Bug 293347: Disable document.write for XSLT result docs. r/sr=jst

2025-02-11 18:24:02 +00:00 · 2009-11-05 20:27:30 -08:00 · 2009-11-05 20:27:30 -08:00 · 7272bafa07
commit 7272bafa07
parent 33e5c576e0
8 changed files with 81 additions and 5 deletions
--- a/content/html/document/src/nsHTMLDocument.cpp
+++ b/content/html/document/src/nsHTMLDocument.cpp
@ -1806,7 +1806,7 @@ nsHTMLDocument::SetCookie(const nsAString& aCookie)
 nsresult
 nsHTMLDocument::OpenCommon(const nsACString& aContentType, PRBool aReplace)
 {
-  if (!IsHTML()) {
+  if (!IsHTML() || mDisableDocWrite) {
    // No calling document.open() on XHTML

    return NS_ERROR_DOM_INVALID_ACCESS_ERR;
@ -2131,7 +2131,7 @@ nsHTMLDocument::WriteCommon(const nsAString& aText,
    (mWriteLevel > NS_MAX_DOCUMENT_WRITE_DEPTH || mTooDeepWriteRecursion);
  NS_ENSURE_STATE(!mTooDeepWriteRecursion);

-  if (!IsHTML()) {
+  if (!IsHTML() || mDisableDocWrite) {
    // No calling document.write*() on XHTML!

    return NS_ERROR_DOM_INVALID_ACCESS_ERR;
--- a/content/html/document/src/nsHTMLDocument.h
+++ b/content/html/document/src/nsHTMLDocument.h
@ -177,6 +177,10 @@ public:
  virtual PRInt32 GetNumFormsSynchronous();
  virtual void TearingDownEditor(nsIEditor *aEditor);
  virtual void SetIsXHTML(PRBool aXHTML) { mIsRegularHTML = !aXHTML; }
+  virtual void SetDocWriteDisabled(PRBool aDisabled)
+  {
+    mDisableDocWrite = aDisabled;
+  }

  nsresult ChangeContentEditableCount(nsIContent *aElement, PRInt32 aChange);

@ -338,6 +342,8 @@ protected:

  PRPackedBool mTooDeepWriteRecursion;

+  PRPackedBool mDisableDocWrite;
+
  nsCOMPtr<nsIWyciwygChannel> mWyciwygChannel;

  /* Midas implementation */
--- a/content/html/document/src/nsIHTMLDocument.h
+++ b/content/html/document/src/nsIHTMLDocument.h
@ -55,10 +55,10 @@ class nsIDOMHTMLBodyElement;
 class nsIScriptElement;
 class nsIEditor;

-// 5a959364-a2f4-4cac-9a2c-957055dc3569
+// 56ff0e81-191c-421c-b75c-1727e13091c0
 #define NS_IHTMLDOCUMENT_IID \
-{ 0x5a959364, 0xa2f4, 0x4cac, \
-  { 0x9a, 0x2c, 0x95, 0x70, 0x55, 0xdc, 0x35, 0x69 } }
+{ 0x56ff0e81, 0x191c, 0x421c, \
+  { 0xb7, 0x5c, 0x17, 0x27, 0xe1, 0x30, 0x91, 0xc0 } }


 /**
@ -197,6 +197,8 @@ public:
  virtual void TearingDownEditor(nsIEditor *aEditor) = 0;

  virtual void SetIsXHTML(PRBool aXHTML) = 0;
+
+  virtual void SetDocWriteDisabled(PRBool aDisabled) = 0;
 };

 NS_DEFINE_STATIC_IID_ACCESSOR(nsIHTMLDocument, NS_IHTMLDOCUMENT_IID)
--- a/content/xml/document/src/nsXMLContentSink.cpp
+++ b/content/xml/document/src/nsXMLContentSink.cpp
@ -95,6 +95,7 @@
 #include "nsIDOMProcessingInstruction.h"
 #include "nsNodeUtils.h"
 #include "nsIScriptGlobalObject.h"
+#include "nsIHTMLDocument.h"
 #include "nsEventDispatcher.h"
 #include "mozAutoDocUpdate.h"

@ -383,6 +384,11 @@ nsXMLContentSink::OnDocumentCreated(nsIDocument* aResultDocument)
 {
  NS_ENSURE_ARG(aResultDocument);

+  nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(aResultDocument);
+  if (htmlDoc) {
+    htmlDoc->SetDocWriteDisabled(PR_TRUE);
+  }
+
  nsCOMPtr<nsIContentViewer> contentViewer;
  mDocShell->GetContentViewer(getter_AddRefs(contentViewer));
  if (contentViewer) {
@ -424,6 +430,10 @@ nsXMLContentSink::OnTransformDone(nsresult aResult,
    // Transform succeeded or it failed and we have an error
    // document to display.
    mDocument = aResultDocument;
+    nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(mDocument);
+    if (htmlDoc) {
+      htmlDoc->SetDocWriteDisabled(PR_FALSE);
+    }
  }

  originalDocument->ScriptLoader()->RemoveObserver(this);
--- a/content/xml/document/test/Makefile.in
+++ b/content/xml/document/test/Makefile.in
@ -51,6 +51,9 @@ _TEST_FILES = 	test_bug232004.xhtml \
 		test_bug399502.xhtml \
 		test_bug445330.html \
 		test_viewport.xhtml \
+		test_bug293347.html \
+		file_bug293347.xml \
+		file_bug293347xslt.xml \
 		$(NULL)

 libs:: $(_TEST_FILES)
--- a/content/xml/document/test/file_bug293347.xml
+++ b/content/xml/document/test/file_bug293347.xml
@ -0,0 +1,2 @@
+<?xml-stylesheet type="text/xsl" href="file_bug293347xslt.xml"?>
+<doc/>
--- a/content/xml/document/test/file_bug293347xslt.xml
+++ b/content/xml/document/test/file_bug293347xslt.xml
@ -0,0 +1,19 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:template match="/doc">
+    <html>
+      <body>
+        <div></div>
+        <div>
+          <script>
+            didThrow = false;
+            try {
+              document.write("shrimp");
+            } catch (e) {
+              didThrow = true;
+            }
+          </script>
+        </div>
+      </body>
+    </html>
+  </xsl:template>
+</xsl:stylesheet>
--- a/content/xml/document/test/test_bug293347.html
+++ b/content/xml/document/test/test_bug293347.html
@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=293347
+-->
+<head>
+  <title>Test for Bug 293347</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=293347">Mozilla Bug 293347</a>
+<p id="display"></p>
+<iframe src="file_bug293347.xml" onload="done(this)"></iframe>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+function done(iframe) {
+  win = iframe.contentWindow;
+  is(win.document.getElementsByTagNameNS("http://www.w3.org/1999/xhtml", "div")
+     .length, 2, "doc still intact");
+  is(win.document.body.namespaceURI, "http://www.w3.org/1999/xhtml",
+     "doc body still intact");
+  is(win.didThrow, true, "doc.write throwing");
+  SimpleTest.finish();
+}
+
+</script>
+</pre>
+</body>
+</html>