DescriptionExtend applying document.execCommand() protection to all commands
Before this patch, preventing recursive call of |document.execCommand()| and delaying DOM mutation event after editing command completion to ensure assumption of DOM tree in editing command, are applying to part of editing commands invoked by |CompositeEditCommand::apply()|, which is introduced by blink@162080.
However, editing commands are also invoked by |document.execCommand()| not via |CompositeEditCommand::apply()|.
This patch changes to move recursive call checking to |document.execCommand()|, because it is entry point for scripts, to postpone DOM mutation event until |document.execCommand()| finished. We still need to postpone DOM mutation event during |CompositeEditCommand::apply()|, which |DragController| calls.
This patch also updates test expectations for test scripts which calls |document.execCommand()| recursively; all of them are for crash testing caused by recursive document.execCommand calls.
Note: Preventing recursive call of |document.execCommand()| is right way to do so. Although, recursive call of |document.execCommand()| isn't common case, rather it is done by attacker. This patch reduces chances of attacking.
BUG=338558
TEST=LayoutTests/editing/inserting/insert-with-mutation-event.html
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=166294
Patch Set 1 #
Total comments: 2
Patch Set 2 : 2014-01-29T16:48:25 #
Total comments: 2
Patch Set 3 : 2014-01-29T17:06:03 #
Total comments: 2
Patch Set 4 : 2014-02-03T14:21:08 #Messages
Total messages: 29 (0 generated)
|