Changeset 117731 in webkit
- Timestamp:
- May 20, 2012 11:11:02 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 28 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r117726 r117731 1 2012-05-20 Ryosuke Niwa <rniwa@webkit.org> 2 3 Using createContextualFragment to insert a <script> does not cause the script to execute 4 https://bugs.webkit.org/show_bug.cgi?id=12234 5 6 Reviewed by Adam Barth. 7 8 Added regressions tests to ensure createContextualFragment doesn't execute script elements 9 immediately as they are parsed and it doesn't mark those script elements as already started. 10 11 The behavior of innerHTML is tested elsewhere and this patch does not affect its behavior. 12 13 * fast/dom/Range/create-contextual-fragment-script-not-ran-expected.txt: Added. 14 * fast/dom/Range/create-contextual-fragment-script-not-ran.html: Added. 15 * fast/dom/Range/create-contextual-fragment-script-unmark-already-started-expected.txt: Added. 16 * fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html: Added. 17 1 18 2012-05-20 Keishi Hattori <keishi@webkit.org> 2 19 -
trunk/Source/WebCore/ChangeLog
r117730 r117731 1 2012-05-20 Ryosuke Niwa <rniwa@webkit.org> 2 3 Using createContextualFragment to insert a <script> does not cause the script to execute 4 https://bugs.webkit.org/show_bug.cgi?id=12234 5 6 Reviewed by Adam Barth. 7 8 Renamed FragmentScriptingAllowed and FragmentScriptingNotAllowed to DisallowScriptingContent 9 and AllowScriptingContent as these two flags are used in code for non-fragment cases and they 10 indicate whether attributes and elements that can invoke scripting should be removed or not. 11 12 To fix the bug, added a new value AllowScriptingContentAndDoNotMarkAlreadyStarted unset 13 already-started and parser-inserted flags [1] on script elements in addition to allowing 14 scripting contents. 15 16 While the HTML5 specification and the DOM Parsing and Serialization specification [2] state that 17 we should set these flags in the parser and later unset them, doing so would require traversing 18 the parsed fragment to find relevant script elements. We short circuit this logic by simply not 19 setting parser-inserted and already-started flags in createContextualFragment. 20 21 [1] http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#already-started 22 [2] http://html5.org/specs/dom-parsing.html#dom-range-createcontextualfragment 23 24 Tests: fast/dom/Range/create-contextual-fragment-script-not-ran.html 25 fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html 26 27 * dom/DocumentFragment.h: 28 (DocumentFragment): 29 * dom/Element.cpp: 30 (WebCore::Element::parserSetAttributes): 31 (WebCore::Element::setAttributeNS): 32 * dom/Element.h: 33 (Element): 34 * dom/FragmentScriptingPermission.h: 35 * dom/Range.cpp: 36 (WebCore::Range::createContextualFragment): Removed FragmentScriptingPermission from the argument 37 list since no one uses it. Always use AllowScriptingContentAndDoNotMarkAlreadyStarted instead. 38 * dom/Range.h: 39 * editing/markup.h: 40 * html/parser/HTMLConstructionSite.cpp: 41 (WebCore::HTMLConstructionSite::HTMLConstructionSite): 42 (WebCore::HTMLConstructionSite::insertScriptElement): Pass false to both parserInserted and 43 alreadyStarted when the scripting permission is AllowScriptingContentAndDoNotMarkAlreadyStarted. 44 Also call parserSetAttributes when the scripting permission is either AllowScriptingContent or 45 AllowScriptingContentAndDoNotMarkAlreadyStarted. 46 * html/parser/HTMLDocumentParser.h: 47 (HTMLDocumentParser): 48 * html/parser/HTMLTreeBuilder.cpp: 49 (WebCore::HTMLTreeBuilder::FragmentParsingContext::FragmentParsingContext): 50 (WebCore::HTMLTreeBuilder::processEndTag): 51 * html/parser/HTMLTreeBuilder.h: 52 (FragmentParsingContext): 53 * platform/blackberry/PasteboardBlackBerry.cpp: 54 (WebCore::Pasteboard::documentFragment): 55 * platform/chromium/DragDataChromium.cpp: 56 (WebCore::DragData::asFragment): 57 * platform/chromium/PasteboardChromium.cpp: 58 (WebCore::Pasteboard::documentFragment): 59 * platform/gtk/PasteboardGtk.cpp: 60 (WebCore::Pasteboard::documentFragment): 61 * platform/mac/PasteboardMac.mm: 62 (WebCore::Pasteboard::documentFragment): 63 * platform/qt/DragDataQt.cpp: 64 (WebCore::DragData::asFragment): 65 * platform/qt/PasteboardQt.cpp: 66 (WebCore::Pasteboard::documentFragment): 67 * platform/win/ClipboardUtilitiesWin.cpp: 68 (WebCore::fragmentFromCFHTML): 69 (WebCore::fragmentFromHTML): 70 * xml/XMLErrors.cpp: 71 (WebCore::createXHTMLParserErrorHeader): 72 (WebCore::XMLErrors::insertErrorMessageBlock): 73 * xml/parser/NewXMLDocumentParser.h: 74 (NewXMLDocumentParser): 75 * xml/parser/XMLDocumentParser.h: 76 (XMLDocumentParser): 77 * xml/parser/XMLDocumentParserLibxml2.cpp: 78 (WebCore::XMLDocumentParser::XMLDocumentParser): 79 (WebCore::XMLDocumentParser::endElementNs): 80 * xml/parser/XMLDocumentParserQt.cpp: 81 (WebCore::XMLDocumentParser::XMLDocumentParser): 82 (WebCore::XMLDocumentParser::parseEndElement): 83 1 84 2012-05-20 Kentaro Hara <haraken@chromium.org> 2 85 -
trunk/Source/WebCore/dom/DocumentFragment.h
r106530 r117731 34 34 static PassRefPtr<DocumentFragment> create(Document*); 35 35 36 void parseHTML(const String&, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);37 bool parseXML(const String&, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);36 void parseHTML(const String&, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent); 37 bool parseXML(const String&, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent); 38 38 39 39 virtual bool canContainRangeEndPoint() const { return true; } -
trunk/Source/WebCore/dom/Element.cpp
r117353 r117731 778 778 // If the element is created as result of a paste or drag-n-drop operation 779 779 // we want to remove all the script and event handlers. 780 if (scriptingPermission == FragmentScriptingNotAllowed) {780 if (scriptingPermission == DisallowScriptingContent) { 781 781 unsigned i = 0; 782 782 while (i < m_attributeData->length()) { … … 1461 1461 } 1462 1462 1463 if (scriptingPermission == FragmentScriptingNotAllowed&& (isEventHandlerAttribute(qName) || isAttributeToRemove(qName, value)))1463 if (scriptingPermission == DisallowScriptingContent && (isEventHandlerAttribute(qName) || isAttributeToRemove(qName, value))) 1464 1464 return; 1465 1465 -
trunk/Source/WebCore/dom/Element.h
r117323 r117731 147 147 148 148 void setAttribute(const AtomicString& name, const AtomicString& value, ExceptionCode&); 149 void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&, FragmentScriptingPermission = FragmentScriptingAllowed);149 void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&, FragmentScriptingPermission = AllowScriptingContent); 150 150 151 151 bool isIdAttributeName(const QualifiedName&) const; -
trunk/Source/WebCore/dom/FragmentScriptingPermission.h
r95901 r117731 32 32 // generating DocumentFragments for paste in platform/*/Pasteboard.*. 33 33 enum FragmentScriptingPermission { 34 FragmentScriptingAllowed, 35 FragmentScriptingNotAllowed, 34 DisallowScriptingContent, 35 AllowScriptingContent, 36 AllowScriptingContentAndDoNotMarkAlreadyStarted, 36 37 }; 37 38 -
trunk/Source/WebCore/dom/Range.cpp
r117210 r117731 1163 1163 } 1164 1164 1165 PassRefPtr<DocumentFragment> Range::createContextualFragment(const String& markup, ExceptionCode& ec , FragmentScriptingPermission scriptingPermission)1165 PassRefPtr<DocumentFragment> Range::createContextualFragment(const String& markup, ExceptionCode& ec) 1166 1166 { 1167 1167 if (!m_start.container()) { … … 1176 1176 } 1177 1177 1178 RefPtr<DocumentFragment> fragment = createDocumentFragmentForElement(markup, toElement(element), scriptingPermission);1178 RefPtr<DocumentFragment> fragment = createDocumentFragmentForElement(markup, toElement(element), AllowScriptingContentAndDoNotMarkAlreadyStarted); 1179 1179 1180 1180 if (!fragment) { -
trunk/Source/WebCore/dom/Range.h
r117210 r117731 90 90 String text() const; 91 91 92 PassRefPtr<DocumentFragment> createContextualFragment(const String& html, ExceptionCode& , FragmentScriptingPermission = FragmentScriptingAllowed);93 static PassRefPtr<DocumentFragment> createDocumentFragmentForElement(const String& markup, Element*, FragmentScriptingPermission = FragmentScriptingAllowed);92 PassRefPtr<DocumentFragment> createContextualFragment(const String& html, ExceptionCode&); 93 static PassRefPtr<DocumentFragment> createDocumentFragmentForElement(const String& markup, Element*, FragmentScriptingPermission = AllowScriptingContent); 94 94 95 95 void detach(ExceptionCode&); -
trunk/Source/WebCore/editing/markup.h
r116685 r117731 49 49 50 50 PassRefPtr<DocumentFragment> createFragmentFromText(Range* context, const String& text); 51 PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission = FragmentScriptingAllowed);51 PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission = AllowScriptingContent); 52 52 PassRefPtr<DocumentFragment> createFragmentFromMarkupWithContext(Document*, const String& markup, unsigned fragmentStart, unsigned fragmentEnd, const String& baseURL, FragmentScriptingPermission); 53 53 PassRefPtr<DocumentFragment> createFragmentFromNodes(Document*, const Vector<Node*>&); -
trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp
r117611 r117731 146 146 : m_document(document) 147 147 , m_attachmentRoot(document) 148 , m_fragmentScriptingPermission( FragmentScriptingAllowed)148 , m_fragmentScriptingPermission(AllowScriptingContent) 149 149 , m_isParsingFragment(false) 150 150 , m_redirectAttachToFosterParent(false) … … 336 336 void HTMLConstructionSite::insertScriptElement(AtomicHTMLToken& token) 337 337 { 338 RefPtr<HTMLScriptElement> element = HTMLScriptElement::create(scriptTag, currentNode()->document(), true, m_isParsingFragment); 339 if (m_fragmentScriptingPermission == FragmentScriptingAllowed) 338 // http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#already-started 339 // http://html5.org/specs/dom-parsing.html#dom-range-createcontextualfragment 340 // For createContextualFragment, the specifications say to mark it parser-inserted and already-started and later unmark them. 341 // However, we short circuit that logic to avoid the subtree traversal to find script elements since scripts can never see 342 // those flags or effects thereof. 343 const bool parserInserted = m_fragmentScriptingPermission != AllowScriptingContentAndDoNotMarkAlreadyStarted; 344 const bool alreadyStarted = m_isParsingFragment && parserInserted; 345 RefPtr<HTMLScriptElement> element = HTMLScriptElement::create(scriptTag, currentNode()->document(), parserInserted, alreadyStarted); 346 if (m_fragmentScriptingPermission != DisallowScriptingContent) 340 347 element->parserSetAttributes(token.attributes(), m_fragmentScriptingPermission); 341 348 attachLater(currentNode(), element); -
trunk/Source/WebCore/html/parser/HTMLDocumentParser.h
r95901 r117731 71 71 void resumeParsingAfterYield(); 72 72 73 static void parseDocumentFragment(const String&, DocumentFragment*, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);73 static void parseDocumentFragment(const String&, DocumentFragment*, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent); 74 74 75 75 static bool usePreHTML5ParserQuirks(Document*); -
trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
r115763 r117731 412 412 : m_fragment(0) 413 413 , m_contextElement(0) 414 , m_scriptingPermission( FragmentScriptingAllowed)414 , m_scriptingPermission(AllowScriptingContent) 415 415 { 416 416 } … … 2136 2136 m_scriptToProcessStartPosition = m_lastScriptElementStartPosition; 2137 2137 m_tree.openElements()->pop(); 2138 if (isParsingFragment() && m_fragmentContext.scriptingPermission() == FragmentScriptingNotAllowed)2138 if (isParsingFragment() && m_fragmentContext.scriptingPermission() == DisallowScriptingContent) 2139 2139 m_scriptToProcess->removeAllChildren(); 2140 2140 setInsertionMode(m_originalInsertionMode); -
trunk/Source/WebCore/html/parser/HTMLTreeBuilder.h
r115645 r117731 207 207 Element* m_contextElement; 208 208 209 // FragmentScriptingNotAllowed causes the Parser to remove children 210 // from <script> tags (so javascript doesn't show up in pastes). 209 // DisallowScriptingContent causes the Parser to remove children from <script> tags (so javascript doesn't show up in pastes). 211 210 FragmentScriptingPermission m_scriptingPermission; 212 211 }; -
trunk/Source/WebCore/platform/blackberry/PasteboardBlackBerry.cpp
r109803 r117731 98 98 if (!html.isEmpty()) { 99 99 String url = String::fromUTF8(BlackBerry::Platform::Clipboard::readURL().c_str()); 100 if (fragment = createFragmentFromMarkup(frame->document(), html, url, FragmentScriptingNotAllowed))100 if (fragment = createFragmentFromMarkup(frame->document(), html, url, DisallowScriptingContent)) 101 101 return fragment.release(); 102 102 } -
trunk/Source/WebCore/platform/chromium/DragDataChromium.cpp
r117327 r117731 147 147 KURL baseURL; 148 148 m_platformDragData->htmlAndBaseURL(html, baseURL); 149 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, baseURL, FragmentScriptingNotAllowed);149 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, baseURL, DisallowScriptingContent); 150 150 return fragment.release(); 151 151 } -
trunk/Source/WebCore/platform/chromium/PasteboardChromium.cpp
r104655 r117731 185 185 if (!markup.isEmpty()) { 186 186 RefPtr<DocumentFragment> fragment = 187 createFragmentFromMarkupWithContext(frame->document(), markup, fragmentStart, fragmentEnd, srcURL, FragmentScriptingNotAllowed);187 createFragmentFromMarkupWithContext(frame->document(), markup, fragmentStart, fragmentEnd, srcURL, DisallowScriptingContent); 188 188 if (fragment) 189 189 return fragment.release(); -
trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp
r100817 r117731 171 171 172 172 if (dataObject->hasMarkup()) { 173 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), dataObject->markup(), "", FragmentScriptingNotAllowed);173 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), dataObject->markup(), "", DisallowScriptingContent); 174 174 if (fragment) 175 175 return fragment.release(); -
trunk/Source/WebCore/platform/mac/PasteboardMac.mm
r115249 r117731 459 459 loader->addAllArchiveResources(coreArchive.get()); 460 460 461 fragment = createFragmentFromMarkup(frame->document(), markupString, mainResource->url(), FragmentScriptingNotAllowed);461 fragment = createFragmentFromMarkup(frame->document(), markupString, mainResource->url(), DisallowScriptingContent); 462 462 [markupString release]; 463 463 } else if (MIMETypeRegistry::isSupportedImageMIMEType(MIMEType)) … … 498 498 } 499 499 if ([HTMLString length] != 0 && 500 (fragment = createFragmentFromMarkup(frame->document(), HTMLString, "", FragmentScriptingNotAllowed)))500 (fragment = createFragmentFromMarkup(frame->document(), HTMLString, "", DisallowScriptingContent))) 501 501 return fragment.release(); 502 502 } -
trunk/Source/WebCore/platform/qt/DragDataQt.cpp
r99108 r117731 138 138 { 139 139 if (m_platformDragData && m_platformDragData->hasHtml()) 140 return createFragmentFromMarkup(frame->document(), m_platformDragData->html(), "", FragmentScriptingNotAllowed);140 return createFragmentFromMarkup(frame->document(), m_platformDragData->html(), "", DisallowScriptingContent); 141 141 142 142 return 0; -
trunk/Source/WebCore/platform/qt/PasteboardQt.cpp
r99924 r117731 112 112 QString html = mimeData->html(); 113 113 if (!html.isEmpty()) { 114 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", FragmentScriptingNotAllowed);114 RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", DisallowScriptingContent); 115 115 if (fragment) 116 116 return fragment.release(); -
trunk/Source/WebCore/platform/win/ClipboardUtilitiesWin.cpp
r116408 r117731 643 643 644 644 String markup = extractMarkupFromCFHTML(cfhtml); 645 return createFragmentFromMarkup(doc, markup, srcURL, FragmentScriptingNotAllowed);645 return createFragmentFromMarkup(doc, markup, srcURL, DisallowScriptingContent); 646 646 } 647 647 … … 660 660 String srcURL; 661 661 if (!html.isEmpty()) 662 return createFragmentFromMarkup(doc, html, srcURL, FragmentScriptingNotAllowed);662 return createFragmentFromMarkup(doc, html, srcURL, DisallowScriptingContent); 663 663 664 664 return 0; … … 678 678 String srcURL; 679 679 if (getDataMapItem(data, texthtmlFormat(), stringData)) 680 return createFragmentFromMarkup(document, stringData, srcURL, FragmentScriptingNotAllowed);680 return createFragmentFromMarkup(document, stringData, srcURL, DisallowScriptingContent); 681 681 682 682 return 0; -
trunk/Source/WebCore/xml/XMLErrors.cpp
r115645 r117731 94 94 Vector<Attribute> reportAttributes; 95 95 reportAttributes.append(Attribute(styleAttr, "display: block; white-space: pre; border: 2px solid #c77; padding: 0 1em 0 1em; margin: 1em; background-color: #fdd; color: black")); 96 reportElement->parserSetAttributes(reportAttributes, FragmentScriptingNotAllowed);96 reportElement->parserSetAttributes(reportAttributes, DisallowScriptingContent); 97 97 98 98 RefPtr<Element> h3 = doc->createElement(h3Tag, true); … … 103 103 Vector<Attribute> fixedAttributes; 104 104 fixedAttributes.append(Attribute(styleAttr, "font-family:monospace;font-size:12px")); 105 fixed->parserSetAttributes(fixedAttributes, FragmentScriptingNotAllowed);105 fixed->parserSetAttributes(fixedAttributes, DisallowScriptingContent); 106 106 reportElement->parserAddChild(fixed.get()); 107 107 … … 162 162 attributes.append(Attribute(styleAttr, "white-space: normal")); 163 163 RefPtr<Element> paragraph = m_document->createElement(pTag, true); 164 paragraph->parserSetAttributes(attributes, FragmentScriptingNotAllowed);164 paragraph->parserSetAttributes(attributes, DisallowScriptingContent); 165 165 paragraph->parserAddChild(m_document->createTextNode("This document was created as the result of an XSL transformation. The line and column numbers given are from the transformed result.")); 166 166 reportElement->parserAddChild(paragraph.release()); -
trunk/Source/WebCore/xml/parser/NewXMLDocumentParser.h
r95901 r117731 56 56 } 57 57 58 static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = FragmentScriptingAllowed);58 static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = AllowScriptingContent); 59 59 60 60 void pauseParsing() { m_parserPaused = true; } -
trunk/Source/WebCore/xml/parser/XMLDocumentParser.h
r113542 r117731 93 93 bool isXHTMLDocument() const { return m_isXHTMLDocument; } 94 94 95 static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = FragmentScriptingAllowed);95 static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = AllowScriptingContent); 96 96 97 97 // FIXME: This function used to be used by WML. Can we remove it? -
trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
r115136 r117731 560 560 , m_scriptStartPosition(TextPosition::belowRangePosition()) 561 561 , m_parsingFragment(false) 562 , m_scriptingPermission( FragmentScriptingAllowed)562 , m_scriptingPermission(AllowScriptingContent) 563 563 { 564 564 } … … 844 844 setDepthTriggeringEntityExpansion(-1); 845 845 846 if (m_scriptingPermission == FragmentScriptingNotAllowed&& n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {846 if (m_scriptingPermission == DisallowScriptingContent && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) { 847 847 popCurrentNode(); 848 848 ExceptionCode ec; -
trunk/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp
r115136 r117731 97 97 , m_scriptStartPosition(TextPosition::belowRangePosition()) 98 98 , m_parsingFragment(false) 99 , m_scriptingPermission( FragmentScriptingAllowed)99 , m_scriptingPermission(AllowScriptingContent) 100 100 { 101 101 m_stream.setEntityResolver(new EntityResolver); … … 493 493 n->finishParsingChildren(); 494 494 495 if (m_scriptingPermission == FragmentScriptingNotAllowed&& n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {495 if (m_scriptingPermission == DisallowScriptingContent && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) { 496 496 popCurrentNode(); 497 497 ExceptionCode ec; -
trunk/Source/WebKit/mac/ChangeLog
r117695 r117731 1 2012-05-20 Ryosuke Niwa <rniwa@webkit.org> 2 3 Using createContextualFragment to insert a <script> does not cause the script to execute 4 https://bugs.webkit.org/show_bug.cgi?id=12234 5 6 Reviewed by Adam Barth. 7 8 Renamed FragmentScriptingNotAllowed to DisallowScriptingContent. 9 10 * WebView/WebFrame.mm: 11 (-[WebFrame _documentFragmentWithMarkupString:baseURLString:]): 12 1 13 2012-05-19 Andy Estes <aestes@apple.com> 2 14 -
trunk/Source/WebKit/mac/WebView/WebFrame.mm
r117695 r117731 737 737 return nil; 738 738 739 return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString, FragmentScriptingNotAllowed).get());739 return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString, DisallowScriptingContent).get()); 740 740 } 741 741
Note: See TracChangeset
for help on using the changeset viewer.