
Side by Side Diff: Source/core/dom/Document.cpp

Issue 141103006: Protect document.execCommand() from recursive call and DOM mutation events (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 6 years, 10 months ago
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)
6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved.
7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
(...skipping 4137 matching lines...) Expand 10 before | Expand all | Expand 10 after
4148 Frame* frame = document->frame(); 4148 Frame* frame = document->frame();
4149 if (!frame || frame->document() != document) 4149 if (!frame || frame->document() != document)
4150 return Editor::Command(); 4150 return Editor::Command();
4151 4151
4152 document->updateStyleIfNeeded(); 4152 document->updateStyleIfNeeded();
4153 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM); 4153 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM);
4154 } 4154 }
4155 4155
4156 bool Document::execCommand(const String& commandName, bool userInterface, const String& value) 4156 bool Document::execCommand(const String& commandName, bool userInterface, const String& value)
4157 { 4157 {
4158 // We don't allow recusrive |execComand()| to protect against attack code.
4159 // Recursive call of |execCommand()| could be happened by moving iframe
4160 // with script triggered by insertion, e.g. <iframe src="javascript:...">
4161 // <iframe onload="...">. This usage is valid as of the specification
4162 // although, it isn't common use case, rather it is used as attack code.
4163 static bool inExecCommand = false;
4164 if (inExecCommand)
4165 return false;
tkent 2014/01/29 05:06:00 Can we show a console message to tell this restric
yosin_UTC9 2014/01/29 07:50:41 Done.
4166 TemporaryChange<bool> executeScope(inExecCommand, true);
4167
4168 // Postpone DOM mutation events, which can execute scripts and change
4169 // DOM tree against implementation assumption.
4170 EventQueueScope eventQueueScope;
4158 return command(this, commandName, userInterface).execute(value); 4171 return command(this, commandName, userInterface).execute(value);
4159 } 4172 }
4160 4173
4161 bool Document::queryCommandEnabled(const String& commandName) 4174 bool Document::queryCommandEnabled(const String& commandName)
4162 { 4175 {
4163 return command(this, commandName).isEnabled(); 4176 return command(this, commandName).isEnabled();
4164 } 4177 }
4165 4178
4166 bool Document::queryCommandIndeterm(const String& commandName) 4179 bool Document::queryCommandIndeterm(const String& commandName)
4167 { 4180 {
(...skipping 1202 matching lines...) Expand 10 before | Expand all | Expand 10 after
5370 if (!page->focusController().isActive() || !page->focusController().isFocuse d()) 5383 if (!page->focusController().isActive() || !page->focusController().isFocuse d())
5371 return false; 5384 return false;
5372 if (Frame* focusedFrame = page->focusController().focusedFrame()) { 5385 if (Frame* focusedFrame = page->focusController().focusedFrame()) {
5373 if (focusedFrame->tree().isDescendantOf(frame())) 5386 if (focusedFrame->tree().isDescendantOf(frame()))
5374 return true; 5387 return true;
5375 } 5388 }
5376 return false; 5389 return false;
5377 } 5390 }
5378 5391
5379 } // namespace WebCore 5392 } // namespace WebCore
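Review bot: The `static bool inExecCommand` guard at new line 4163 is a process-wide flag rather than per-Document state, and because `executeScope` is declared before `eventQueueScope` it is still set while `eventQueueScope` is torn down, so any execCommand() reached from a mutation event flushed at that point (assuming EventQueueScope dispatches the deferred events when it goes out of scope, which this hunk does not show), or from another document's script during this call, is rejected with the same `false` a merely failing command returns. That looks intentional given the iframe rationale, but the comment should say so, since a reader could otherwise take the flag for a per-document reentrancy check or "fix" the scope ordering. The comment also has several typos (`recusrive`, `execComand`, `could be happened`). I would replace the first comment block with `// Reject re-entrant execCommand(); a nested call can be reached via script run during insertion (e.g. <iframe src="javascript:..."> or onload). The spec allows it but it is rarely legitimate, so the guard is deliberately process-wide and outlives eventQueueScope below.` and keep the second comment as is.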