Chromium Code Reviews

Side by Side Diff: Source/core/dom/Document.cpp

Issue 141103006: Protect document.execCommand() from recursive call and DOM mutation events (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: 2014-02-03T14:21:08 Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View unified diff | | Annotate | Revision Log
« no previous file with comments | « LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt ('k') | Source/core/editing/CompositeEditCommand.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)
6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved.
7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
(...skipping 4147 matching lines...)
4158 Frame* frame = document->frame(); 4158 Frame* frame = document->frame();
4159 if (!frame || frame->document() != document) 4159 if (!frame || frame->document() != document)
4160 return Editor::Command(); 4160 return Editor::Command();
4161 4161
4162 document->updateStyleIfNeeded(); 4162 document->updateStyleIfNeeded();
4163 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM); 4163 return frame->editor().command(commandName, userInterface ? CommandFromDOMWi thUserInterface : CommandFromDOM);
4164 } 4164 }
4165 4165
4166 bool Document::execCommand(const String& commandName, bool userInterface, const String& value) 4166 bool Document::execCommand(const String& commandName, bool userInterface, const String& value)
4167 { 4167 {
4168 // We don't allow recusrive |execCommand()| to protect against attack code.
4169 // Recursive call of |execCommand()| could be happened by moving iframe
4170 // with script triggered by insertion, e.g. <iframe src="javascript:...">
4171 // <iframe onload="...">. This usage is valid as of the specification
4172 // although, it isn't common use case, rather it is used as attack code.
4173 static bool inExecCommand = false;
4174 if (inExecCommand) {
4175 String message = "We don't execute document.execCommand() this time, bec ause it is called recursively.";
4176 addConsoleMessage(JSMessageSource, WarningMessageLevel, message);
4177 return false;
4178 }
4179 TemporaryChange<bool> executeScope(inExecCommand, true);
4180
4181 // Postpone DOM mutation events, which can execute scripts and change
4182 // DOM tree against implementation assumption.
4183 EventQueueScope eventQueueScope;
4168 return command(this, commandName, userInterface).execute(value); 4184 return command(this, commandName, userInterface).execute(value);
4169 } 4185 }
4170 4186
4171 bool Document::queryCommandEnabled(const String& commandName) 4187 bool Document::queryCommandEnabled(const String& commandName)
4172 { 4188 {
4173 return command(this, commandName).isEnabled(); 4189 return command(this, commandName).isEnabled();
4174 } 4190 }
4175 4191
4176 bool Document::queryCommandIndeterm(const String& commandName) 4192 bool Document::queryCommandIndeterm(const String& commandName)
4177 { 4193 {
(...skipping 1224 matching lines...)
5402 if (!page->focusController().isActive() || !page->focusController().isFocuse d()) 5418 if (!page->focusController().isActive() || !page->focusController().isFocuse d())
5403 return false; 5419 return false;
5404 if (Frame* focusedFrame = page->focusController().focusedFrame()) { 5420 if (Frame* focusedFrame = page->focusController().focusedFrame()) {
5405 if (focusedFrame->tree().isDescendantOf(frame())) 5421 if (focusedFrame->tree().isDescendantOf(frame()))
5406 return true; 5422 return true;
5407 } 5423 }
5408 return false; 5424 return false;
5409 } 5425 }
5410 5426
5411 } // namespace WebCore 5427 } // namespace WebCore
OLDNEW
« no previous file with comments | « LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt ('k') | Source/core/editing/CompositeEditCommand.cpp » ('j') | no next file with comments »

Powered by Google App Engine