Title: [94832] trunk
- Revision
- 94832
- Author
- sulli...@chromium.org
- Date
- 2011-09-08 21:03:21 -0700 (Thu, 08 Sep 2011)
Log Message
Crashes in WebCore::InsertNodeBeforeCommand constructor.
https://bugs.webkit.org/show_bug.cgi?id=67763
Reviewed by Ryosuke Niwa.
Source/WebCore:
Changes editableRootForPosition() to use the position's containerNode instead of deprecatedNode so that
positions which are before or after a given node cannot return that node as the editable root.
Test: editing/inserting/insert-paragraph-selection-outside-contenteditable.html
* editing/htmlediting.cpp:
(WebCore::editableRootForPosition): use containerNode instead of deprecatedNode.
LayoutTests:
Tests for crash when the selection is outside the contenteditable node.
* editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt: Added.
* editing/inserting/insert-paragraph-selection-outside-contenteditable.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (94831 => 94832)
--- trunk/LayoutTests/ChangeLog 2011-09-09 03:20:59 UTC (rev 94831)
+++ trunk/LayoutTests/ChangeLog 2011-09-09 04:03:21 UTC (rev 94832)
@@ -1,3 +1,15 @@
+2011-09-08 Annie Sullivan <sulli...@chromium.org>
+
+ Crashes in WebCore::InsertNodeBeforeCommand constructor.
+ https://bugs.webkit.org/show_bug.cgi?id=67763
+
+ Reviewed by Ryosuke Niwa.
+
+ Tests for crash when the selection is outside the contenteditable node.
+
+ * editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt: Added.
+ * editing/inserting/insert-paragraph-selection-outside-contenteditable.html: Added.
+
2011-09-08 Daniel Bates <dba...@webkit.org>
XSS filter bypass via non-standard URL encoding
Added: trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt (0 => 94832)
--- trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable-expected.txt 2011-09-09 04:03:21 UTC (rev 94832)
@@ -0,0 +1,3 @@
+This test ensures that WebKit does not crash or edit the content when the selection is outside of the contenteditable area.
+
+PASS
Added: trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable.html (0 => 94832)
--- trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-selection-outside-contenteditable.html 2011-09-09 04:03:21 UTC (rev 94832)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <meter id="root" contenteditable><span id="wrapper">xxx</span></meter>
+
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var originalContent = root.outerHTML;
+ var sel = window.getSelection();
+ sel.setPosition(document.getElementById("wrapper"), 1);
+ document.execCommand("InsertParagraph", false, null);
+ var editedContent = root.outerHTML;
+ root.style.display = 'none'; // Remove from output.
+
+ document.writeln('This test ensures that WebKit does not crash or edit the content when the selection is outside of the contenteditable area.<br><br>');
+ document.writeln(originalContent == editedContent ? 'PASS' : 'FAIL: expected ' + originalContent + ' but was changed to ' + editedContent);
+ </script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (94831 => 94832)
--- trunk/Source/WebCore/ChangeLog 2011-09-09 03:20:59 UTC (rev 94831)
+++ trunk/Source/WebCore/ChangeLog 2011-09-09 04:03:21 UTC (rev 94832)
@@ -1,3 +1,18 @@
+2011-09-08 Annie Sullivan <sulli...@chromium.org>
+
+ Crashes in WebCore::InsertNodeBeforeCommand constructor.
+ https://bugs.webkit.org/show_bug.cgi?id=67763
+
+ Reviewed by Ryosuke Niwa.
+
+ Changes editableRootForPosition() to use the position's containerNode instead of deprecatedNode so that
+ positions which are before or after a given node cannot return that node as the editable root.
+
+ Test: editing/inserting/insert-paragraph-selection-outside-contenteditable.html
+
+ * editing/htmlediting.cpp:
+ (WebCore::editableRootForPosition): use containerNode instead of deprecatedNode.
+
2011-09-08 James Weatherall <w...@chromium.org>
Release the reference to the HTMLPlugInElement's script object, when the element is removed from the document. This breaks a cyclical reference that would otherwise cause the element to be retained until the document is torn down.
Modified: trunk/Source/WebCore/editing/htmlediting.cpp (94831 => 94832)
--- trunk/Source/WebCore/editing/htmlediting.cpp 2011-09-09 03:20:59 UTC (rev 94831)
+++ trunk/Source/WebCore/editing/htmlediting.cpp 2011-09-09 04:03:21 UTC (rev 94832)
@@ -176,7 +176,7 @@
Element* editableRootForPosition(const Position& p)
{
- Node* node = p.deprecatedNode();
+ Node* node = p.containerNode();
if (!node)
return 0;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes