Bug 592366 - Do not execute scripts whose owner doc is not the doc of the inserter parser or not the owner doc at the time of starting the script load. r=jonas, a=blocking2.0-betaN.

content/base/src/nsScriptElement.cpp

@@ -46,6 +46,7 @@
 #include "nsIParser.h"
 #include "nsAutoPtr.h"
 #include "nsGkAtoms.h"
+#include "nsContentSink.h"
 
 using namespace mozilla::dom;
 
@@ -162,8 +163,20 @@ nsScriptElement::MaybeProcessScript()
 
   FreezeUriAsyncDefer();
 
-  nsRefPtr<nsScriptLoader> loader = cont->GetOwnerDoc()->ScriptLoader();
   mAlreadyStarted = PR_TRUE;
+
+  nsIDocument* ownerDoc = cont->GetOwnerDoc();
+  nsCOMPtr<nsIParser> parser = ((nsIScriptElement*)this)->GetCreatorParser();
+  if (parser) {
+    nsCOMPtr<nsIDocument> parserDoc =
+        do_QueryInterface(parser->GetContentSink()->GetTarget());
+    if (ownerDoc != parserDoc) {
+      // Willful violation of HTML5 as of 2010-12-01
+      return NS_OK;
+    }
+  }
+
+  nsRefPtr<nsScriptLoader> loader = ownerDoc->ScriptLoader();
   nsresult scriptresult = loader->ProcessScriptElement(this);
 
   // The only error we don't ignore is NS_ERROR_HTMLPARSER_BLOCK

content/base/src/nsScriptLoader.cpp

@@ -839,6 +839,13 @@ nsScriptLoader::EvaluateScript(nsScriptLoadRequest* aRequest,
     return NS_ERROR_FAILURE;
   }
 
+  nsCOMPtr<nsIContent> scriptContent(do_QueryInterface(aRequest->mElement));
+  nsIDocument* ownerDoc = scriptContent->GetOwnerDoc();
+  if (ownerDoc != mDocument) {
+    // Willful violation of HTML5 as of 2010-12-01
+    return NS_ERROR_FAILURE;
+  }
+
   nsPIDOMWindow *pwin = mDocument->GetInnerWindow();
   if (!pwin || !pwin->IsInnerWindow()) {
     return NS_ERROR_FAILURE;
@@ -847,7 +854,6 @@ nsScriptLoader::EvaluateScript(nsScriptLoadRequest* aRequest,
   NS_ASSERTION(globalObject, "windows must be global objects");
 
   // Get the script-type to be used by this element.
-  nsCOMPtr<nsIContent> scriptContent(do_QueryInterface(aRequest->mElement));
   NS_ASSERTION(scriptContent, "no content - what is default script-type?");
   PRUint32 stid = scriptContent ? scriptContent->GetScriptTypeID() :
                                   nsIProgrammingLanguage::JAVASCRIPT;

content/base/test/Makefile.in

@@ -425,6 +425,7 @@ _TEST_FILES2 = \
 		test_bug567350.html \
 		test_bug574596.html \
 		test_bug578096.html \
+		test_bug592366.html \
 		test_bug597345.html \
 		script-1_bug597345.sjs \
 		script-2_bug597345.js \

content/base/test/test_bug592366.html

@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=592366
+-->
+<head>
+  <title>Test for Bug 592366</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=592366">Mozilla Bug 592366</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe onload='runTest();'></iframe>  
+<iframe onload='runTest();'></iframe>  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+SimpleTest.waitForExplicitFinish();
+/** Test for Bug 592366 **/
+var iframesToLoad = 2;
+function runTest() {
+  --iframesToLoad;
+  if (iframesToLoad) {
+    return;
+  }
+
+  ok(true, "Obligatory succeeding assertion.");
+
+  var s = document.createElement("script");
+  s.src = "data:text/javascript,parent.ok(false, 'This script should not be executed.');"
+  
+  var iframes = document.getElementsByTagName("iframe");
+
+  iframes[0].contentDocument.body.appendChild(s);
+  iframes[1].contentDocument.body.appendChild(s);
+
+  setTimeout(function() {
+    SimpleTest.finish();
+  }, 500);
+}
+</script>
+</pre>
+</body>
+</html>
+

content/test/reftest/bug592366-1.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe src=child592366-1.html></iframe>After iframe
+</body></html>

content/test/reftest/bug592366-1.xhtml

@@ -0,0 +1,6 @@
+<html xmlns="http://www.w3.org/1999/xhtml"><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe src="child592366-1.xhtml"></iframe>After iframe
+</body></html>

content/test/reftest/bug592366-2.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe src=child592366-1.html></iframe>After iframe
+</body></html>

content/test/reftest/bug592366-2.xhtml

@@ -0,0 +1,6 @@
+<html xmlns="http://www.w3.org/1999/xhtml"><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe src="child592366-1.html"></iframe>After iframe
+</body></html>

content/test/reftest/bug592366-ref.html

@@ -0,0 +1,9 @@
+<html><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe></iframe>After iframe
+<div><p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<p>Middle of Page</p>
+<p>End of Page</p>
+</div></body></html>

content/test/reftest/bug592366-ref.xhtml

@@ -0,0 +1,9 @@
+<html xmlns="http://www.w3.org/1999/xhtml"><head>
+<title>Move node during parse</title>
+</head>
+<body>
+<iframe></iframe>After iframe
+<div><p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<p>Middle of Page</p>
+<p>End of Page</p>
+</div></body></html>

content/test/reftest/child592366-1.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Move node during parse</title>
+</head>
+<body>
+<div>
+<p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<script>
+parent.document.documentElement.lastChild.appendChild(document.getElementsByTagName("div")[0]);
+</script>
+<p>Middle of Page</p>
+<script>
+document.body.insertBefore(document.createTextNode("FAIL"), document.body.firstChild);
+</script>
+<p>End of Page</p>
+</div>
+</body>
+</html>

content/test/reftest/child592366-1.xhtml

@@ -0,0 +1,18 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Move node during parse</title>
+</head>
+<body>
+<div>
+<p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<script>
+parent.document.documentElement.lastChild.appendChild(document.getElementsByTagName("div")[0]);
+</script>
+<p>Middle of Page</p>
+<script>
+document.body.insertBefore(document.createTextNode("FAIL"), document.body.firstChild);
+</script>
+<p>End of Page</p>
+</div>
+</body>
+</html>

content/test/reftest/child592366-2.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Move node during parse</title>
+</head>
+<body>
+<div>
+<p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<script>
+parent.document.documentElement.lastChild.appendChild(document.getElementsByTagName("div")[0]);
+</script>
+<p>Middle of Page</p>
+<script src="script592366-2.js"></script>
+<p>End of Page</p>
+</div>
+</body>
+</html>

content/test/reftest/child592366-2.xhtml

@@ -0,0 +1,16 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Move node during parse</title>
+</head>
+<body>
+<div>
+<p>This text should not show inside the iframe. It should show inside the parent. Furthermore, there should be text saying "Middle of Page" and then "End of Page" below (also in the parent).</p>
+<script>
+parent.document.documentElement.lastChild.appendChild(document.getElementsByTagName("div")[0]);
+</script>
+<p>Middle of Page</p>
+<script src="script592366-2.js"></script>
+<p>End of Page</p>
+</div>
+</body>
+</html>

content/test/reftest/reftest.list

@@ -6,3 +6,7 @@
 == bug559996.html bug559996-ref.html
 == bug591981-1.html bug591981-ref.html
 == bug591981-2.html bug591981-ref.html
+== bug592366-1.html bug592366-ref.html
+== bug592366-2.html bug592366-ref.html
+== bug592366-1.xhtml bug592366-ref.xhtml
+== bug592366-2.xhtml bug592366-ref.xhtml

content/test/reftest/script592366-2.js

@@ -0,0 +1,2 @@
+document.body.insertBefore(document.createTextNode("FAIL"), document.body.firstChild);
+

content/xml/document/src/nsXMLContentSink.cpp

@@ -514,6 +514,7 @@ nsXMLContentSink::CreateElement(const PRUnichar** aAtts, PRUint32 aAttsCount,
     ) {
     nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content);
     sele->SetScriptLineNumber(aLineNumber);
+    sele->SetCreatorParser(mParser);
     mConstrainSize = PR_FALSE;
   }
 

parser/htmlparser/src/nsParser.cpp

@@ -890,6 +890,7 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsParser)
   NS_INTERFACE_MAP_ENTRY(nsIStreamListener)
   NS_INTERFACE_MAP_ENTRY(nsIParser)
   NS_INTERFACE_MAP_ENTRY(nsIRequestObserver)
+  NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference)
   NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIParser)
 NS_INTERFACE_MAP_END
 

parser/htmlparser/src/nsParser.h

@@ -88,6 +88,7 @@
 #include "nsCOMArray.h"
 #include "nsIUnicharStreamListener.h"
 #include "nsCycleCollectionParticipant.h"
+#include "nsWeakReference.h"
 
 class nsICharsetConverterManager;
 class nsICharsetAlias;
@@ -102,7 +103,8 @@ class nsIThreadPool;
 
 
 class nsParser : public nsIParser,
-                 public nsIStreamListener
+                 public nsIStreamListener,
+                 public nsSupportsWeakReference
 {
   public:
     /**