From b1a569c1c55e1c115e78869de8e9d24dfe66c769 Mon Sep 17 00:00:00 2001
From: Sam Atkins <atkinssj@serenityos.org>
Date: Sat, 9 Sep 2023 11:40:43 +0100
Subject: [PATCH] LibWeb: Stop crashing when textarea element is modified
 before insertion

If an element is created from JS, it might have its contents modified
before it is inserted into the document. In this case, we don't have a
shadow tree yet and so trying to set m_text_node's text content would
cause a null dereference. So let's not do that. :^)

That case also means that by the time we do create the shadow tree, we
have the text content already, so we can set it there.

Added a test to verify that we don't crash, and that the text content
appears in the textarea whether it was inserted by JS or by the HTML
parser.
---
 .../Layout/expected/textarea-content.txt      | 38 +++++++++++++++++++
 .../LibWeb/Layout/input/textarea-content.html |  9 +++++
 .../LibWeb/HTML/HTMLTextAreaElement.cpp       |  8 ++--
 3 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/textarea-content.txt
 create mode 100644 Tests/LibWeb/Layout/input/textarea-content.html

diff --git a/Tests/LibWeb/Layout/expected/textarea-content.txt b/Tests/LibWeb/Layout/expected/textarea-content.txt
new file mode 100644
index 0000000000..a5ad26030f
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/textarea-content.txt
@@ -0,0 +1,38 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x56.9375 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x40.9375 children: inline
+      line 0 width: 403.75, height: 40.9375, bottom: 40.9375, baseline: 13.53125
+        frag 0 from BlockContainer start: 0, length: 0, rect: [11,11 191.875x34.9375]
+        frag 1 from TextNode start: 0, length: 1, rect: [206,8 8x17.46875]
+          " "
+        frag 2 from BlockContainer start: 0, length: 0, rect: [217,11 191.875x34.9375]
+      TextNode <#text>
+      BlockContainer <textarea> at (11,11) content-size 191.875x34.9375 inline-block [BFC] children: not-inline
+        BlockContainer <div> at (11,11) content-size 191.875x17.46875 children: not-inline
+          BlockContainer <div> at (11,11) content-size 191.875x17.46875 children: inline
+            line 0 width: 152.203125, height: 17.46875, bottom: 17.46875, baseline: 13.53125
+              frag 0 from TextNode start: 0, length: 17, rect: [11,11 152.203125x17.46875]
+                "Bonjour mon amis!"
+            TextNode <#text>
+      TextNode <#text>
+      BlockContainer <textarea> at (217,11) content-size 191.875x34.9375 inline-block [BFC] children: not-inline
+        BlockContainer <div> at (217,11) content-size 191.875x17.46875 children: not-inline
+          BlockContainer <div> at (217,11) content-size 191.875x17.46875 children: inline
+            line 0 width: 142.140625, height: 17.46875, bottom: 17.46875, baseline: 13.53125
+              frag 0 from TextNode start: 0, length: 19, rect: [217,11 142.140625x17.46875]
+                "Well hello friends!"
+            TextNode <#text>
+      TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x56.9375]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x40.9375]
+      PaintableWithLines (BlockContainer<TEXTAREA>) [8,8 197.875x40.9375]
+        PaintableWithLines (BlockContainer<DIV>) [11,11 191.875x17.46875]
+          PaintableWithLines (BlockContainer<DIV>) [11,11 191.875x17.46875]
+            TextPaintable (TextNode<#text>)
+      TextPaintable (TextNode<#text>)
+      PaintableWithLines (BlockContainer<TEXTAREA>) [214,8 197.875x40.9375]
+        PaintableWithLines (BlockContainer<DIV>) [217,11 191.875x17.46875]
+          PaintableWithLines (BlockContainer<DIV>) [217,11 191.875x17.46875]
+            TextPaintable (TextNode<#text>)
diff --git a/Tests/LibWeb/Layout/input/textarea-content.html b/Tests/LibWeb/Layout/input/textarea-content.html
new file mode 100644
index 0000000000..daaf12f8c8
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/textarea-content.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<body>
+<textarea>Bonjour mon amis!</textarea>
+<script>
+    const textarea = document.createElement("textarea");
+    textarea.innerText = "Well hello friends!";
+    document.body.appendChild(textarea);
+</script>
+</body>
diff --git a/Userland/Libraries/LibWeb/HTML/HTMLTextAreaElement.cpp b/Userland/Libraries/LibWeb/HTML/HTMLTextAreaElement.cpp
index af348fdf95..8e813be978 100644
--- a/Userland/Libraries/LibWeb/HTML/HTMLTextAreaElement.cpp
+++ b/Userland/Libraries/LibWeb/HTML/HTMLTextAreaElement.cpp
@@ -101,11 +101,12 @@ void HTMLTextAreaElement::create_shadow_tree_if_needed()
 
     m_inner_text_element = MUST(DOM::create_element(document(), HTML::TagNames::div, Namespace::HTML));
 
-    // NOTE: The text content of the <textarea> element is not available to us yet.
-    //       It gets filled in by `children_changed()`.
     m_text_node = heap().allocate<DOM::Text>(realm(), document(), String {});
     m_text_node->set_always_editable(true);
     m_text_node->set_editable_text_node_owner(Badge<HTMLTextAreaElement> {}, *this);
+    // NOTE: If `children_changed()` was called before now, `m_raw_value` will hold the text content.
+    //       Otherwise, it will get filled in whenever that does get called.
+    m_text_node->set_text_content(m_raw_value);
 
     MUST(m_inner_text_element->append_child(*m_text_node));
     MUST(element->append_child(*m_inner_text_element));
@@ -120,7 +121,8 @@ void HTMLTextAreaElement::children_changed()
     // set the element's raw value to its child text content.
     if (!m_dirty) {
         m_raw_value = child_text_content();
-        m_text_node->set_text_content(m_raw_value);
+        if (m_text_node)
+            m_text_node->set_text_content(m_raw_value);
     }
 }