[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.22-985-g3c00f00
enrica at apple.com
enrica at apple.com
Wed Mar 17 17:57:42 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 42d0a4c7aa0835d5a5721f4b569c2f60d0490235
Author: enrica at apple.com <enrica at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Feb 23 21:31:11 2010 +0000
WebCore: Crash in createContextualFragment when inserting a list in a non HTML document.
<rdar://problem/7666670>
https://bugs.webkit.org/show_bug.cgi?id=35305
Reviewed by Darin Adler.
createFragmentFromMarkup did not handle correctly the case where documentElement is
not an HTMLElement. The static cast to HTMLElement was causing createContextualFragment to
crash.
Test: editing/execCommand/insert-list-xml.xhtml
* dom/Element.cpp:
(WebCore::Element::createContextualFragment): Added.
* dom/Element.h: Added createContextualFragment virtual function.
* editing/markup.cpp:
(WebCore::createFragmentFromMarkup): Removed static cast to HTMLElement.
* html/HTMLElement.cpp:
(WebCore::HTMLElement::createContextualFragment): Modified to perform only checks
that are specific for an HTMLElement object. The rest of the logic has been moved to the
corresponding method in the Element class.
LayoutTests: Crash in createContextualFragment when inserting a list in a non HTML document.
<rdar://problem/7666670>
https://bugs.webkit.org/show_bug.cgi?id=35305
Reviewed by Darin Adler.
* editing/execCommand/insert-list-xml-expected.txt: Added.
* editing/execCommand/insert-list-xml.xhtml: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55167 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8fd02bf..4f10389 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-02-23 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash in createContextualFragment when inserting a list in a non HTML document.
+ <rdar://problem/7666670>
+ https://bugs.webkit.org/show_bug.cgi?id=35305
+
+ * editing/execCommand/insert-list-xml-expected.txt: Added.
+ * editing/execCommand/insert-list-xml.xhtml: Added.
+
2010-02-23 Dan Bernstein <mitz at apple.com>
Rubber-stamped by Simon Fraser.
diff --git a/LayoutTests/editing/execCommand/insert-list-xml-expected.txt b/LayoutTests/editing/execCommand/insert-list-xml-expected.txt
new file mode 100644
index 0000000..bf87eae
--- /dev/null
+++ b/LayoutTests/editing/execCommand/insert-list-xml-expected.txt
@@ -0,0 +1,3 @@
+.
+<div xmlns="http://www.w3.org/1999/xhtml" contenteditable="true" id="insertlisthere"><ol><li><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Times; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">.</span><br /></li></ol></div>
+PASS
diff --git a/LayoutTests/editing/execCommand/insert-list-xml.xhtml b/LayoutTests/editing/execCommand/insert-list-xml.xhtml
new file mode 100644
index 0000000..0ea5ef3
--- /dev/null
+++ b/LayoutTests/editing/execCommand/insert-list-xml.xhtml
@@ -0,0 +1,31 @@
+<mat:diff xmlns:mat="http://www.w3.org/1998/Math/MathML">
+ <html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <script type="text/javascript">
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ function start()
+ {
+ // select the span that's editable
+ document.getElementById("insertlisthere").focus();
+
+ // insert an ordered list into the span
+ document.execCommand("insertorderedlist", false, null);
+ log(document.getElementById("insertlisthere").outerHTML);
+ log("PASS");
+ }
+ function log(str) {
+ var li = document.createElement("li");
+ li.appendChild(document.createTextNode(str));
+ var console = document.getElementById("console");
+ console.appendChild(li);
+ }
+ </script>
+ </head>
+ <body onload="start();">
+ <div contenteditable="true" id="insertlisthere">.</div>
+ <ul id="console"></ul>
+ </body>
+ </html>
+</mat:diff>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 610e265..10c1dd9 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-02-23 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash in createContextualFragment when inserting a list in a non HTML document.
+ <rdar://problem/7666670>
+ https://bugs.webkit.org/show_bug.cgi?id=35305
+
+ createFragmentFromMarkup did not handle correctly the case where documentElement is
+ not an HTMLElement. The static cast to HTMLElement was causing createContextualFragment to
+ crash.
+
+ Test: editing/execCommand/insert-list-xml.xhtml
+
+ * dom/Element.cpp:
+ (WebCore::Element::createContextualFragment): Added.
+ * dom/Element.h: Added createContextualFragment virtual function.
+ * editing/markup.cpp:
+ (WebCore::createFragmentFromMarkup): Removed static cast to HTMLElement.
+ * html/HTMLElement.cpp:
+ (WebCore::HTMLElement::createContextualFragment): Modified to perform only checks
+ that are specific for an HTMLElement object. The rest of the logic has been moved to the
+ corresponding method in the Element class.
+
2010-02-23 Steve Falkenburg <sfalken at apple.com>
Reviewed by Adam Roben.
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 9e4b48d..8711110 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -35,6 +35,7 @@
#include "ClientRect.h"
#include "ClientRectList.h"
#include "Document.h"
+#include "DocumentFragment.h"
#include "ElementRareData.h"
#include "ExceptionCode.h"
#include "FocusController.h"
@@ -42,6 +43,7 @@
#include "FrameView.h"
#include "HTMLElement.h"
#include "HTMLNames.h"
+#include "HTMLTokenizer.h"
#include "InspectorController.h"
#include "NamedNodeMap.h"
#include "NodeList.h"
@@ -51,6 +53,7 @@
#include "RenderWidget.h"
#include "TextIterator.h"
#include "XMLNames.h"
+#include "XMLTokenizer.h"
#if ENABLE(SVG)
#include "SVGNames.h"
@@ -93,6 +96,51 @@ NodeRareData* Element::createRareData()
{
return new ElementRareData;
}
+
+PassRefPtr<DocumentFragment> Element::createContextualFragment(const String& markup, FragmentScriptingPermission scriptingPermission)
+{
+ RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get(), scriptingPermission);
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this, scriptingPermission))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop <html> and <body> elements and remove <head> to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr<Node> nextNode;
+ for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr<Node> nextChild;
+ for (RefPtr<Node> child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
PassRefPtr<Node> Element::cloneNode(bool deep)
{
diff --git a/WebCore/dom/Element.h b/WebCore/dom/Element.h
index a5c4e96..348ed1c 100644
--- a/WebCore/dom/Element.h
+++ b/WebCore/dom/Element.h
@@ -98,6 +98,8 @@ public:
DEFINE_ATTRIBUTE_EVENT_LISTENER(touchcancel);
#endif
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&, FragmentScriptingPermission = FragmentScriptingAllowed);
+
const AtomicString& getIDAttribute() const;
bool hasAttribute(const QualifiedName&) const;
const AtomicString& getAttribute(const QualifiedName&) const;
diff --git a/WebCore/editing/markup.cpp b/WebCore/editing/markup.cpp
index dc6cbc2..787dad9 100644
--- a/WebCore/editing/markup.cpp
+++ b/WebCore/editing/markup.cpp
@@ -1058,11 +1058,7 @@ String createMarkup(const Range* range, Vector<Node*>* nodes, EAnnotateForInterc
PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL, FragmentScriptingPermission scriptingPermission)
{
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
-
- RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup, scriptingPermission);
+ RefPtr<DocumentFragment> fragment = document->documentElement()->createContextualFragment(markup, scriptingPermission);
if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
completeURLs(fragment.get(), baseURL);
diff --git a/WebCore/html/HTMLElement.cpp b/WebCore/html/HTMLElement.cpp
index d3a7f22..5f82195 100644
--- a/WebCore/html/HTMLElement.cpp
+++ b/WebCore/html/HTMLElement.cpp
@@ -272,9 +272,9 @@ String HTMLElement::outerHTML() const
return createMarkup(this);
}
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html, FragmentScriptingPermission scriptingPermission)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String& markup, FragmentScriptingPermission scriptingPermission)
{
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
if (endTagRequirement() == TagStatusForbidden)
return 0;
@@ -282,47 +282,7 @@ PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String
hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
return 0;
- RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get(), scriptingPermission);
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this, scriptingPermission))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop <html> and <body> elements and remove <head> to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr<Node> nextNode;
- for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr<Node> nextChild;
- for (RefPtr<Node> child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup, scriptingPermission);
}
static inline bool hasOneChild(ContainerNode* node)
@@ -415,7 +375,7 @@ void HTMLElement::setOuterHTML(const String& html, ExceptionCode& ec)
void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -485,7 +445,7 @@ void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -513,7 +473,7 @@ void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
if (ec)
return;
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
Node* prev = t->previousSibling();
if (prev && prev->isTextNode()) {
Text* textPrev = static_cast<Text*>(prev);
@@ -526,7 +486,7 @@ void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
t = textPrev;
}
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
Node* next = t->nextSibling();
if (next && next->isTextNode()) {
Text* textNext = static_cast<Text*>(next);
@@ -566,7 +526,7 @@ Node* HTMLElement::insertAdjacent(const String& where, Node* newChild, Exception
return 0;
}
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = NOT_SUPPORTED_ERR;
return 0;
}
@@ -574,7 +534,7 @@ Node* HTMLElement::insertAdjacent(const String& where, Node* newChild, Exception
Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
{
if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = TYPE_MISMATCH_ERR;
return 0;
}
@@ -611,8 +571,8 @@ void HTMLElement::addHTMLAlignment(MappedAttribute* attr)
void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr)
{
- // vertical alignment with respect to the current baseline of the text
- // right or left means floating images
+ // Vertical alignment with respect to the current baseline of the text
+ // right or left means floating images.
int floatValue = CSSValueInvalid;
int verticalAlignValue = CSSValueInvalid;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list