Make "InsertHTML" and "Indent" commands handle DOM tree modification during processing
This patch makes the "InsertHTML" and "Indent" commands handle DOM tree modification during processing. When calling Node::insertBefore(), JavaScript may be executed, e.g. <iframe src="javascript:...">, and it modifies the DOM tree.
In issue 314469, a use-after-free is caused at the |startBlock| variable, which holds a raw Node pointer removed during script execution in ReplaceSelectionCommand::doApply().
The changes for CompositeEditCommand::cloneParagraphUnderNewElement() are similar to those for ReplaceSelectionCommand::doApply(). |outerNode| is removed during CompositeEditCommand::appendNode(), which inserts <iframe src="javascript:...">.
BUG=314469
TEST=LayoutTests/editing/inserting/insert-with-javascript-protocol-crash.html
Review URL: https://codereview.chromium.org/64103002
git-svn-id: svn://svn.chromium.org/blink/trunk@161598 bbb929c8-8fbe-4397-9dbb-9b2b20218538
4 files changed
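The lifetime problem the commit message describes, as an added C++ model that is not Blink code and not taken from this patch. `Node`, `runEdit` and `onInsert` are hypothetical names, and `std::shared_ptr` stands in for a ref-counted node reference; the block shows that a node owned only by the tree is destroyed when an insertion callback detaches it, and that a command holding a strong reference must still re-check attachment before continuing.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-in for a ref-counted DOM node; not Blink's Node class.
struct Node {
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children;
    std::function<void()> onInsert;  // models script that runs on insertion

    void appendChild(std::shared_ptr<Node> child) {
        child->parent = this;
        children.push_back(child);
        if (child->onInsert) child->onInsert();  // may mutate the tree re-entrantly
    }
    void removeChild(Node* child) {
        auto it = std::find_if(children.begin(), children.end(),
            [child](const std::shared_ptr<Node>& c) { return c.get() == child; });
        if (it == children.end()) return;
        (*it)->parent = nullptr;
        children.erase(it);  // the tree drops its reference here
    }
};

struct Outcome { bool blockAlive; bool usedBlock; };

// Inserts a frame whose "script" may detach the block, then continues the edit.
Outcome runEdit(bool holdStrongRef, bool scriptRemovesBlock) {
    auto root = std::make_shared<Node>();
    auto block = std::make_shared<Node>();
    root->appendChild(block);
    std::weak_ptr<Node> watch = block;  // observes the lifetime without dereferencing
    std::shared_ptr<Node> protect;      // the strong reference the command keeps
    if (holdStrongRef) protect = block;
    Node* rawBlock = block.get();
    block.reset();  // from here the tree, and protect if set, own the block

    auto frame = std::make_shared<Node>();
    Node* rawRoot = root.get();
    if (scriptRemovesBlock)
        frame->onInsert = [rawRoot, rawBlock] { rawRoot->removeChild(rawBlock); };
    root->appendChild(frame);  // script runs inside this call

    // Re-validate after the call: alive and still attached, else skip the step.
    std::shared_ptr<Node> live = watch.lock();
    bool usable = live && live->parent != nullptr;
    if (usable) live->appendChild(std::make_shared<Node>());
    return {live != nullptr, usable};
}
```

With `holdStrongRef` false and the callback active, `blockAlive` is false, which is the state in which a raw pointer kept across the insertion would dangle.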