Title: [286309] trunk/Source/WebCore
- Revision
- 286309
- Author
- [email protected]
- Date
- 2021-11-30 11:25:08 -0800 (Tue, 30 Nov 2021)
Log Message
Use scriptDisallowedScope in FrameSelection::updateAppearance
https://bugs.webkit.org/show_bug.cgi?id=233644
Patch by Gabriel Nava Marino <[email protected]> on 2021-11-30
Reviewed by Ryosuke Niwa.
Use scriptDisallowedScope in FrameSelection::updateAppearance to avoid re-entrancy
RenderView problems when a downstream function executes a JS callback.
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::validateSelection const):
(WebCore::FrameSelection::updateAppearance):
* editing/FrameSelection.h:
Modified: trunk/Source/WebCore/ChangeLog (286308 => 286309)
--- trunk/Source/WebCore/ChangeLog 2021-11-30 19:24:15 UTC (rev 286308)
+++ trunk/Source/WebCore/ChangeLog 2021-11-30 19:25:08 UTC (rev 286309)
@@ -1,3 +1,18 @@
+2021-11-30 Gabriel Nava Marino <[email protected]>
+
+ Use scriptDisallowedScope in FrameSelection::updateAppearance
+ https://bugs.webkit.org/show_bug.cgi?id=233644
+
+ Reviewed by Ryosuke Niwa.
+
+ Use scriptDisallowedScope in FrameSelection::updateAppearance to avoid re-entrancy
+ RenderView problems when a downstream function executes a JS callback.
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::validateSelection const):
+ (WebCore::FrameSelection::updateAppearance):
+ * editing/FrameSelection.h:
+
2021-11-30 Chris Dumez <[email protected]>
Scripting attributes are sometimes not properly stripped from elements when JS is disabled
Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (286308 => 286309)
--- trunk/Source/WebCore/editing/FrameSelection.cpp 2021-11-30 19:24:15 UTC (rev 286308)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp 2021-11-30 19:25:08 UTC (rev 286309)
@@ -2182,10 +2182,6 @@
}
#endif
- RenderView* view = m_document->renderView();
- if (!view)
- return;
-
// Construct a new VisibleSolution, since m_selection is not necessarily valid, and the following steps
// assume a valid selection. See <https://bugs.webkit.org/show_bug.cgi?id=69563> and <rdar://problem/10232866>.
#if ENABLE(TEXT_CARET)
@@ -2195,9 +2191,15 @@
VisibleSelection selection(oldSelection.visibleStart(), oldSelection.visibleEnd());
#endif
- if (!selection.isRange()) {
- view->selection().clear();
- return;
+ {
+ ScriptDisallowedScope scriptDisallowedScope;
+ auto* view = m_document->renderView();
+ if (!view)
+ return;
+ if (!selection.isRange()) {
+ view->selection().clear();
+ return;
+ }
}
// Use the rightmost candidate for the start of the selection, and the leftmost candidate for the end of the selection.
@@ -2215,7 +2217,7 @@
// We can get into a state where the selection endpoints map to the same VisiblePosition when a selection is deleted
// because we don't yet notify the FrameSelection of text removal.
- if (startPos.isNotNull() && endPos.isNotNull() && selection.visibleStart() != selection.visibleEnd()) {
+ if (auto* view = m_document->renderView(); startPos.isNotNull() && endPos.isNotNull() && selection.visibleStart() != selection.visibleEnd()) {
RenderObject* startRenderer = startPos.deprecatedNode()->renderer();
int startOffset = startPos.deprecatedEditingOffset();
RenderObject* endRenderer = endPos.deprecatedNode()->renderer();
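Review bot: The `view` re-fetched in the if-init at `if (auto* view = m_document->renderView(); startPos.isNotNull() && ...` is never null-checked, unlike the one inside the new ScriptDisallowedScope block above; the candidate/VisiblePosition work between that block and this line runs with script allowed again, so the render view may have been destroyed by the time it is re-read, and if the body (outside the hunk) dereferences `view`, that would be a null dereference on the same re-entrancy path this change is closing. Folding the check into the condition keeps the existing shape: `if (auto* view = m_document->renderView(); view && startPos.isNotNull() && endPos.isNotNull() && selection.visibleStart() != selection.visibleEnd()) {`. A one-line comment above the scoped block would also help, e.g. `// Keep script disallowed while the RenderView is read: a JS callback run from a downstream call could destroy it.`, since the reason for the block currently lives only in the ChangeLog. updateAppearance begins before the first hunk and its body continues past this one.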