[editing] Avoid ReplaceSelectionCommand crashes with mixed editability

Executing document.execCommand('InsertImage') with this HTML:

  <body contenteditable="true">
    <div contenteditable="false">
      <span contenteditable="true">a|b</span>
    </div>
  </body>

runs ReplaceSelectionCommand::InsertParagraphSeparatorIfNeeds().
This would typically split the <span> and insert the <img> as a child of
the <div>. However, the <div> is not editable, so a new <div> was added
at the end of the <body>, since it's an editable ancestor.

A DCHECK failed when collapsing the selection to the VisiblePosition in
the new <div> because the canonical position is null when the height of
a block is 0 (see IsVisuallyEquivalentCandidateAlgorithm).

Alternatively, we can modify the testcase a bit to trigger a null deref.
MergeEndIfNeeded() uses PositionAtEndOfInsertedContent(), which may be
a null VisiblePosition if the original Position couldn't be normalized.
Then it could call InsertNodeBefore() with a null node which would be
dereferenced.

This patch avoids this kind of problems by making that code not skip
over non-editable ancestors in EnclosingBlock(). To do so, changes
EnclosingNodeOfTypeAlgorithm() to use RootEditableElementOf() instead
of HighestEditableRoot() when rule == kCannotCrossEditingBoundary.
The difference is that RootEditableElementOf() doesn't cross editing
boundaries.

Bug: 1246674

TEST=ReplaceSelectionCommandTest.InsertImageInNonEditableBlock1
TEST=ReplaceSelectionCommandTest.InsertImageInNonEditableBlock2
TEST=external/wpt/editing/run/insertparagraph.html?6001-last

Change-Id: Icf93a26c6f1581fc1710a45128fe36d8860e5701
Cq-Do-Not-Cancel-Tryjobs: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3156666
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#920693}
5 files changed
tree: b56238c0e66df82b43cbea2467c7c0ba35c31394
  1. .clang-format
  2. .clang-tidy
  3. .eslintrc.js
  4. .git-blame-ignore-revs
  5. .gitattributes
  6. .gitignore
  7. .gn
  8. .mailmap
  9. .vpython
  10. .vpython3
  11. .yapfignore
  12. AUTHORS
  13. BUILD.gn
  14. CODE_OF_CONDUCT.md
  15. DEPS
  16. DIR_METADATA
  17. ENG_REVIEW_OWNERS
  18. LICENSE
  19. LICENSE.chromium_os
  20. OWNERS
  21. PRESUBMIT.py
  22. PRESUBMIT_test.py
  23. PRESUBMIT_test_mocks.py
  24. README.md
  25. WATCHLISTS
  26. android_webview/
  27. apps/
  28. ash/
  29. base/
  30. build/
  31. build_overrides/
  32. buildtools/
  33. cc/
  34. chrome/
  35. chromecast/
  36. chromeos/
  37. cloud_print/
  38. codelabs/
  39. codereview.settings
  40. components/
  41. content/
  42. courgette/
  43. crypto/
  44. dbus/
  45. device/
  46. docs/
  47. extensions/
  48. fuchsia/
  49. gin/
  50. google_apis/
  51. google_update/
  52. gpu/
  53. headless/
  54. infra/
  55. ios/
  56. ipc/
  57. jingle/
  58. media/
  59. mojo/
  60. native_client_sdk/
  61. net/
  62. pdf/
  63. ppapi/
  64. printing/
  65. remoting/
  66. rlz/
  67. sandbox/
  68. services/
  69. skia/
  70. sql/
  71. storage/
  72. styleguide/
  73. testing/
  74. third_party/
  75. tools/
  76. ui/
  77. url/
  78. weblayer/
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.