DescriptionMerge 158727 "Protect DOM nodes in IndentOutdentCommand::tryInde..."
> Protect DOM nodes in IndentOutdentCommand::tryIndentingAsListItem()
>
> This patch changes IndentOutdentCommand::tryIndentingAsListItem() to use RefPtr<T> instead of raw pointer for Node and Element not to remove during insertNodeBefore() and moveParagraphWIthClones() calls, which can execute user script to remove DOM nodes.
>
> Note: When I tried to run a test case created by cluster fuzz, content_shell doesn't fail. It is hard to create a test case by hand.
>
> BUG=294456
> TEST=ClusterFuzz
>
> Review URL: https://codereview.chromium.org/25691002
TBR=yosin@chromium.org
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=159001
Patch Set 1 #
Messages
Total messages: 2 (0 generated)
|