DescriptionProtect DOM nodes in IndentOutdentCommand::tryIndentingAsListItem()
This patch changes IndentOutdentCommand::tryIndentingAsListItem() to use RefPtr<T> instead of raw pointer for Node and Element not to remove during insertNodeBefore() and moveParagraphWIthClones() calls, which can execute user script to remove DOM nodes.
Note: When I tried to run a test case created by cluster fuzz, content_shell doesn't fail. It is hard to create a test case by hand.
BUG=294456
TEST=ClusterFuzz
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=158727
Patch Set 1 #
Messages
Total messages: 6 (0 generated)
|