
Revision 161598

Author: yosin@chromium.org
Date: Fri Nov 8 10:06:18 2013 UTC (9 years, 6 months ago)
Changed paths: 4
Log Message:
Make "InsertHTML" and "Indent" commands handle DOM tree modification during processing

This patch makes the "InsertHTML" and "Indent" commands handle DOM tree modification during processing. When calling Node::insertBefore(), JavaScript may be executed, e.g. via <iframe src="javascript:...">, and it modifies the DOM tree.

In issue 314469, a use-after-free is caused at the |startBlock| variable, which holds a raw Node pointer to a node removed during script execution in ReplaceSelectionCommand::doApply().

The changes to CompositeEditCommand::cloneParagraphUnderNewElement() are similar to those for ReplaceSelectionCommand::doApply(). |outerNode| is removed during CompositeEditCommand::appendNode(), which inserts the <iframe src="javascript:...">.

BUG=314469
TEST=LayoutTests/editing/inserting/insert-with-javascript-protocol-crash.html

Review URL: https://codereview.chromium.org/64103002
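The defect class the commit message describes, as an added example that is not Blink's code: a toy tree in which inserting a node may run script, with std::shared_ptr standing in for Blink's RefPtr. Node, insertBefore, insertAndUseStartBlock and runScenario are names assumed for the illustration; the point shown is the fix pattern (strong reference held across the insertion, membership re-checked afterwards), not the crash.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

// Toy DOM node (constructed for this example, not Blink's Node): children owned via shared_ptr.
struct Node {
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children;
    bool inDocument() const { return parent != nullptr; }
    void removeChild(Node* child) {
        auto it = std::find_if(children.begin(), children.end(),
            [child](const std::shared_ptr<Node>& c) { return c.get() == child; });
        if (it != children.end()) { (*it)->parent = nullptr; children.erase(it); }
    }
};

// Script that may run while a node is inserted (the <iframe src="javascript:..."> case).
using ScriptHook = std::function<void()>;

void insertBefore(Node& parent, std::shared_ptr<Node> child, const ScriptHook& onInsert) {
    child->parent = &parent;
    parent.children.insert(parent.children.begin(), std::move(child));
    if (onInsert) onInsert();
}

// Fix pattern: startBlock is kept alive by a strong reference (the parameter) for the
// whole call and re-checked for document membership before it is used again.
bool insertAndUseStartBlock(Node& root, std::shared_ptr<Node> startBlock, const ScriptHook& script) {
    insertBefore(root, std::make_shared<Node>(), script);
    if (!startBlock->inDocument())   // removed by script: stop editing here
        return false;
    startBlock->children.push_back(std::make_shared<Node>());  // safe to use now
    return true;
}

// Scenario: optionally let script run during insertion remove startBlock; the caller
// moves its reference into the call, so the parameter is the only owner left afterwards.
bool runScenario(bool scriptRemovesStartBlock) {
    Node root;
    auto startBlock = std::make_shared<Node>();
    startBlock->parent = &root;
    root.children.push_back(startBlock);
    Node* raw = startBlock.get();
    ScriptHook script;
    if (scriptRemovesStartBlock)
        script = [&root, raw] { root.removeChild(raw); };
    return insertAndUseStartBlock(root, std::move(startBlock), script);
}
```

With a raw `Node*` in place of the strong reference, the `inDocument()` check itself would already be a read of freed memory; holding the reference is what makes the check meaningful.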

Changed paths

Path  (Details)
trunk/LayoutTests/editing/inserting/insert-with-javascript-protocol-crash-expected.txt  (added, props changed; copied from trunk/LayoutTests/editing/execCommand/indent-with-first-child-crash-expected.txt, r161597)
trunk/LayoutTests/editing/inserting/insert-with-javascript-protocol-crash.html  (added)
trunk/Source/core/editing/CompositeEditCommand.cpp  (modified, text changed)
trunk/Source/core/editing/ReplaceSelectionCommand.cpp  (modified, text changed)

Properties

Name Value
commit-bot commit-bot@chromium.org
