Handling of objects with both named and indexed properties is probably incorrect

Consider this testcase:

   <!DOCTYPE html>
   <form><input name="1"></form>
   <script>
     var list = document.forms[0].elements;
     alert(list[list.length])
   </script>

Browsers mostly interoperably alert "undefined" (well, at least Gecko, 
WebKit+V8, Presto, Trident all do; WebKit+JSC alerts "[object 
HTMLInputElement]").

However the current WebIDL spec plus the current HTML spec seem to 
require that "[object HTMLInputElement]" be alerted.  Indeed in WebIDL 
section 4.6.2 step 1 substep 2, ToUint32("1") is not a supported 
property index, so we move on to step 2.  form.elements supports named 
properties, so step 2 involves us calling the named property getter, and 
the HTML spec says the set of supported property names is "all the id 
and name attributes of all the elements represented by the collection".

I think that Safari's behavior here is buggy; in particular it would 
break loops of the form:

   for (var i = 0; list[i]; ++i) {
   }

which are in fact used in the wild (though possibly not on nodes with 
ids that look like integers).

If the specs want to align with the non-Safari behavior, I think there 
are two options.  Either HTML needs to exclude ids and names that look 
like integers from the set of supported property names, or WebIDL needs 
to be changed so that for objects which support indexed properties step 
2 of 4.6.2 is skipped if the given property name is an array index 
property name.

Personally, I would prefer this be changed in WebIDL.

-Boris

Received on Friday, 15 June 2012 17:46:25 UTC