Bug 45218

Summary: Move functions from Frame to Editor as planned
Product: WebKit Reporter: Darin Adler <darin>
Component: WebCore Misc.Assignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal CC: dglazkov, gustavo, webkit-ews, webkit.review.bot, xan.lopez, zecke
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch
none
Patch abarth: review+, abarth: commit-queue-

Darin Adler
Reported 2010-09-03 17:56:19 PDT
Move functions from Frame to Editor as planned
Attachments
Patch (109.55 KB, patch)
2010-09-08 17:36 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
Patch (114.52 KB, patch)
2010-09-09 10:52 PDT, Darin Adler 		abarth: review+
abarth: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2010-09-08 17:36:01 PDT
Created attachment 66972 [details] Patch
Early Warning System Bot
Comment 2 2010-09-08 17:57:16 PDT
Attachment 66972 [details] did not build on qt: Build output: http://queues.webkit.org/results/3949295
WebKit Review Bot
Comment 3 2010-09-08 21:08:40 PDT
Attachment 66972 [details] did not build on gtk: Build output: http://queues.webkit.org/results/3979090
WebKit Review Bot
Comment 4 2010-09-08 21:47:14 PDT
Attachment 66972 [details] did not build on chromium: Build output: http://queues.webkit.org/results/3919332
WebKit Review Bot
Comment 5 2010-09-09 07:52:17 PDT
Attachment 66972 [details] did not build on win: Build output: http://queues.webkit.org/results/3985048
Darin Adler
Comment 6 2010-09-09 10:52:42 PDT
Created attachment 67059 [details] Patch
Adam Barth
Comment 7 2010-09-09 12:35:52 PDT
Comment on attachment 67059 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=67059&action=prettypatch > WebCore/editing/Editor.cpp:3366 > + styleElement->appendChild(m_frame->document()->createEditingTextNode(""), ec); > + ASSERT(!ec); This is a security vulnerability. appendChild fires DOM mutation events, which run JavaScript, which can make |node| point off into unallocated memory. Please RefPtr node. > WebCore/editing/Editor.cpp:3394 > + Node* shadowTreeRoot = selection.shadowTreeRootNode(); I bet this needs to be RefPtr for the same reason.
Darin Adler
Comment 8 2010-09-09 14:16:48 PDT
(In reply to comment #7) > (From update of attachment 67059 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=67059&action=prettypatch > > > WebCore/editing/Editor.cpp:3366 > > + styleElement->appendChild(m_frame->document()->createEditingTextNode(""), ec); > > + ASSERT(!ec); > This is a security vulnerability. appendChild fires DOM mutation events, which run JavaScript, which can make |node| point off into unallocated memory. Please RefPtr node. Glad you spotted it. But the node here came from position.node(); Position already holds the node in a RefPtr. I’ll change the code to use position.node() and eliminate the local variable for clarity on this point. > > WebCore/editing/Editor.cpp:3394 > > + Node* shadowTreeRoot = selection.shadowTreeRootNode(); > I bet this needs to be RefPtr for the same reason. I put this in a RefPtr.
Darin Adler
Comment 9 2010-09-09 16:09:16 PDT
Committed r67122: <http://trac.webkit.org/changeset/67122>
Ryosuke Niwa
Comment 10 2012-05-30 00:54:10 PDT
*** Bug 23430 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.