Commit f91bb620 authored by sullivan@chromium.org

Crashes in WebCore::InsertNodeBeforeCommand constructor.

https://bugs.webkit.org/show_bug.cgi?id=67763

Reviewed by Ryosuke Niwa.

Source/WebCore:

Changes editableRootForPosition() to use the position's containerNode instead of deprecatedNode so that
positions which are before or after a given node cannot return that node as the editable root.

Test: editing/inserting/insert-paragraph-selection-outside-contenteditable.html

* editing/htmlediting.cpp:
(WebCore::editableRootForPosition): use containerNode instead of deprecatedNode.

LayoutTests:

Tests for crash when the selection is outside the contenteditable node.

* editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt: Added.
* editing/inserting/insert-paragraph-selection-outside-contenteditable.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94832 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 0c6b1005
2011-09-08 Annie Sullivan <sullivan@chromium.org>
Crashes in WebCore::InsertNodeBeforeCommand constructor.
https://bugs.webkit.org/show_bug.cgi?id=67763
Reviewed by Ryosuke Niwa.
Tests for crash when the selection is outside the contenteditable node.
* editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt: Added.
* editing/inserting/insert-paragraph-selection-outside-contenteditable.html: Added.
2011-09-08 Daniel Bates <dbates@webkit.org>
XSS filter bypass via non-standard URL encoding
This test ensures that WebKit does not crash or edit the content when the selection is outside of the contenteditable area.
PASS
<!DOCTYPE html>
<html>
<body>
<meter id="root" contenteditable><span id="wrapper">xxx</span></meter>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
var originalContent = root.outerHTML;
var sel = window.getSelection();
sel.setPosition(document.getElementById("wrapper"), 1);
document.execCommand("InsertParagraph", false, null);
var editedContent = root.outerHTML;
root.style.display = 'none'; // Remove from output.
document.writeln('This test ensures that WebKit does not crash or edit the content when the selection is outside of the contenteditable area.<br><br>');
document.writeln(originalContent == editedContent ? 'PASS' : 'FAIL: expected ' + originalContent + ' but was changed to ' + editedContent);
</script>
</body>
</html>
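Review bot: The test's description says the selection is outside the contenteditable area, but `sel.setPosition(document.getElementById("wrapper"), 1)` places it in #wrapper, which is a descendant of the `<meter contenteditable>` element. A short comment in the test saying why this position counts as outside the editable area would make the case understandable without reading the bug. As a smaller style point, `root` is reached through the implicit id global while `wrapper` uses `document.getElementById`; using `document.getElementById("root")` for both would be consistent.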
2011-09-08 Annie Sullivan <sullivan@chromium.org>
Crashes in WebCore::InsertNodeBeforeCommand constructor.
https://bugs.webkit.org/show_bug.cgi?id=67763
Reviewed by Ryosuke Niwa.
Changes editableRootForPosition() to use the position's containerNode instead of deprecatedNode so that
positions which are before or after a given node cannot return that node as the editable root.
Test: editing/inserting/insert-paragraph-selection-outside-contenteditable.html
* editing/htmlediting.cpp:
(WebCore::editableRootForPosition): use containerNode instead of deprecatedNode.
2011-09-08 James Weatherall <wez@chromium.org>
Release the reference to the HTMLPlugInElement's script object, when the element is removed from the document. This breaks a cyclical reference that would otherwise cause the element to be retained until the document is torn down.
......@@ -176,7 +176,7 @@ bool isRichlyEditablePosition(const Position& p)
Element* editableRootForPosition(const Position& p)
{
Node* node = p.deprecatedNode();
Node* node = p.containerNode();
if (!node)
return 0;
......
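Review bot: The new `Node* node = p.containerNode();` line in editableRootForPosition() has no comment, so the reason for preferring containerNode() (a position before or after a node must not return that node as the editable root) lives only in the ChangeLog. A one-line comment above the assignment would make an accidental switch back to deprecatedNode() less likely. The `if (!node)` check that follows still handles a null containerNode(). Because the change applies to every caller of this function while the added layout test covers only InsertParagraph, a test for at least one other editing command with the same selection would be worth adding.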