Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(337)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/Document.cpp

Issue 141103006: Protect document.execCommand() from recursive call and DOM mutation events (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: 2014-01-29T17:06:03 Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« LayoutTests/editing/inserting/insert-with-mutation-event.html ('K') | « LayoutTests/editing/inserting/insert-with-mutation-event-expected.txt ('k') | Source/core/editing/CompositeEditCommand.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)
6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved.
7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
(...skipping 4133 matching lines...) Expand 10 before | Expand all | Expand 10 after
4144 Frame* frame = document->frame(); 4144 Frame* frame = document->frame();
4145 if (!frame || frame->document() != document) 4145 if (!frame || frame->document() != document)
4146 return Editor::Command(); 4146 return Editor::Command();
4147 4147
4148 document->updateStyleIfNeeded(); 4148 document->updateStyleIfNeeded();
4149 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM); 4149 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM);
4150 } 4150 }
4151 4151
4152 bool Document::execCommand(const String& commandName, bool userInterface, const String& value) 4152 bool Document::execCommand(const String& commandName, bool userInterface, const String& value)
4153 { 4153 {
4154 // We don't allow recusrive |execCommand()| to protect against attack code.
4155 // Recursive call of |execCommand()| could be happened by moving iframe
4156 // with script triggered by insertion, e.g. <iframe src="javascript:...">
4157 // <iframe onload="...">. This usage is valid as of the specification
4158 // although, it isn't common use case, rather it is used as attack code.
4159 static bool inExecCommand = false;
4160 if (inExecCommand) {
4161 String message = "We don't execute document.execCommand() this time, bec ause it is called recursively.";
4162 addConsoleMessage(JSMessageSource, WarningMessageLevel, message);
4163 return false;
4164 }
4165 TemporaryChange<bool> executeScope(inExecCommand, true);
4166
4167 // Postpone DOM mutation events, which can execute scripts and change
4168 // DOM tree against implementation assumption.
4169 EventQueueScope eventQueueScope;
4154 return command(this, commandName, userInterface).execute(value); 4170 return command(this, commandName, userInterface).execute(value);
4155 } 4171 }
4156 4172
4157 bool Document::queryCommandEnabled(const String& commandName) 4173 bool Document::queryCommandEnabled(const String& commandName)
4158 { 4174 {
4159 return command(this, commandName).isEnabled(); 4175 return command(this, commandName).isEnabled();
4160 } 4176 }
4161 4177
4162 bool Document::queryCommandIndeterm(const String& commandName) 4178 bool Document::queryCommandIndeterm(const String& commandName)
4163 { 4179 {
(...skipping 1202 matching lines...) Expand 10 before | Expand all | Expand 10 after
5366 if (!page->focusController().isActive() || !page->focusController().isFocuse d()) 5382 if (!page->focusController().isActive() || !page->focusController().isFocuse d())
5367 return false; 5383 return false;
5368 if (Frame* focusedFrame = page->focusController().focusedFrame()) { 5384 if (Frame* focusedFrame = page->focusController().focusedFrame()) {
5369 if (focusedFrame->tree().isDescendantOf(frame())) 5385 if (focusedFrame->tree().isDescendantOf(frame()))
5370 return true; 5386 return true;
5371 } 5387 }
5372 return false; 5388 return false;
5373 } 5389 }
5374 5390
5375 } // namespace WebCore 5391 } // namespace WebCore
OLDNEW
« LayoutTests/editing/inserting/insert-with-mutation-event.html ('K') | « LayoutTests/editing/inserting/insert-with-mutation-event-expected.txt ('k') | Source/core/editing/CompositeEditCommand.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698