Changeset 69827 in webkit


Timestamp:
Oct 14, 2010 5:47:23 PM (13 years ago)
Author:
jamesr@google.com
Message:

2010-10-14 James Robinson <jamesr@chromium.org>

Reviewed by Simon Fraser.

SelectElement should check if its renderer exists after calling Element::focus()
https://bugs.webkit.org/show_bug.cgi?id=47696

Tests that clicking on a listbox select when an element has a blur listener that causes
the listbox to become display:none does not crash.

  • fast/forms/select-listbox-focus-displaynone.html: Added.

2010-10-14 James Robinson <jamesr@chromium.org>

Reviewed by Simon Fraser.

SelectElement should check if its renderer exists after calling Element::focus()
https://bugs.webkit.org/show_bug.cgi?id=47696

Adds null checks for element->renderer() after calling element->focus(), since focus()
can dispatch an event and run arbitrary javascript that may cause the select element
to lose its renderer.

Test: fast/forms/select-listbox-focus-displaynone.html

  • dom/SelectElement.cpp: (WebCore::SelectElement::menuListDefaultEventHandler): (WebCore::SelectElement::listBoxDefaultEventHandler):
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r69824 r69827  
     12010-10-14  James Robinson  <jamesr@chromium.org>
     2
     3        Reviewed by Simon Fraser.
     4
     5        SelectElement should check if its renderer exists after calling Element::focus()
     6        https://bugs.webkit.org/show_bug.cgi?id=47696
     7
     8        Tests that clicking on a listbox select with an element has a blur listener that causes
     9        the listbox to become display:none does not crash.
     10
     11        * fast/forms/select-listbox-focus-displaynone.html: Added.
     12
    1132010-10-14  Steve Block  <steveblock@google.com>
    214
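Review bot: the entry at new line 11 lists only fast/forms/select-listbox-focus-displaynone.html as Added, while the changeset summary above reports 2 added files. If the second added file also lives under LayoutTests (for instance an expected result for this test), it should be named in this entry too so the ChangeLog matches what was committed.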
  • trunk/WebCore/ChangeLog

    r69822 r69827  
     12010-10-14  James Robinson  <jamesr@chromium.org>
     2
     3        Reviewed by Simon Fraser.
     4
     5        SelectElement should check if its renderer exists after calling Element::focus()
     6        https://bugs.webkit.org/show_bug.cgi?id=47696
     7
     8        Adds null checks for element->renderer() after calling element->focus(), since focus()
     9        can dispatch an event and run arbitrary javascript that may cause the select element
     10        to lose its renderer.
     11
     12        Test: fast/forms/select-listbox-focus-displaynone.html
     13
     14        * dom/SelectElement.cpp:
     15        (WebCore::SelectElement::menuListDefaultEventHandler):
     16        (WebCore::SelectElement::listBoxDefaultEventHandler):
     17
    1182010-10-14  Beth Dakin  <bdakin@apple.com>
    219
  • trunk/WebCore/dom/SelectElement.cpp

    r69651 r69827  
    548548        if (keyIdentifier == "Down" || keyIdentifier == "Up") {
    549549            element->focus();
     550
     551            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
     552                return;
     553
    550554            // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
    551555            // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
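Review bot: the check added at 551 guards only the renderer, yet the focus() call at 549 that can run script and drop the renderer is the same call that could leave `element` itself detached or released before `element->renderer()` is evaluated. If the caller does not already hold a reference for the duration of this handler, take a protecting RefPtr before focus(); if it does, a short comment saying so would make the assumption explicit.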
     
    606610        if (keyCode == ' ' || keyCode == '\r') {
    607611            element->focus();
     612
     613            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
     614                return;
     615
    608616            // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
    609617            // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
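Review bot: the three lines added at 612-614 repeat the block at 550-552 verbatim, and the same block appears twice more further down. A small helper that calls focus() and reports whether the renderer survived would keep the four call sites in step and make it harder to add another focus() call in these handlers without the check.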
     
    616624        if (keyCode == ' ') {
    617625            element->focus();
     626
     627            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
     628                return;
     629
    618630            // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
    619631            // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
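Review bot: the early return at 627-628 has no test visible in this changeset. The only test named in the ChangeLog, fast/forms/select-listbox-focus-displaynone.html, is described as clicking on a listbox, which does not exercise this `keyCode == ' '` branch or the two key branches above it. A keyboard-driven variant in which a focus or blur listener hides the select would cover them.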
     
    711723        element->focus();
    712724
     725        if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
     726            return;
     727
    713728        // Convert to coords relative to the list box if needed.
    714729        MouseEvent* mouseEvent = static_cast<MouseEvent*>(event);
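Review bot: the trailing comment on 725 reads "in which case do not want to handle the event", which is missing its subject, and it pushes the `if` line far past the width of its neighbours. Moving it to its own line above the check, worded "in which case we do not want to handle the event", would match the comment style used just below at 728; the same applies to the three earlier copies.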