Changeset 24936 in webkit


Timestamp: Aug 8, 2007, 10:37:24 AM (18 years ago)
Author: antti
Message:

LayoutTests:

Reviewed by Darin.


Test for <rdar://problem/5391576>
Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)

  • fast/table/incomplete-table-in-fragment-2-expected.txt: Added.
  • fast/table/incomplete-table-in-fragment-2.html: Added.

WebCore:

Reviewed by Darin.


Fix for <rdar://problem/5391576>
Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)


Add null checks to protect against


e.innerHTML = "<tr>text</tr>";


type cases. Normal assumptions about document tree structure don't hold when parsing
fragments. Results don't match Firefox in all cases. It seems to have some sort of
anything-goes fragment parsing mode.


  • html/HTMLParser.cpp: (WebCore::HTMLParser::handleError):
Location: trunk
Files: 2 added, 3 edited

  • trunk/LayoutTests/ChangeLog

    r24935 r24936  
     12007-08-08  Antti Koivisto  <antti@apple.com>
     2
     3        Reviewed by Darin.
     4       
     5        Test for <rdar://problem/5391576>
     6        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)
     7
     8        * fast/table/incomplete-table-in-fragment-2-expected.txt: Added.
     9        * fast/table/incomplete-table-in-fragment-2.html: Added.
     10
    1112007-08-07  Kevin McCullough  <kmccullough@apple.com>
    212
  • trunk/WebCore/ChangeLog

    r24935 r24936  
     12007-08-08  Antti Koivisto  <antti@apple.com>
     2
     3        Reviewed by Darin.
     4       
     5        Fix for <rdar://problem/5391576>
     6        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)
     7       
     8        Add null checks to protect against
     9       
     10        e.innerHTML = "<tr>text</tr>";
     11       
     12        type cases. Normal assumptions about document tree structure don't hold when parsing
     13        fragments. Results don't match Firefox in all cases. It seems to have some sort of
     14        anything-goes fragment parsing mode.
     15       
     16        * html/HTMLParser.cpp:
     17        (WebCore::HTMLParser::handleError):
     18
    1192007-08-07  Kevin McCullough  <kmccullough@apple.com>
    220
  • trunk/WebCore/html/HTMLParser.cpp

    r24831 r24936  
    529529                if (n->isTextNode() ||
    530530                    (h->hasLocalName(trTag) &&
    531                      isTableSection(parent) && grandparent->hasTagName(tableTag)) ||
     531                     isTableSection(parent) && grandparent && grandparent->hasTagName(tableTag)) ||
    532532                     ((!n->hasTagName(tdTag) && !n->hasTagName(thTag) &&
    533533                       !n->hasTagName(formTag) && !n->hasTagName(scriptTag)) && isTableSection(node) &&
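Review bot: At new line 531 the added `grandparent &&` guard comes after `isTableSection(parent)`, so `parent` is still passed in without a visible null check. If fragment parsing can leave `grandparent` null, the same kind of input may leave `parent` null too. Please confirm that `isTableSection` tolerates a null argument, or guard it here as well, for example `parent && isTableSection(parent) && grandparent && grandparent->hasTagName(tableTag)`. A one-line comment noting that the guard exists for fragment parsing would also help, since this condition mixes `&&` and `||` across several lines.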
     
    535535                    node = (node->hasTagName(tableTag)) ? node :
    536536                            ((node->hasTagName(trTag)) ? grandparent : parent);
     537                    // This can happen with fragments
     538                    if (!node)
     539                        return false;
    537540                    Node* parent = node->parentNode();
    538541                    if (!parent)
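Review bot: The comment at new line 537, `// This can happen with fragments`, does not say what can happen. It would be clearer to state that the `grandparent` or `parent` selected at line 536 can be null when the content being parsed is a fragment without the usual table ancestors. It is also worth confirming that the new `return false` at line 539 is handled like the existing error exits, because this path bails out after the condition at lines 529-533 has already matched. Separately, `Node* parent` at line 540 shadows the `parent` read at line 536, which makes the null reasoning harder to follow; a distinct name for the inner variable would help.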