MODE_VALUE:
-      // If the previous value mode wasn't value, we have to set the value to
-      // the value content attribute.
-      // SetValueInternal is going to sanitize the value.
-      {
-        nsAutoString value;
-        if (aOldValueMode != VALUE_MODE_VALUE) {
-          GetAttr(kNameSpaceID_None, nsGkAtoms::value, value);
-        } else {
-          // We get the current value so we can sanitize it.
-          GetValue(value);
+  if (!GET_BOOLBIT(mBitField, BF_PARSER_CREATING)) {
+    /**
+     * The following code is trying to reproduce the algorithm described here:
+     * http://www.whatwg.org/specs/web-apps/current-work/complete.html#input-type-change
+     */
+    switch (GetValueMode()) {
+      case VALUE_MODE_DEFAULT:
+      case VALUE_MODE_DEFAULT_ON:
+        // If the previous value mode was value, we need to set the value content
+        // attribute to the previous value.
+        // There is no value sanitizing algorithm for elements in this mode.
+        if (aOldValueMode == VALUE_MODE_VALUE && !aOldValue.IsEmpty()) {
+          SetAttr(kNameSpaceID_None, nsGkAtoms::value, aOldValue, PR_TRUE);
         }
-        SetValueInternal(value, PR_FALSE, PR_FALSE);
-      }
-      break;
-    case VALUE_MODE_FILENAME:
-    default:
-      // We don't care about the value.
-      // There is no value sanitizing algorithm for elements in this mode.
-      break;
+        break;
+      case VALUE_MODE_VALUE:
+        // If the previous value mode wasn't value, we have to set the value to
+        // the value content attribute.
+        // SetValueInternal is going to sanitize the value.
+        {
+          nsAutoString value;
+          if (aOldValueMode != VALUE_MODE_VALUE) {
+            GetAttr(kNameSpaceID_None, nsGkAtoms::value, value);
+          } else {
+            // We get the current value so we can sanitize it.
+            GetValue(value);
+          }
+          SetValueInternal(value, PR_FALSE, PR_FALSE);
+        }
+        break;
+      case VALUE_MODE_FILENAME:
+      default:
+        // We don't care about the value.
+        // There is no value sanitizing algorithm for elements in this mode.
+        break;
+    }
   }
 
   // Do not notify, it will be done after if needed.
@@ -2606,6 +2613,9 @@ nsHTMLInputElement::HandleTypeChange(PRUint8 aNewType)
 void
 nsHTMLInputElement::SanitizeValue(nsAString& aValue)
 {
+  NS_ASSERTION(!GET_BOOLBIT(mBitField, BF_PARSER_CREATING),
+               "The element parsing should be finished!");
+
   switch (mType) {
     case NS_FORM_INPUT_TEXT:
     case NS_FORM_INPUT_SEARCH:
@@ -3228,6 +3238,13 @@ nsHTMLInputElement::DoneCreatingElement()
     DoSetCheckedChanged(PR_FALSE, PR_FALSE);
   }
 
+  // Sanitize the value.
+  if (GetValueMode() == VALUE_MODE_VALUE) {
+    nsAutoString aValue;
+    GetValue(aValue);
+    SetValueInternal(aValue, PR_FALSE, PR_FALSE);
+  }
+
   SET_BOOLBIT(mBitField, BF_SHOULD_INIT_CHECKED, PR_FALSE);
 }
 
@@ -4320,7 +4337,9 @@ nsHTMLInputElement::GetDefaultValueFromContent(nsAString& aValue)
     GetDefaultValue(aValue);
     // This is called by the frame to show the value.
     // We have to sanitize it when needed.
-    SanitizeValue(aValue);
+    if (!GET_BOOLBIT(mBitField, BF_PARSER_CREATING)) {
+      SanitizeValue(aValue);
+    }
   }
 }