Bug 89163: if chrome JS calls nsRange::CreateContextualFragment,
push the current document's JS context on the stack so that event handlers in the fragment are not compiled with the system principal. r=jelwell, sr=jst.
Родитель
d91e17f67a
Коммит
0359509b4a
|
@ -40,6 +40,11 @@
|
|||
#include "nsIComponentManager.h"
|
||||
#include "nsParserCIID.h"
|
||||
#include "nsIHTMLFragmentContentSink.h"
|
||||
#include "nsScriptSecurityManager.h"
|
||||
#include "nsIScriptGlobalObject.h"
|
||||
#include "nsIScriptContext.h"
|
||||
|
||||
#include "nsIJSContextStack.h"
|
||||
// XXX Temporary inclusion to deal with fragment parsing
|
||||
#include "nsHTMLParts.h"
|
||||
|
||||
|
@ -2305,10 +2310,56 @@ nsRange::CreateContextualFragment(const nsAReadableString& aFragment,
|
|||
contentType.Assign(NS_LITERAL_STRING("text/html"));
|
||||
}
|
||||
|
||||
// If there's no JS or system JS running,
|
||||
// push the current document's context on the JS context stack
|
||||
// so that event handlers in the fragment do not get
|
||||
// compiled with the system principal.
|
||||
nsCOMPtr<nsIJSContextStack> ContextStack;
|
||||
nsCOMPtr<nsIScriptSecurityManager> secMan;
|
||||
secMan = do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &result);
|
||||
if (document && NS_SUCCEEDED(result)) {
|
||||
nsCOMPtr<nsIPrincipal> sysPrin;
|
||||
nsCOMPtr<nsIPrincipal> subjectPrin;
|
||||
|
||||
// Just to compare, not to use!
|
||||
result = secMan->GetSystemPrincipal(getter_AddRefs(sysPrin));
|
||||
if (NS_SUCCEEDED(result))
|
||||
result = secMan->GetSubjectPrincipal(getter_AddRefs(subjectPrin));
|
||||
// If there's no subject principal, there's no JS running, so we're in system code.
|
||||
// (just in case...null subject principal will probably never happen)
|
||||
if (NS_SUCCEEDED(result) &&
|
||||
(!subjectPrin || sysPrin.get() == subjectPrin.get())) {
|
||||
nsCOMPtr<nsIScriptGlobalObject> globalObj;
|
||||
result = document->GetScriptGlobalObject(getter_AddRefs(globalObj));
|
||||
|
||||
nsCOMPtr<nsIScriptContext> scriptContext;
|
||||
if (NS_SUCCEEDED(result) && globalObj) {
|
||||
result = globalObj->GetContext(getter_AddRefs(scriptContext));
|
||||
}
|
||||
|
||||
JSContext* cx;
|
||||
if (NS_SUCCEEDED(result) && scriptContext) {
|
||||
cx = (JSContext*)scriptContext->GetNativeContext();
|
||||
}
|
||||
|
||||
if(cx) {
|
||||
ContextStack = do_GetService("@mozilla.org/js/xpc/ContextStack;1", &result);
|
||||
if(NS_SUCCEEDED(result)) {
|
||||
result = ContextStack->Push(cx);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
result = parser->ParseFragment(aFragment, (void*)0,
|
||||
*tagStack,
|
||||
0, contentType);
|
||||
|
||||
if (ContextStack) {
|
||||
JSContext *notused;
|
||||
ContextStack->Pop(¬used);
|
||||
}
|
||||
|
||||
if (NS_SUCCEEDED(result)) {
|
||||
sink->GetFragment(aReturn);
|
||||
}
|
||||
|
|
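Review bot: `JSContext* cx;` is declared without an initializer, so when `GetScriptGlobalObject` or `GetContext` fails or returns null, the `if(cx)` test reads an indeterminate pointer and may push garbage onto the JS context stack; declare it as `JSContext* cx = nsnull;`. The later `if (ContextStack)` guard is also true when `Push` itself failed, which would pop a context this function never pushed; adding `if (NS_FAILED(result)) ContextStack = nsnull;` right after the `Push` call keeps push and pop balanced. Every failure in this setup path falls through to `ParseFragment` with the caller's principal still in effect, so for a system caller the protection is skipped silently; consider returning the error instead when no document context could be pushed. A comment above the `Pop` saying it must run on every path after a successful `Push` would help, because the body of `CreateContextualFragment` starts and ends outside this hunk and an early return added later would leave the pushed context on the stack.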