VirtualNode props getter throws in an AngularJS v1 edge case with hidden input elements #4316
Labels
fix
Bug fixes
Comments
dbjorge
added a commit
that referenced
this issue
Feb 1, 2024
…de types (#4317) Updates VirtualNode's `props` initialization path to avoid reading properties that we know based on `nodeType` won't be present anyway. This should mitigate #4316 by avoiding reading the problematic `value` prop present on certain text nodes. I also cleaned up some missing test coverage in the impacted code. Closes: #4316
straker
pushed a commit
that referenced
this issue
Feb 5, 2024
…de types (#4317) Updates VirtualNode's `props` initialization path to avoid reading properties that we know based on `nodeType` won't be present anyway. This should mitigate #4316 by avoiding reading the problematic `value` prop present on certain text nodes. I also cleaned up some missing test coverage in the impacted code. Closes: #4316
Merged
WilcoFiers
added a commit
that referenced
this issue
Mar 25, 2024
## [4.9.0](v4.8.4...v4.9.0) (2024-03-25) ### Features - adding the wcag131 tag to the aria-hidden-body rule ([#4349](#4349)) ([dd4c3c3](dd4c3c3)), closes [#4315](#4315) - **checks:** deprecate aria-busy check ([#4356](#4356)) ([be0b555](be0b555)), closes [#4347](#4347) [#4340](#4340) - **color:** add color channel values and luminosity, saturation, clip functions ([#4366](#4366)) ([9e70199](9e70199)), closes [/github.com//pull/4365/files#r1517706612](https://github.com/dequelabs//github.com/dequelabs/axe-core/pull/4365/files/issues/r1517706612) - **i18n:** add Greek Translations ([#3836](#3836)) ([3ea9a48](3ea9a48)) - **i18n:** Add Italian translation ([#4344](#4344)) ([de1baa9](de1baa9)) - **i18n:** Add Simplified Chinese translation ([#4379](#4379)) ([bda7c8d](bda7c8d)) - **i18n:** Add Taiwanese Mandarin translation ([#4299](#4299)) ([c5e11de](c5e11de)) ### Bug Fixes - Add LICENSE-3RD-PARTY.txt file ([#4304](#4304)) ([daa0fe6](daa0fe6)) - add Object.values polyfill for node <=6 ([#4274](#4274)) ([5eb867b](5eb867b)) - **aria-required-children:** avoid confusing aria-busy message in failures ([#4347](#4347)) ([591607d](591607d)), closes [#fail13](https://github.com/dequelabs/axe-core/issues/fail13) [#4340](#4340) - avoid reading element-specific node properties of non-element node types ([#4317](#4317)) ([b853b18](b853b18)), closes [#4316](#4316) [#4316](#4316) - **color-contrast:** handle text that is outside `overflow: hidden` ancestor ([#4357](#4357)) ([bdb7300](bdb7300)), closes [#4253](#4253) - **color-contrast:** support color blend modes hue, saturation, color, luminosity ([#4365](#4365)) ([7ae4761](7ae4761)) - **d.ts:** RawNodesResult issues ([#4229](#4229)) ([d660518](d660518)) - **d.ts:** RunOptions.reporter can be any string ([#4218](#4218)) ([e53f5c5](e53f5c5)) - **i18n:** update Italian translations ([#4377](#4377)) ([4d65d4b](4d65d4b)) - **listitem:** clarify roleNotValid message ([#4374](#4374)) ([0f8a9af](0f8a9af)) - **scrollable-region-focusable:** missing wcag213 tag ([#4201](#4201)) ([0080a72](0080a72)) - **target-size:** always pass 10x targets (avoid perf bottleneck) ([#4376](#4376)) ([be327c4](be327c4)) - **target-size:** do not crash for nodes with many overlapping widgets ([#4373](#4373)) ([1dbea83](1dbea83)), closes [#4359](#4359) [#4359](#4359) [#4360](#4360) - **utils/get-selector:** ignore 'xmlns' attribute when generating a selector ([#4303](#4303)) ([938b411](938b411)) This PR was opened by a robot 🤖 🎉
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We debugged a customer issue today involving an axe-core crash when running against a specific customer page. The page in question was using AngularJS 1.7.8 and included a DOM snippet with a structure similar to the following:
AngularJS v1.7.8 includes this hacky workaround that is intended to be applied to
<input type="hidden">elements to override the way theirvalueproperty getters work. However, in the customer page, for some reason this overridenvaluegetter ended up applied not just to theinputelements, but also to some of the textNodes representing the whitespace in between the two hidden inputs.This causes axe-core to throw an error in
/lib/core/base/virtual-node/virtual-node.jswhen it attempts to read thevalueof the text nodes in question - it expects that this operation should just harmlessly returnundefinedfor a text node, but the AngularJS override ends up trying to invoketheTextNode.getAttribute('value'), which throws because it's a text node.Unfortunately, we were unable to extract a minimal/standalone repro for this issue - the above code is structurally similar to what we saw in the customer's page, but not enough on its own to trigger the issue. We know that the override in question isn't present in newer/supported versions of angular, so we think it's probably not a good use of time to further debug the root cause of the override being applied to the unexpected nodes; it's unlikely that the issue would be fixed even if we identified the root cause. Instead, we can mitigate the customer impact by just being more defensive about when we read the
valueproperty - it (and a few other props) shouldn't need to be read at all for non-input elements.The text was updated successfully, but these errors were encountered: