Changeset 117731 in webkit

Timestamp:

May 20, 2012 11:11:02 PM (12 years ago)

Author:

rniwa@webkit.org

Message:

Using createContextualFragment to insert a <script> does not cause the script to execute
​https://bugs.webkit.org/show_bug.cgi?id=12234

Reviewed by Adam Barth.

Source/WebCore:

Renamed FragmentScriptingAllowed and FragmentScriptingNotAllowed to DisallowScriptingContent
and AllowScriptingContent as these two flags are used in code for non-fragment cases and they
indicate whether attributes and elements that can invoke scripting should be removed or not.

To fix the bug, added a new value AllowScriptingContentAndDoNotMarkAlreadyStarted unset
already-started and parser-inserted flags [1] on script elements in addition to allowing
scripting contents.

While the HTML5 specification and the DOM Parsing and Serialization specification [2] state that
we should set these flags in the parser and later unset them, doing so would require traversing
the parsed fragment to find relevant script elements. We short circuit this logic by simply not
setting parser-inserted and already-started flags in createContextualFragment.

[1] ​http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#already-started
[2] ​http://html5.org/specs/dom-parsing.html#dom-range-createcontextualfragment

Tests: fast/dom/Range/create-contextual-fragment-script-not-ran.html

fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html

• dom/DocumentFragment.h:

(DocumentFragment):

• dom/Element.cpp:

(WebCore::Element::parserSetAttributes):
(WebCore::Element::setAttributeNS):

• dom/Element.h:

(Element):

• dom/FragmentScriptingPermission.h:
• dom/Range.cpp:

(WebCore::Range::createContextualFragment): Removed FragmentScriptingPermission from the argument
list since no one uses it. Always use AllowScriptingContentAndDoNotMarkAlreadyStarted instead.

• dom/Range.h:
• editing/markup.h:
• html/parser/HTMLConstructionSite.cpp:

(WebCore::HTMLConstructionSite::HTMLConstructionSite):
(WebCore::HTMLConstructionSite::insertScriptElement): Pass false to both parserInserted and
alreadyStarted when the scripting permission is AllowScriptingContentAndDoNotMarkAlreadyStarted.
Also call parserSetAttributes when the scripting permission is either AllowScriptingContent or
AllowScriptingContentAndDoNotMarkAlreadyStarted.

• html/parser/HTMLDocumentParser.h:

(HTMLDocumentParser):

• html/parser/HTMLTreeBuilder.cpp:

(WebCore::HTMLTreeBuilder::FragmentParsingContext::FragmentParsingContext):
(WebCore::HTMLTreeBuilder::processEndTag):

• html/parser/HTMLTreeBuilder.h:

(FragmentParsingContext):

• platform/blackberry/PasteboardBlackBerry.cpp:

(WebCore::Pasteboard::documentFragment):

• platform/chromium/DragDataChromium.cpp:

(WebCore::DragData::asFragment):

• platform/chromium/PasteboardChromium.cpp:

(WebCore::Pasteboard::documentFragment):

• platform/gtk/PasteboardGtk.cpp:

(WebCore::Pasteboard::documentFragment):

• platform/mac/PasteboardMac.mm:

(WebCore::Pasteboard::documentFragment):

• platform/qt/DragDataQt.cpp:

(WebCore::DragData::asFragment):

• platform/qt/PasteboardQt.cpp:

(WebCore::Pasteboard::documentFragment):

• platform/win/ClipboardUtilitiesWin.cpp:

(WebCore::fragmentFromCFHTML):
(WebCore::fragmentFromHTML):

• xml/XMLErrors.cpp:

(WebCore::createXHTMLParserErrorHeader):
(WebCore::XMLErrors::insertErrorMessageBlock):

• xml/parser/NewXMLDocumentParser.h:

(NewXMLDocumentParser):

• xml/parser/XMLDocumentParser.h:

(XMLDocumentParser):

• xml/parser/XMLDocumentParserLibxml2.cpp:

(WebCore::XMLDocumentParser::XMLDocumentParser):
(WebCore::XMLDocumentParser::endElementNs):

• xml/parser/XMLDocumentParserQt.cpp:

(WebCore::XMLDocumentParser::XMLDocumentParser):
(WebCore::XMLDocumentParser::parseEndElement):

Source/WebKit/mac:

Renamed FragmentScriptingNotAllowed to DisallowScriptingContent.

• WebView/WebFrame.mm:

(-[WebFrame _documentFragmentWithMarkupString:baseURLString:]):

LayoutTests:

Added regressions tests to ensure createContextualFragment doesn't execute script elements
immediately as they are parsed and it doesn't mark those script elements as already started.

The behavior of innerHTML is tested elsewhere and this patch does not affect its behavior.

• fast/dom/Range/create-contextual-fragment-script-not-ran-expected.txt: Added.
• fast/dom/Range/create-contextual-fragment-script-not-ran.html: Added.
• fast/dom/Range/create-contextual-fragment-script-unmark-already-started-expected.txt: Added.
• fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Range/create-contextual-fragment-script-not-ran-expected.txt (added)
• LayoutTests/fast/dom/Range/create-contextual-fragment-script-not-ran.html (added)
• LayoutTests/fast/dom/Range/create-contextual-fragment-script-unmark-already-started-expected.txt (added)
• LayoutTests/fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/DocumentFragment.h (modified) (1 diff)
• Source/WebCore/dom/Element.cpp (modified) (2 diffs)
• Source/WebCore/dom/Element.h (modified) (1 diff)
• Source/WebCore/dom/FragmentScriptingPermission.h (modified) (1 diff)
• Source/WebCore/dom/Range.cpp (modified) (2 diffs)
• Source/WebCore/dom/Range.h (modified) (1 diff)
• Source/WebCore/editing/markup.h (modified) (1 diff)
• Source/WebCore/html/parser/HTMLConstructionSite.cpp (modified) (2 diffs)
• Source/WebCore/html/parser/HTMLDocumentParser.h (modified) (1 diff)
• Source/WebCore/html/parser/HTMLTreeBuilder.cpp (modified) (2 diffs)
• Source/WebCore/html/parser/HTMLTreeBuilder.h (modified) (1 diff)
• Source/WebCore/platform/blackberry/PasteboardBlackBerry.cpp (modified) (1 diff)
• Source/WebCore/platform/chromium/DragDataChromium.cpp (modified) (1 diff)
• Source/WebCore/platform/chromium/PasteboardChromium.cpp (modified) (1 diff)
• Source/WebCore/platform/gtk/PasteboardGtk.cpp (modified) (1 diff)
• Source/WebCore/platform/mac/PasteboardMac.mm (modified) (2 diffs)
• Source/WebCore/platform/qt/DragDataQt.cpp (modified) (1 diff)
• Source/WebCore/platform/qt/PasteboardQt.cpp (modified) (1 diff)
• Source/WebCore/platform/win/ClipboardUtilitiesWin.cpp (modified) (3 diffs)
• Source/WebCore/xml/XMLErrors.cpp (modified) (3 diffs)
• Source/WebCore/xml/parser/NewXMLDocumentParser.h (modified) (1 diff)
• Source/WebCore/xml/parser/XMLDocumentParser.h (modified) (1 diff)
• Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (modified) (2 diffs)
• Source/WebCore/xml/parser/XMLDocumentParserQt.cpp (modified) (2 diffs)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/WebView/WebFrame.mm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Using createContextualFragment to insert a <script> does not cause the script to execute
+        https://bugs.webkit.org/show_bug.cgi?id=12234
+
+        Reviewed by Adam Barth.
+
+        Added regressions tests to ensure createContextualFragment doesn't execute script elements
+        immediately as they are parsed and it doesn't mark those script elements as already started.
+
+        The behavior of innerHTML is tested elsewhere and this patch does not affect its behavior.
+
+        * fast/dom/Range/create-contextual-fragment-script-not-ran-expected.txt: Added.
+        * fast/dom/Range/create-contextual-fragment-script-not-ran.html: Added.
+        * fast/dom/Range/create-contextual-fragment-script-unmark-already-started-expected.txt: Added.
+        * fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html: Added.
+
 2012-05-20  Keishi Hattori  <keishi@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-05-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Using createContextualFragment to insert a <script> does not cause the script to execute
+        https://bugs.webkit.org/show_bug.cgi?id=12234
+
+        Reviewed by Adam Barth.
+
+        Renamed FragmentScriptingAllowed and FragmentScriptingNotAllowed to DisallowScriptingContent
+        and AllowScriptingContent as these two flags are used in code for non-fragment cases and they
+        indicate whether attributes and elements that can invoke scripting should be removed or not.
+
+        To fix the bug, added a new value AllowScriptingContentAndDoNotMarkAlreadyStarted unset
+        already-started and parser-inserted flags [1] on script elements in addition to allowing
+        scripting contents.
+
+        While the HTML5 specification and the DOM Parsing and Serialization specification [2] state that
+        we should set these flags in the parser and later unset them, doing so would require traversing
+        the parsed fragment to find relevant script elements. We short circuit this logic by simply not
+        setting parser-inserted and already-started flags in createContextualFragment.
+
+        [1] http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#already-started
+        [2] http://html5.org/specs/dom-parsing.html#dom-range-createcontextualfragment
+
+        Tests: fast/dom/Range/create-contextual-fragment-script-not-ran.html
+               fast/dom/Range/create-contextual-fragment-script-unmark-already-started.html
+
+        * dom/DocumentFragment.h:
+        (DocumentFragment):
+        * dom/Element.cpp:
+        (WebCore::Element::parserSetAttributes):
+        (WebCore::Element::setAttributeNS):
+        * dom/Element.h:
+        (Element):
+        * dom/FragmentScriptingPermission.h:
+        * dom/Range.cpp:
+        (WebCore::Range::createContextualFragment): Removed FragmentScriptingPermission from the argument
+        list since no one uses it. Always use AllowScriptingContentAndDoNotMarkAlreadyStarted instead.
+        * dom/Range.h:
+        * editing/markup.h:
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::HTMLConstructionSite::HTMLConstructionSite):
+        (WebCore::HTMLConstructionSite::insertScriptElement): Pass false to both parserInserted and
+        alreadyStarted when the scripting permission is AllowScriptingContentAndDoNotMarkAlreadyStarted.
+        Also call parserSetAttributes when the scripting permission is either AllowScriptingContent or
+        AllowScriptingContentAndDoNotMarkAlreadyStarted.
+        * html/parser/HTMLDocumentParser.h:
+        (HTMLDocumentParser):
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::FragmentParsingContext::FragmentParsingContext):
+        (WebCore::HTMLTreeBuilder::processEndTag):
+        * html/parser/HTMLTreeBuilder.h:
+        (FragmentParsingContext):
+        * platform/blackberry/PasteboardBlackBerry.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/chromium/DragDataChromium.cpp:
+        (WebCore::DragData::asFragment):
+        * platform/chromium/PasteboardChromium.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/gtk/PasteboardGtk.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/qt/DragDataQt.cpp:
+        (WebCore::DragData::asFragment):
+        * platform/qt/PasteboardQt.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/win/ClipboardUtilitiesWin.cpp:
+        (WebCore::fragmentFromCFHTML):
+        (WebCore::fragmentFromHTML):
+        * xml/XMLErrors.cpp:
+        (WebCore::createXHTMLParserErrorHeader):
+        (WebCore::XMLErrors::insertErrorMessageBlock):
+        * xml/parser/NewXMLDocumentParser.h:
+        (NewXMLDocumentParser):
+        * xml/parser/XMLDocumentParser.h:
+        (XMLDocumentParser):
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::XMLDocumentParser):
+        (WebCore::XMLDocumentParser::endElementNs):
+        * xml/parser/XMLDocumentParserQt.cpp:
+        (WebCore::XMLDocumentParser::XMLDocumentParser):
+        (WebCore::XMLDocumentParser::parseEndElement):
+
 2012-05-20  Kentaro Hara  <haraken@chromium.org>
 

trunk/Source/WebCore/dom/DocumentFragment.h

@@ -34 +34 @@
     static PassRefPtr<DocumentFragment> create(Document*);
 
-    void parseHTML(const String&, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);
-    bool parseXML(const String&, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);
+    void parseHTML(const String&, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent);
+    bool parseXML(const String&, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent);
     
     virtual bool canContainRangeEndPoint() const { return true; }

trunk/Source/WebCore/dom/Element.cpp

@@ -778 +778 @@
     // If the element is created as result of a paste or drag-n-drop operation
     // we want to remove all the script and event handlers.
-    if (scriptingPermission == FragmentScriptingNotAllowed) {
+    if (scriptingPermission == DisallowScriptingContent) {
         unsigned i = 0;
         while (i < m_attributeData->length()) {
@@ -1461 +1461 @@
     }
 
-    if (scriptingPermission == FragmentScriptingNotAllowed && (isEventHandlerAttribute(qName) || isAttributeToRemove(qName, value)))
+    if (scriptingPermission == DisallowScriptingContent && (isEventHandlerAttribute(qName) || isAttributeToRemove(qName, value)))
         return;
 

trunk/Source/WebCore/dom/Element.h

@@ -147 +147 @@
 
     void setAttribute(const AtomicString& name, const AtomicString& value, ExceptionCode&);
-    void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&, FragmentScriptingPermission = FragmentScriptingAllowed);
+    void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&, FragmentScriptingPermission = AllowScriptingContent);
 
     bool isIdAttributeName(const QualifiedName&) const;

trunk/Source/WebCore/dom/FragmentScriptingPermission.h

@@ -32 +32 @@
 // generating DocumentFragments for paste in platform/*/Pasteboard.*.
 enum FragmentScriptingPermission {
-    FragmentScriptingAllowed,
-    FragmentScriptingNotAllowed,
+    DisallowScriptingContent,
+    AllowScriptingContent,
+    AllowScriptingContentAndDoNotMarkAlreadyStarted,
 };
 

trunk/Source/WebCore/dom/Range.cpp

@@ -1163 +1163 @@
 }
 
-PassRefPtr<DocumentFragment> Range::createContextualFragment(const String& markup, ExceptionCode& ec, FragmentScriptingPermission scriptingPermission)
+PassRefPtr<DocumentFragment> Range::createContextualFragment(const String& markup, ExceptionCode& ec)
 {
     if (!m_start.container()) {
@@ -1176 +1176 @@
     }
 
-    RefPtr<DocumentFragment> fragment = createDocumentFragmentForElement(markup, toElement(element), scriptingPermission);
+    RefPtr<DocumentFragment> fragment = createDocumentFragmentForElement(markup, toElement(element), AllowScriptingContentAndDoNotMarkAlreadyStarted);
 
     if (!fragment) {

trunk/Source/WebCore/dom/Range.h

@@ -90 +90 @@
     String text() const;
 
-    PassRefPtr<DocumentFragment> createContextualFragment(const String& html, ExceptionCode&, FragmentScriptingPermission = FragmentScriptingAllowed);
-    static PassRefPtr<DocumentFragment> createDocumentFragmentForElement(const String& markup, Element*,  FragmentScriptingPermission = FragmentScriptingAllowed);
+    PassRefPtr<DocumentFragment> createContextualFragment(const String& html, ExceptionCode&);
+    static PassRefPtr<DocumentFragment> createDocumentFragmentForElement(const String& markup, Element*,  FragmentScriptingPermission = AllowScriptingContent);
 
     void detach(ExceptionCode&);

trunk/Source/WebCore/editing/markup.h

@@ -49 +49 @@
 
     PassRefPtr<DocumentFragment> createFragmentFromText(Range* context, const String& text);
-    PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission = FragmentScriptingAllowed);
+    PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission = AllowScriptingContent);
     PassRefPtr<DocumentFragment> createFragmentFromMarkupWithContext(Document*, const String& markup, unsigned fragmentStart, unsigned fragmentEnd, const String& baseURL, FragmentScriptingPermission);
     PassRefPtr<DocumentFragment> createFragmentFromNodes(Document*, const Vector<Node*>&);

trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp

@@ -146 +146 @@
     : m_document(document)
     , m_attachmentRoot(document)
-    , m_fragmentScriptingPermission(FragmentScriptingAllowed)
+    , m_fragmentScriptingPermission(AllowScriptingContent)
     , m_isParsingFragment(false)
     , m_redirectAttachToFosterParent(false)
@@ -336 +336 @@
 void HTMLConstructionSite::insertScriptElement(AtomicHTMLToken& token)
 {
-    RefPtr<HTMLScriptElement> element = HTMLScriptElement::create(scriptTag, currentNode()->document(), true, m_isParsingFragment);
-    if (m_fragmentScriptingPermission == FragmentScriptingAllowed)
+    // http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#already-started
+    // http://html5.org/specs/dom-parsing.html#dom-range-createcontextualfragment
+    // For createContextualFragment, the specifications say to mark it parser-inserted and already-started and later unmark them.
+    // However, we short circuit that logic to avoid the subtree traversal to find script elements since scripts can never see
+    // those flags or effects thereof.
+    const bool parserInserted = m_fragmentScriptingPermission != AllowScriptingContentAndDoNotMarkAlreadyStarted;
+    const bool alreadyStarted = m_isParsingFragment && parserInserted;
+    RefPtr<HTMLScriptElement> element = HTMLScriptElement::create(scriptTag, currentNode()->document(), parserInserted, alreadyStarted);
+    if (m_fragmentScriptingPermission != DisallowScriptingContent)
         element->parserSetAttributes(token.attributes(), m_fragmentScriptingPermission);
     attachLater(currentNode(), element);

trunk/Source/WebCore/html/parser/HTMLDocumentParser.h

@@ -71 +71 @@
     void resumeParsingAfterYield();
 
-    static void parseDocumentFragment(const String&, DocumentFragment*, Element* contextElement, FragmentScriptingPermission = FragmentScriptingAllowed);
+    static void parseDocumentFragment(const String&, DocumentFragment*, Element* contextElement, FragmentScriptingPermission = AllowScriptingContent);
     
     static bool usePreHTML5ParserQuirks(Document*);

trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp

@@ -412 +412 @@
     : m_fragment(0)
     , m_contextElement(0)
-    , m_scriptingPermission(FragmentScriptingAllowed)
+    , m_scriptingPermission(AllowScriptingContent)
 {
 }
@@ -2136 +2136 @@
             m_scriptToProcessStartPosition = m_lastScriptElementStartPosition;
             m_tree.openElements()->pop();
-            if (isParsingFragment() && m_fragmentContext.scriptingPermission() == FragmentScriptingNotAllowed)
+            if (isParsingFragment() && m_fragmentContext.scriptingPermission() == DisallowScriptingContent)
                 m_scriptToProcess->removeAllChildren();
             setInsertionMode(m_originalInsertionMode);

trunk/Source/WebCore/html/parser/HTMLTreeBuilder.h

@@ -207 +207 @@
         Element* m_contextElement;
 
-        // FragmentScriptingNotAllowed causes the Parser to remove children
-        // from <script> tags (so javascript doesn't show up in pastes).
+        // DisallowScriptingContent causes the Parser to remove children from <script> tags (so javascript doesn't show up in pastes).
         FragmentScriptingPermission m_scriptingPermission;
     };

trunk/Source/WebCore/platform/blackberry/PasteboardBlackBerry.cpp

@@ -98 +98 @@
     if (!html.isEmpty()) {
         String url = String::fromUTF8(BlackBerry::Platform::Clipboard::readURL().c_str());
-        if (fragment = createFragmentFromMarkup(frame->document(), html, url, FragmentScriptingNotAllowed))
+        if (fragment = createFragmentFromMarkup(frame->document(), html, url, DisallowScriptingContent))
             return fragment.release();
     }

trunk/Source/WebCore/platform/chromium/DragDataChromium.cpp

@@ -147 +147 @@
         KURL baseURL;
         m_platformDragData->htmlAndBaseURL(html, baseURL);
-        RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, baseURL, FragmentScriptingNotAllowed);
+        RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, baseURL, DisallowScriptingContent);
         return fragment.release();
     }

trunk/Source/WebCore/platform/chromium/PasteboardChromium.cpp

@@ -185 +185 @@
         if (!markup.isEmpty()) {
           RefPtr<DocumentFragment> fragment =
-              createFragmentFromMarkupWithContext(frame->document(), markup, fragmentStart, fragmentEnd, srcURL, FragmentScriptingNotAllowed);
+              createFragmentFromMarkupWithContext(frame->document(), markup, fragmentStart, fragmentEnd, srcURL, DisallowScriptingContent);
           if (fragment)
               return fragment.release();

trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp

@@ -171 +171 @@
 
     if (dataObject->hasMarkup()) {
-        RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), dataObject->markup(), "", FragmentScriptingNotAllowed);
+        RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), dataObject->markup(), "", DisallowScriptingContent);
         if (fragment)
             return fragment.release();

trunk/Source/WebCore/platform/mac/PasteboardMac.mm

@@ -459 +459 @@
                         loader->addAllArchiveResources(coreArchive.get());
                     
-                    fragment = createFragmentFromMarkup(frame->document(), markupString, mainResource->url(), FragmentScriptingNotAllowed);
+                    fragment = createFragmentFromMarkup(frame->document(), markupString, mainResource->url(), DisallowScriptingContent);
                     [markupString release];
                 } else if (MIMETypeRegistry::isSupportedImageMIMEType(MIMEType))
@@ -498 +498 @@
         }
         if ([HTMLString length] != 0 &&
-            (fragment = createFragmentFromMarkup(frame->document(), HTMLString, "", FragmentScriptingNotAllowed)))
+            (fragment = createFragmentFromMarkup(frame->document(), HTMLString, "", DisallowScriptingContent)))
             return fragment.release();
     }

trunk/Source/WebCore/platform/qt/DragDataQt.cpp

@@ -138 +138 @@
 {
     if (m_platformDragData && m_platformDragData->hasHtml())
-        return createFragmentFromMarkup(frame->document(), m_platformDragData->html(), "", FragmentScriptingNotAllowed);
+        return createFragmentFromMarkup(frame->document(), m_platformDragData->html(), "", DisallowScriptingContent);
 
     return 0;

trunk/Source/WebCore/platform/qt/PasteboardQt.cpp

@@ -112 +112 @@
         QString html = mimeData->html();
         if (!html.isEmpty()) {
-            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", FragmentScriptingNotAllowed);
+            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", DisallowScriptingContent);
             if (fragment)
                 return fragment.release();

trunk/Source/WebCore/platform/win/ClipboardUtilitiesWin.cpp

@@ -643 +643 @@
 
     String markup = extractMarkupFromCFHTML(cfhtml);
-    return createFragmentFromMarkup(doc, markup, srcURL, FragmentScriptingNotAllowed);
+    return createFragmentFromMarkup(doc, markup, srcURL, DisallowScriptingContent);
 }
 
@@ -660 +660 @@
     String srcURL;
     if (!html.isEmpty())
-        return createFragmentFromMarkup(doc, html, srcURL, FragmentScriptingNotAllowed);
+        return createFragmentFromMarkup(doc, html, srcURL, DisallowScriptingContent);
 
     return 0;
@@ -678 +678 @@
     String srcURL;
     if (getDataMapItem(data, texthtmlFormat(), stringData))
-        return createFragmentFromMarkup(document, stringData, srcURL, FragmentScriptingNotAllowed);
+        return createFragmentFromMarkup(document, stringData, srcURL, DisallowScriptingContent);
 
     return 0;

trunk/Source/WebCore/xml/XMLErrors.cpp

@@ -94 +94 @@
     Vector<Attribute> reportAttributes;
     reportAttributes.append(Attribute(styleAttr, "display: block; white-space: pre; border: 2px solid #c77; padding: 0 1em 0 1em; margin: 1em; background-color: #fdd; color: black"));
-    reportElement->parserSetAttributes(reportAttributes, FragmentScriptingNotAllowed);
+    reportElement->parserSetAttributes(reportAttributes, DisallowScriptingContent);
 
     RefPtr<Element> h3 = doc->createElement(h3Tag, true);
@@ -103 +103 @@
     Vector<Attribute> fixedAttributes;
     fixedAttributes.append(Attribute(styleAttr, "font-family:monospace;font-size:12px"));
-    fixed->parserSetAttributes(fixedAttributes, FragmentScriptingNotAllowed);
+    fixed->parserSetAttributes(fixedAttributes, DisallowScriptingContent);
     reportElement->parserAddChild(fixed.get());
 
@@ -162 +162 @@
         attributes.append(Attribute(styleAttr, "white-space: normal"));
         RefPtr<Element> paragraph = m_document->createElement(pTag, true);
-        paragraph->parserSetAttributes(attributes, FragmentScriptingNotAllowed);
+        paragraph->parserSetAttributes(attributes, DisallowScriptingContent);
         paragraph->parserAddChild(m_document->createTextNode("This document was created as the result of an XSL transformation. The line and column numbers given are from the transformed result."));
         reportElement->parserAddChild(paragraph.release());

trunk/Source/WebCore/xml/parser/NewXMLDocumentParser.h

@@ -56 +56 @@
     }
 
-    static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = FragmentScriptingAllowed);
+    static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = AllowScriptingContent);
 
     void pauseParsing() { m_parserPaused = true; }

trunk/Source/WebCore/xml/parser/XMLDocumentParser.h

@@ -93 +93 @@
         bool isXHTMLDocument() const { return m_isXHTMLDocument; }
 
-        static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = FragmentScriptingAllowed);
+        static bool parseDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = AllowScriptingContent);
 
         // FIXME: This function used to be used by WML. Can we remove it?

trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

@@ -560 +560 @@
     , m_scriptStartPosition(TextPosition::belowRangePosition())
     , m_parsingFragment(false)
-    , m_scriptingPermission(FragmentScriptingAllowed)
+    , m_scriptingPermission(AllowScriptingContent)
 {
 }
@@ -844 +844 @@
         setDepthTriggeringEntityExpansion(-1);
 
-    if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
+    if (m_scriptingPermission == DisallowScriptingContent && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
         popCurrentNode();
         ExceptionCode ec;

trunk/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp

@@ -97 +97 @@
     , m_scriptStartPosition(TextPosition::belowRangePosition())
     , m_parsingFragment(false)
-    , m_scriptingPermission(FragmentScriptingAllowed)
+    , m_scriptingPermission(AllowScriptingContent)
 {
     m_stream.setEntityResolver(new EntityResolver);
@@ -493 +493 @@
     n->finishParsingChildren();
 
-    if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
+    if (m_scriptingPermission == DisallowScriptingContent && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
         popCurrentNode();
         ExceptionCode ec;

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2012-05-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Using createContextualFragment to insert a <script> does not cause the script to execute
+        https://bugs.webkit.org/show_bug.cgi?id=12234
+
+        Reviewed by Adam Barth.
+
+        Renamed FragmentScriptingNotAllowed to DisallowScriptingContent.
+
+        * WebView/WebFrame.mm:
+        (-[WebFrame _documentFragmentWithMarkupString:baseURLString:]):
+
 2012-05-19  Andy Estes  <aestes@apple.com>
 

trunk/Source/WebKit/mac/WebView/WebFrame.mm

@@ -737 +737 @@
         return nil;
 
-    return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString, FragmentScriptingNotAllowed).get());
+    return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString, DisallowScriptingContent).get());
 }