Revert 191807 "Suppress script during parser adjusting DOM node l..."

Reverting on trunk to avoid crashes while a fix is landed

BUG=471599

> Suppress script during parser adjusting DOM node location
>
> This attack uses HTML parser's tree tweaking operation to trigger
> a script execution. This CL suppresses it. This should be acceptable
> because:
>
> * It never happens with well-formed markup.
> * It only happens to a node being a child of <script>, which is unusual.
>
> BUG=464552
> TEST=parser-adjust-parent-crash.html
> R=haraken@chromium.org
>
> Review URL: https://codereview.chromium.org/1007523003
TBR=morrita@chromium.org
Review URL: https://codereview.chromium.org/1096553003
git-svn-id: svn://svn.chromium.org/blink/trunk@193901 bbb929c8-8fbe-4397-9dbb-9b2b20218538
diff --git a/LayoutTests/fast/dom/parser-adjust-parent-crash-expected.txt b/LayoutTests/fast/dom/parser-adjust-parent-crash-expected.txt
deleted file mode 100644
index 46cc850..0000000
--- a/LayoutTests/fast/dom/parser-adjust-parent-crash-expected.txt
+++ /dev/null
@@ -1 +0,0 @@
-PASS unless crash.
diff --git a/LayoutTests/fast/dom/parser-adjust-parent-crash.html b/LayoutTests/fast/dom/parser-adjust-parent-crash.html
deleted file mode 100644
index c6399cec..0000000
--- a/LayoutTests/fast/dom/parser-adjust-parent-crash.html
+++ /dev/null
@@ -1,20 +0,0 @@
-<script type="foo" id="torun">
-document.getElementById("torun").appendChild(p);
-</script>
-
-<b>
-<p>
-<script>
- if (window.testRunner)
- window.testRunner.dumpAsText();
- p = document.querySelector("p");
- s = document.getElementById("torun");
- s.appendChild(p);
- s.type = "";
-</script>
-</b>
-</p>
-
-<script>
- document.body.innerHTML = "PASS unless crash.";
-</script>
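Review bot: Deleting parser-adjust-parent-crash.html together with its expected output removes the regression test named in the original TEST= line at the same moment the suppression goes away. Since the message says a fix is still to land, consider keeping the test in the tree and recording it as an expected failure in TestExpectations, so the re-land has to turn it back to passing instead of restoring it from history.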
diff --git a/Source/core/html/parser/HTMLConstructionSite.cpp b/Source/core/html/parser/HTMLConstructionSite.cpp
index 679749a..487323d 100644
--- a/Source/core/html/parser/HTMLConstructionSite.cpp
+++ b/Source/core/html/parser/HTMLConstructionSite.cpp
@@ -50,7 +50,6 @@
#include "core/loader/FrameLoaderClient.h"
#include "core/svg/SVGScriptElement.h"
#include "platform/NotImplemented.h"
-#include "platform/ScriptForbiddenScope.h"
#include "platform/text/TextBreakIterator.h"
#include <limits>
@@ -103,10 +102,8 @@
if (isHTMLTemplateElement(*task.parent))
task.parent = toHTMLTemplateElement(task.parent.get())->content();
- if (ContainerNode* parent = task.child->parentNode()) {
- ScriptForbiddenScope forbidScript;
+ if (ContainerNode* parent = task.child->parentNode())
parent->parserRemoveChild(*task.child);
- }
if (task.nextChild)
task.parent->parserInsertBefore(task.child.get(), *task.nextChild);
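Review bot: In the branch that detaches task.child from its current parent, dropping ScriptForbiddenScope leaves parserRemoveChild running with script allowed again, which is the case the reverted message describes for a node that is a child of <script>. The lines right after it go on to use task.nextChild and task.parent with no re-check following the removal. If the revert has to stay in for a while, a short comment at this call site pointing at BUG=464552 would keep it from being missed when the fix returns.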
@@ -153,10 +150,8 @@
{
ASSERT(task.operation == HTMLConstructionSiteTask::Reparent);
- if (ContainerNode* parent = task.child->parentNode()) {
- ScriptForbiddenScope forbidScript;
+ if (ContainerNode* parent = task.child->parentNode())
parent->parserRemoveChild(*task.child);
- }
task.parent->parserAppendChild(task.child);
}
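Review bot: The detach step at the top of this Reparent function, "if (ContainerNode* parent = task.child->parentNode()) parent->parserRemoveChild(*task.child);", is the same code as in the previous hunk, and both copies lose the guard here. When the fix is re-landed, consider moving that step into one helper so the script restriction lives in a single place. The ASSERT above checks only task.operation, so nothing visible in this function verifies the child after the removal and before parserAppendChild runs.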