Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4c43686c301aef17743728f6b428205b47296dd7
      
https://github.com/WebKit/WebKit/commit/4c43686c301aef17743728f6b428205b47296dd7
  Author: Nathan Solomon <[email protected]>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M Source/WebCore/dom/ContainerNode.cpp

  Log Message:
  -----------
Fix ContainerNode::replaceAll not removing existing children when inserting an Element
https://bugs.webkit.org/show_bug.cgi?id=315251
rdar://177576067

Reviewed by Ryosuke Niwa.

In ContainerNode::replaceAll, 288944@main inlined the removeAllChildrenWithScriptAssertion()
call into the right-hand side of a || expression. When the newly inserted node is an Element,
the short-circuit evaluation of auto replacedAllChildren = is<Element>(*node) ||
removeAllChildrenWithScriptAssertionMaybeAsync skips the call and the existing children are
never removed.

Split the removal back into its own statement so it executes unconditionally regardless of
the inserted node type. The bug is currently unreachable because all callers pass a Text
node or nullptr, but this would break correctness if replaceAll is ever called with an
Element. There is even an existing FIXME in HTMLElement::setInnerText() that states that
the method should use replaceAll() on elements, so the risk of causing correctness issues in
the future without this being fixed is real.

No new tests. This obviously should not regress correctness. In its current
state this should technically not "fix" anything, but it can in the future.

* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::replaceAll):

Canonical link: https://commits.webkit.org/313912@main
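The short-circuit problem described in the commit message, reduced to a toy model. This is an added illustration, not WebCore code: `Container`, `Node`, `NodeType`, `removeAllChildren()`, `replaceAllBuggy()` and `replaceAllFixed()` are stand-ins constructed here for the real `ContainerNode`, `is<Element>` and `removeAllChildrenWithScriptAssertionMaybeAsync()`. The buggy variant keeps the removal call on the right-hand side of `||`, so inserting an Element leaves the old children in place; the fixed variant runs the removal as its own statement.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <vector>

// Toy stand-ins for WebCore's node classes (constructed for illustration only).
enum class NodeType { Text, Element };

struct Node {
    NodeType type;
};

struct Container {
    std::vector<Node*> children;
    bool removeAllWasCalled = false;

    // Stand-in for removeAllChildrenWithScriptAssertionMaybeAsync(): drops every
    // child and reports whether there was anything to remove.
    bool removeAllChildren() {
        removeAllWasCalled = true;
        bool hadChildren = !children.empty();
        children.clear();
        return hadChildren;
    }

    // Shape of the code before the fix: the removal sits on the right of ||, so
    // when the new node is an Element the left operand is true and the removal
    // is never evaluated.
    void replaceAllBuggy(Node* node) {
        bool replacedAllChildren =
            (node && node->type == NodeType::Element) || removeAllChildren();
        (void)replacedAllChildren;  // only the side effect matters for this model
        if (node)
            children.push_back(node);
    }

    // Shape of the code after the fix: removal is its own statement and runs
    // unconditionally, regardless of the inserted node's type.
    void replaceAllFixed(Node* node) {
        bool replacedAllChildren = removeAllChildren();
        (void)replacedAllChildren;
        if (node)
            children.push_back(node);
    }
};

// Seeds a container with two existing children (constructed sample data),
// replaces them with a node of the given type, and returns how many children
// remain. A correct replaceAll always leaves exactly one.
std::size_t childCountAfterReplace(NodeType inserted, bool useFixed) {
    Node oldText{NodeType::Text};
    Node oldElement{NodeType::Element};
    Node newNode{inserted};
    Container container;
    container.children = {&oldText, &oldElement};
    if (useFixed)
        container.replaceAllFixed(&newNode);
    else
        container.replaceAllBuggy(&newNode);
    return container.children.size();
}

// Reports whether the removal routine ran at all for the given variant.
bool removalRan(NodeType inserted, bool useFixed) {
    Node oldText{NodeType::Text};
    Node newNode{inserted};
    Container container;
    container.children = {&oldText};
    if (useFixed)
        container.replaceAllFixed(&newNode);
    else
        container.replaceAllBuggy(&newNode);
    return container.removeAllWasCalled;
}

int main() {
    std::cout << "buggy, Text inserted:    " << childCountAfterReplace(NodeType::Text, false) << " children\n";
    std::cout << "buggy, Element inserted: " << childCountAfterReplace(NodeType::Element, false) << " children\n";
    std::cout << "fixed, Element inserted: " << childCountAfterReplace(NodeType::Element, true) << " children\n";
    return 0;
}
```

With a Text node both variants behave identically, which is why the bug is unreachable today; the Element path is the one that diverges, and splitting the removal into its own statement is what makes it run regardless of the operand on the left.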


