Bug 45218

Summary: Move functions from Frame to Editor as planned
Product: WebKit
Reporter: Darin Adler <darin>
Component: WebCore Misc.
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: dglazkov, gustavo, webkit-ews, webkit.review.bot, xan.lopez, zecke
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Description | Flags
Patch | none
Patch | abarth: review+, abarth: commit-queue-

Description Darin Adler 2010-09-03 17:56:19 PDT
Move functions from Frame to Editor as planned
Comment 1 Darin Adler 2010-09-08 17:36:01 PDT
Created attachment 66972
Patch
Comment 2 Early Warning System Bot 2010-09-08 17:57:16 PDT
Attachment 66972 did not build on qt:
Build output: http://queues.webkit.org/results/3949295
Comment 3 WebKit Review Bot 2010-09-08 21:08:40 PDT
Attachment 66972 did not build on gtk:
Build output: http://queues.webkit.org/results/3979090
Comment 4 WebKit Review Bot 2010-09-08 21:47:14 PDT
Attachment 66972 did not build on chromium:
Build output: http://queues.webkit.org/results/3919332
Comment 5 WebKit Review Bot 2010-09-09 07:52:17 PDT
Attachment 66972 did not build on win:
Build output: http://queues.webkit.org/results/3985048
Comment 6 Darin Adler 2010-09-09 10:52:42 PDT
Created attachment 67059
Patch
Comment 7 Adam Barth 2010-09-09 12:35:52 PDT
Comment on attachment 67059
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=67059&action=prettypatch

> WebCore/editing/Editor.cpp:3366
> +    styleElement->appendChild(m_frame->document()->createEditingTextNode(""), ec);
> +    ASSERT(!ec);
This is a security vulnerability.  appendChild fires DOM mutation events, which run JavaScript, which can make |node| point off into unallocated memory.  Please RefPtr node.

> WebCore/editing/Editor.cpp:3394
> +    Node* shadowTreeRoot = selection.shadowTreeRootNode();
I bet this needs to be RefPtr for the same reason.
Comment 8 Darin Adler 2010-09-09 14:16:48 PDT
(In reply to comment #7)
> (From update of attachment 67059)
> View in context: https://bugs.webkit.org/attachment.cgi?id=67059&action=prettypatch
> 
> > WebCore/editing/Editor.cpp:3366
> > +    styleElement->appendChild(m_frame->document()->createEditingTextNode(""), ec);
> > +    ASSERT(!ec);
> This is a security vulnerability.  appendChild fires DOM mutation events, which run JavaScript, which can make |node| point off into unallocated memory.  Please RefPtr node.

Glad you spotted it. But the node here came from position.node(); Position already holds the node in a RefPtr. I’ll change the code to use position.node() and eliminate the local variable for clarity on this point.

> > WebCore/editing/Editor.cpp:3394
> > +    Node* shadowTreeRoot = selection.shadowTreeRootNode();
> I bet this needs to be RefPtr for the same reason.

I put this in a RefPtr.
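As an added illustration of the lifetime hazard discussed in comments 7 and 8 (example code, not WebKit's): a constructed DOM-like `Node` in which `std::shared_ptr` stands in for WebKit's `RefPtr` and an `onChildInserted` callback stands in for script run by a DOM mutation event. Appending a child to a node that the caller holds only as a raw `Node*`, while that callback detaches the node from the tree, frees the node under the caller; holding it in the smart pointer first keeps it alive.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a DOM node. std::shared_ptr plays the role of
// WebKit's RefPtr; onChildInserted plays the role of a DOMNodeInserted
// handler, i.e. script that may perform arbitrary tree mutations.
struct Node {
    std::string name;
    std::vector<std::shared_ptr<Node>> children;
    std::function<void()> onChildInserted;
    explicit Node(std::string n) : name(std::move(n)) {}
};

// Inserts the child and then dispatches the mutation event, the point at
// which script runs. The handler is copied out first so that dispatch stays
// well-defined even when the handler destroys `parent`.
void appendChild(Node& parent, std::shared_ptr<Node> child) {
    parent.children.push_back(std::move(child));
    std::function<void()> handler = parent.onChildInserted;
    if (handler)
        handler();
}

// Builds document -> style, keeps `style` as a raw Node* the way the patch
// did, and appends a text node to it while the mutation handler detaches
// `style` from the document (dropping the tree's only reference). Returns
// whether `style` is still alive afterwards; with protectWithRefPtr == false
// the raw pointer is dangling once appendChild returns.
bool styleElementSurvives(bool protectWithRefPtr) {
    auto document = std::make_shared<Node>("document");
    appendChild(*document, std::make_shared<Node>("style"));

    Node* style = document->children.back().get();            // raw pointer, like the patch
    std::weak_ptr<Node> liveness = document->children.back(); // safe way to observe lifetime

    Node* doc = document.get();
    style->onChildInserted = [doc] { doc->children.clear(); }; // "script" removes style

    std::shared_ptr<Node> protector;                          // the RefPtr the reviewer asked for
    if (protectWithRefPtr)
        protector = document->children.back();

    appendChild(*style, std::make_shared<Node>("#text"));
    // Do not touch `style` here: without the protector it now points at freed memory.
    return !liveness.expired();
}
```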
Comment 9 Darin Adler 2010-09-09 16:09:16 PDT
Committed r67122: <http://trac.webkit.org/changeset/67122>
Comment 10 Ryosuke Niwa 2012-05-30 00:54:10 PDT
*** Bug 23430 has been marked as a duplicate of this bug. ***