document.importNode from standards to quirks mode document can result in broken selector matching

https://bugs.webkit.org/show_bug.cgi?id=289795
rdar://147548958

Reviewed by Ryosuke Niwa.

Avoid sharing ElementData when cloning if one document has case folding behavior, and
another doesn't.

* LayoutTests/fast/dom/importNode-quirks-class-sharing-expected.txt: Added.
* LayoutTests/fast/dom/importNode-quirks-class-sharing.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::cloneAttributesFromElement):

Canonical link: https://commits.webkit.org/292542@main

Author: aproskuryakov

LayoutTests/fast/dom/importNode-quirks-class-sharing-expected.txt

@@ -0,0 +1,18 @@
+Test that cloning elements between quirks and no-quirks document handles case folding properly
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.compatMode is 'CSS1Compat'
+PASS quirksFrame.contentDocument.compatMode is 'BackCompat'
+PASS noQuirksFrame.contentDocument.compatMode is 'CSS1Compat'
+PASS quirksFrame.contentDocument.querySelector('.pageContentClass') is sectionElementImportedToQuirksDocument
+PASS quirksFrame.contentDocument.querySelector('.pagecontentclass') is sectionElementImportedToQuirksDocument
+PASS document.querySelector('.pageContentClass') is sectionElement
+PASS noQuirksFrame.contentDocument.querySelector('.pageContentClass') is sectionElementImportedToNoQuirksDocument
+PASS quirksFrame.contentDocument.querySelector('.pageContentClass') is sectionElementImportedToQuirksDocument
+PASS quirksFrame.contentDocument.querySelector('.pagecontentclass') is sectionElementImportedToQuirksDocument
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/fast/dom/importNode-quirks-class-sharing.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script src="../../resources/js-test.js"></script>
+</head>
+<body>
+<section id="pageContent" class="pageContentClass"></section>
+<iframe id="quirksFrame" src="about:blank" style="display:none"></iframe>
+<script>
+
+description("Test that cloning elements between quirks and no-quirks document handles case folding properly");
+
+var quirksFrame = document.getElementById("quirksFrame");
+
+var noQuirksFrame = document.createElement("iframe");
+noQuirksFrame.srcdoc = "<!DOCTYPE html><html><head></head><body></body></html>";
+noQuirksFrame.style = "display:none";
+document.body.appendChild(noQuirksFrame);
+
+onload = function() {
+
+    // Sanity check.
+    shouldBe("document.compatMode", "'CSS1Compat'");
+    shouldBe("quirksFrame.contentDocument.compatMode", "'BackCompat'");
+    shouldBe("noQuirksFrame.contentDocument.compatMode", "'CSS1Compat'");
+
+    // Test that cloning from standards mode to quirks mode doesn't mutate the original.
+    sectionElement = document.getElementById("pageContent");
+    sectionElementImportedToQuirksDocument = quirksFrame.contentDocument.importNode(sectionElement);
+    quirksFrame.contentDocument.body.appendChild(sectionElementImportedToQuirksDocument);
+    shouldBe("quirksFrame.contentDocument.querySelector('.pageContentClass')", "sectionElementImportedToQuirksDocument");
+    shouldBe("quirksFrame.contentDocument.querySelector('.pagecontentclass')", "sectionElementImportedToQuirksDocument");
+    shouldBe("document.querySelector('.pageContentClass')", "sectionElement");
+
+    // Same for cloning from quirks to no-quirks.
+    sectionElementImportedToNoQuirksDocument = noQuirksFrame.contentDocument.importNode(sectionElementImportedToQuirksDocument);
+    noQuirksFrame.contentDocument.body.appendChild(sectionElementImportedToNoQuirksDocument);
+    shouldBe("noQuirksFrame.contentDocument.querySelector('.pageContentClass')", "sectionElementImportedToNoQuirksDocument");
+    shouldBe("quirksFrame.contentDocument.querySelector('.pageContentClass')", "sectionElementImportedToQuirksDocument");
+    shouldBe("quirksFrame.contentDocument.querySelector('.pagecontentclass')", "sectionElementImportedToQuirksDocument");
+}
+
+</script>
+</body>
+</html>

Source/WebCore/dom/Element.cpp

@@ -5650,7 +5650,10 @@ void Element::cloneAttributesFromElement(const Element& other)
         && (!uniqueElementData->inlineStyle() || !uniqueElementData->inlineStyle()->hasCSSOMWrapper()))
         const_cast<Element&>(other).m_elementData = uniqueElementData->makeShareableCopy();
 
-    if (!other.m_elementData->isUnique())
+    bool canShareElementData = !other.m_elementData->isUnique()
+        && (document().inQuirksMode() == other.document().inQuirksMode()); // Case folding in quirks mode documents can mutate element data.
+
+    if (canShareElementData)
         m_elementData = other.m_elementData;
     else
         m_elementData = other.m_elementData->makeUniqueCopy();