Chromium Code Reviews

Unified Diff: Source/core/dom/Document.cpp

Issue 141103006: Protect document.execCommand() from recursive call and DOM mutation events (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 6 years, 11 months ago
Index: Source/core/dom/Document.cpp
diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp
index 207441719a27dff9c87b7879f8ad05b9afdfaaf7..fc714adf590622b0f9b84d171a0bd25c9f0580d3 100644
--- a/Source/core/dom/Document.cpp
+++ b/Source/core/dom/Document.cpp
@@ -4155,6 +4155,19 @@ static Editor::Command command(Document* document, const String& commandName, bo
bool Document::execCommand(const String& commandName, bool userInterface, const String& value)
{
+ // We don't allow recusrive |execComand()| to protect against attack code.
+ // Recursive call of |execCommand()| could be happened by moving iframe
+ // with script triggered by insertion, e.g. <iframe src="javascript:...">
+ // <iframe onload="...">. This usage is valid as of the specification
+ // although, it isn't common use case, rather it is used as attack code.
+ static bool inExecCommand = false;
+ if (inExecCommand)
+ return false;
tkent 2014/01/29 05:06:00 Can we show a console message to tell this restric
yosin_UTC9 2014/01/29 07:50:41 Done.
+ TemporaryChange<bool> executeScope(inExecCommand, true);
+
+ // Postpone DOM mutation events, which can execute scripts and change
+ // DOM tree against implementation assumption.
+ EventQueueScope eventQueueScope;
return command(this, commandName, userInterface).execute(value);
}
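Review bot: The guard `static bool inExecCommand = false;` is a single function-level static, so it is shared by every Document in the process rather than being per-Document; a nested execCommand() issued from a different, unrelated frame on the same thread is rejected just like the iframe re-entry the comment describes. If that cross-document behaviour is intended (it does close the iframe case), the comment should say so explicitly; otherwise consider a per-Document member flag. The new comment also has typos and grammar that will be read by the next person touching this code: "recusrive" -> "recursive", "execComand" -> "execCommand", and "Recursive call of |execCommand()| could be happened by moving iframe" -> "A recursive call of |execCommand()| can happen when an iframe is moved". Note the comment's own admission that this usage is valid per the specification, so a reader should be able to find from the comment why it is being refused here.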
