
Revision 200098


Author: kouhei@chromium.org
Date: Thu Aug 6 06:10:13 2015 UTC (7 years, 9 months ago)
Changed paths: 3
Log Message:
parserRemoveChild: Avoid unintended DOM modifications after user script run.

Surprisingly, ContainerNode::parserRemoveChild may run arbitrary user script during its DOM modification if its target contained iframes.
Before this CL, this could lead to a corrupt DOM tree, as the target node could be moved during parserRemoveChild execution.

This CL adds a bail-out if stmt after disconnecting the child frame to abort if the precondition has changed.

BUG=516377

Review URL: https://codereview.chromium.org/1277793002

Changed paths

Path    Details
trunk/LayoutTests/fast/parser/scriptexec-during-parserRemoveChild-expected.txt    added
trunk/LayoutTests/fast/parser/scriptexec-during-parserRemoveChild.html    added
trunk/Source/core/dom/ContainerNode.cpp    modified, text changed
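
The re-entrancy pattern the log message describes, as an added, simplified model that is not the code from this revision or from Blink: a removal routine checks its precondition, runs a callback that stands in for user script, and must re-check before mutating the tree. `Node`, `onFrameDisconnect`, `parserRemoveChildModel` and the `recheck` flag are assumptions made for illustration.

```cpp
#include <algorithm>
#include <functional>
#include <vector>

// Toy stand-in for a DOM node; these are not Blink's classes.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    std::function<void()> onFrameDisconnect;  // hypothetical hook: script run while frames detach

    void detach(Node& c) {
        children.erase(std::remove(children.begin(), children.end(), &c), children.end());
        c.parent = nullptr;
    }
    void append(Node& c) {
        if (c.parent) c.parent->detach(c);
        c.parent = this;
        children.push_back(&c);
    }
    bool hasChild(const Node& c) const {
        return std::find(children.begin(), children.end(), &c) != children.end();
    }
};

// Model of a parser-driven removal. With recheck=false it trusts the precondition
// checked before script ran; with recheck=true it bails out if the child moved.
bool parserRemoveChildModel(Node& self, Node& child, bool recheck) {
    if (child.parent != &self) return false;
    if (child.onFrameDisconnect) child.onFrameDisconnect();  // arbitrary script may run here
    if (recheck && child.parent != &self) return false;      // precondition changed: abort
    self.detach(child);
    return true;
}

// Runs the scenario where script reparents the child mid-removal and reports whether
// the tree is still consistent: the child's parent pointer and the child lists agree.
bool treeConsistentAfterRemoval(bool recheck) {
    Node oldParent, newParent, child;
    oldParent.append(child);
    child.onFrameDisconnect = [&] { newParent.append(child); };
    parserRemoveChildModel(oldParent, child, recheck);
    bool listed = newParent.hasChild(child) || oldParent.hasChild(child);
    return child.parent ? child.parent->hasChild(child) : !listed;
}
```

Without the re-check, the model ends with the child still listed under the new parent while its parent pointer is null, which is the kind of inconsistent tree state the message refers to.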

Properties

Name Value
commit-bot commit-bot@chromium.org
