Chromium Code Reviews Chromium Code Reviews
Issue 67813002:
Protect contextElement during insertAdjacentHTML call (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved. | 4 * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved. |
| 5 * Copyright (C) 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmo bile.com/) | 5 * Copyright (C) 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmo bile.com/) |
| 6 * Copyright (C) 2011 Motorola Mobility. All rights reserved. | 6 * Copyright (C) 2011 Motorola Mobility. All rights reserved. |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 508 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 519 es.throwUninformativeAndGenericDOMException(SyntaxError); | 519 es.throwUninformativeAndGenericDOMException(SyntaxError); |
| 520 return 0; | 520 return 0; |
| 521 } | 521 } |
| 522 | 522 |
| 523 void HTMLElement::insertAdjacentHTML(const String& where, const String& markup, ExceptionState& es) | 523 void HTMLElement::insertAdjacentHTML(const String& where, const String& markup, ExceptionState& es) |
| 524 { | 524 { |
| 525 Element* contextElement = contextElementForInsertion(where, this, es); | 525 Element* contextElement = contextElementForInsertion(where, this, es); |
| 526 if (!contextElement) | 526 if (!contextElement) |
| 527 return; | 527 return; |
| 528 | 528 |
| 529 // Parsing can result in losing our last ref to contextElement when JS event handlers fire. | |
| 530 RefPtr<Element> protect = contextElement; | |
|
inferno
2013/11/10 09:10:46
Please define the contextElement as RefPtr itself,
davve
2013/11/10 20:02:13
OK.
| |
| 531 | |
| 529 RefPtr<DocumentFragment> fragment = createFragmentForInnerOuterHTML(markup, contextElement, AllowScriptingContent, "insertAdjacentHTML", es); | 532 RefPtr<DocumentFragment> fragment = createFragmentForInnerOuterHTML(markup, contextElement, AllowScriptingContent, "insertAdjacentHTML", es); |
| 530 if (!fragment) | 533 if (!fragment) |
| 531 return; | 534 return; |
| 532 insertAdjacent(where, fragment.get(), es); | 535 insertAdjacent(where, fragment.get(), es); |
| 533 } | 536 } |
| 534 | 537 |
| 535 void HTMLElement::insertAdjacentText(const String& where, const String& text, Ex ceptionState& es) | 538 void HTMLElement::insertAdjacentText(const String& where, const String& text, Ex ceptionState& es) |
| 536 { | 539 { |
| 537 RefPtr<Text> textNode = document().createTextNode(text); | 540 RefPtr<Text> textNode = document().createTextNode(text); |
| 538 insertAdjacent(where, textNode.get(), es); | 541 insertAdjacent(where, textNode.get(), es); |
| (...skipping 533 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1072 #ifndef NDEBUG | 1075 #ifndef NDEBUG |
| 1073 | 1076 |
| 1074 // For use in the debugger | 1077 // For use in the debugger |
| 1075 void dumpInnerHTML(WebCore::HTMLElement*); | 1078 void dumpInnerHTML(WebCore::HTMLElement*); |
| 1076 | 1079 |
| 1077 void dumpInnerHTML(WebCore::HTMLElement* element) | 1080 void dumpInnerHTML(WebCore::HTMLElement* element) |
| 1078 { | 1081 { |
| 1079 printf("%s\n", element->innerHTML().ascii().data()); | 1082 printf("%s\n", element->innerHTML().ascii().data()); |
| 1080 } | 1083 } |
| 1081 #endif | 1084 #endif |
| OLD | NEW |
