mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 23:02:20 +00:00
Bug 1330294 - Fixing disabled script tags that cause crashes in disabled SVG nodes r=hsivonen,smaug
MozReview-Commit-ID: Lr4s98aZM4W --HG-- extra : rebase_source : 6dca1899d3b69a8eb7e82a02a60fd59f6a9a335e
This commit is contained in:
parent
1b60bc19eb
commit
673d193089
@ -476,8 +476,12 @@ nsXMLContentSink::CreateElement(const char16_t** aAtts, uint32_t aAttsCount,
|
||||
|| aNodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG)
|
||||
) {
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content);
|
||||
sele->SetScriptLineNumber(aLineNumber);
|
||||
sele->SetCreatorParser(GetParser());
|
||||
if (sele) {
|
||||
sele->SetScriptLineNumber(aLineNumber);
|
||||
sele->SetCreatorParser(GetParser());
|
||||
} else {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Node didn't QI to script, but SVG wasn't disabled.");
|
||||
}
|
||||
}
|
||||
|
||||
// XHTML needs some special attention
|
||||
@ -555,6 +559,10 @@ nsXMLContentSink::CloseElement(nsIContent* aContent)
|
||||
|| nodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG)
|
||||
) {
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
|
||||
if (!sele) {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Node didn't QI to script, but SVG wasn't disabled.");
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
if (mPreventScriptExecution) {
|
||||
sele->PreventExecution();
|
||||
|
@ -227,8 +227,11 @@ nsXMLFragmentContentSink::CloseElement(nsIContent* aContent)
|
||||
(aContent->IsHTMLElement(nsGkAtoms::script),
|
||||
aContent->IsSVGElement(nsGkAtoms::script))) {
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
|
||||
NS_ASSERTION(sele, "script did QI correctly!");
|
||||
sele->PreventExecution();
|
||||
if (sele) {
|
||||
sele->PreventExecution();
|
||||
} else {
|
||||
NS_ASSERTION(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Script did QI correctly, but wasn't a disabled SVG!");
|
||||
}
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
@ -296,13 +296,16 @@ txMozillaXMLOutput::endElement()
|
||||
} else if (element->IsSVGElement(nsGkAtoms::script) ||
|
||||
element->IsHTMLElement(nsGkAtoms::script)) {
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(element);
|
||||
MOZ_ASSERT(sele, "script elements need to implement nsIScriptElement");
|
||||
bool block = sele->AttemptToExecute();
|
||||
// If the act of insertion evaluated the script, we're fine.
|
||||
// Else, add this script element to the array of loading scripts.
|
||||
if (block) {
|
||||
rv = mNotifier->AddScriptElement(sele);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (sele) {
|
||||
bool block = sele->AttemptToExecute();
|
||||
// If the act of insertion evaluated the script, we're fine.
|
||||
// Else, add this script element to the array of loading scripts.
|
||||
if (block) {
|
||||
rv = mNotifier->AddScriptElement(sele);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
}
|
||||
} else {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Script elements need to implement nsIScriptElement and SVG wasn't disabled.");
|
||||
}
|
||||
} else if (element->IsAnyOfHTMLElements(nsGkAtoms::input,
|
||||
nsGkAtoms::button,
|
||||
|
@ -2,5 +2,6 @@
|
||||
|
||||
support-files =
|
||||
svg_example_test.html
|
||||
svg_example_script.svg
|
||||
|
||||
[test_disabled_chrome.html]
|
||||
|
7
layout/svg/tests/svg_example_script.svg
Normal file
7
layout/svg/tests/svg_example_script.svg
Normal file
@ -0,0 +1,7 @@
|
||||
<svg version="1.1">
|
||||
<script>
|
||||
document.documentElement.style.backgroundColor = 'rebeccapurple';
|
||||
throw "badment, should never fire.";
|
||||
</script>
|
||||
<g><circle cx="25.8" cy="9.3" r="1.5"/></g>
|
||||
</svg>
|
After Width: | Height: | Size: 207 B |
@ -34,6 +34,15 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=744830
|
||||
`;
|
||||
is(t.firstChild.tagName.toLowerCase(), 'svg');
|
||||
|
||||
// This test crashes if the script tags are not handled correctly
|
||||
t.innerHTML = `<svg version="1.1">
|
||||
<scri` + `pt>
|
||||
throw "badment, should never fire.";
|
||||
</scri` + `pt>
|
||||
<g><circle cx="25.8" cy="9.3" r="1.5"/></g>
|
||||
</svg>`;
|
||||
is(t.firstChild.tagName.toLowerCase(), 'svg');
|
||||
|
||||
t.innerHTML = null;
|
||||
t.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg"));
|
||||
is(t.firstChild.namespaceURI, "http://www.w3.org/2000/svg");
|
||||
|
@ -37,13 +37,19 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=744830
|
||||
yield loadPromise;
|
||||
|
||||
const contentBR = iframeEl.contentDocument.body.getBoundingClientRect();
|
||||
|
||||
yield new Promise(_ => setTimeout(_, 1000));
|
||||
ok(chromeBR.height > contentBR.height, "Chrome content height should be bigger than content due to layout");
|
||||
|
||||
ok(!("hasExtension" in iframeEl.contentDocument.getElementById('svgel')), 'SVG is disabled so no hasExtension support is available in content iframe');
|
||||
ok(chromeIframeEl.contentDocument.getElementById('svgel').hasExtension("http://www.w3.org/1998/Math/MathML"), 'SVG namespace support is enabled in chrome iframe');
|
||||
|
||||
url = "http://mochi.test:8888/chrome/layout/svg/tests/svg_example_script.svg";
|
||||
const iframeElScript = document.createElement("iframe");
|
||||
let loadPromiseScript = ContentTaskUtils.waitForEvent(iframeElScript, "load", false);
|
||||
iframeElScript.src = url;
|
||||
t.appendChild(iframeElScript);
|
||||
yield loadPromiseScript;
|
||||
ok(!iframeElScript.contentDocument.documentElement.style, "Content should not be styled");
|
||||
|
||||
SpecialPowers.setBoolPref("svg.disabled", initialPrefValue);
|
||||
});
|
||||
</script>
|
||||
|
@ -647,6 +647,10 @@ nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)
|
||||
|
||||
NS_ASSERTION(aScriptElement, "No script to run");
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement);
|
||||
if (!sele) {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Node didn't QI to script, but SVG wasn't disabled.");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!mParser) {
|
||||
NS_ASSERTION(sele->IsMalformed(), "Script wasn't marked as malformed.");
|
||||
|
@ -596,8 +596,11 @@ void
|
||||
nsHtml5TreeOperation::PreventScriptExecution(nsIContent* aNode)
|
||||
{
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aNode);
|
||||
MOZ_ASSERT(sele);
|
||||
sele->PreventExecution();
|
||||
if (sele) {
|
||||
sele->PreventExecution();
|
||||
} else {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Node didn't QI to script, but SVG wasn't disabled.");
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
@ -834,9 +837,12 @@ nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor* aBuilder,
|
||||
case eTreeOpSetScriptLineNumberAndFreeze: {
|
||||
nsIContent* node = *(mOne.node);
|
||||
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(node);
|
||||
NS_ASSERTION(sele, "Node didn't QI to script.");
|
||||
sele->SetScriptLineNumber(mFour.integer);
|
||||
sele->FreezeUriAsyncDefer();
|
||||
if (sele) {
|
||||
sele->SetScriptLineNumber(mFour.integer);
|
||||
sele->FreezeUriAsyncDefer();
|
||||
} else {
|
||||
MOZ_ASSERT(nsNameSpaceManager::GetInstance()->mSVGDisabled, "Node didn't QI to script, but SVG wasn't disabled.");
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
case eTreeOpSvgLoad: {
|
||||
|
Loading…
Reference in New Issue
Block a user