Index: Source/core/dom/Document.cpp |
diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp |
index 207441719a27dff9c87b7879f8ad05b9afdfaaf7..fc714adf590622b0f9b84d171a0bd25c9f0580d3 100644 |
--- a/Source/core/dom/Document.cpp |
+++ b/Source/core/dom/Document.cpp |
@@ -4155,6 +4155,19 @@ static Editor::Command command(Document* document, const String& commandName, bo |
bool Document::execCommand(const String& commandName, bool userInterface, const String& value) |
{ |
+ // We don't allow recusrive |execComand()| to protect against attack code. |
+ // Recursive call of |execCommand()| could be happened by moving iframe |
+ // with script triggered by insertion, e.g. <iframe src="javascript:..."> |
+ // <iframe onload="...">. This usage is valid as of the specification |
+ // although, it isn't common use case, rather it is used as attack code. |
+ static bool inExecCommand = false; |
+ if (inExecCommand) |
+ return false; |
tkent
2014/01/29 05:06:00
Can we show a console message to tell this restric
yosin_UTC9
2014/01/29 07:50:41
Done.
|
+ TemporaryChange<bool> executeScope(inExecCommand, true); |
+ |
+ // Postpone DOM mutation events, which can execute scripts and change |
+ // DOM tree against implementation assumption. |
+ EventQueueScope eventQueueScope; |
return command(this, commandName, userInterface).execute(value); |
} |
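Review bot: `inExecCommand` is a function-local `static`, so the re-entrancy guard at the top of `Document::execCommand` is shared by every Document in the process rather than held per document. A nested call made on a different document while one command is running (for example on the inserted iframe's own document) is therefore rejected too. If that breadth is intended as the more conservative choice, the comment should say so, e.g. `// Deliberately shared by all Documents: script run during insertion can reach execCommand() on any document.`; if it is not intended, the flag would presumably belong on the Document instead. The added comment also misspells `recusrive` and `execComand`, which makes this guard harder to find when searching for the function name.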