From 96b416cdb9a2bf3df884773905a4fa32d6cb555e Mon Sep 17 00:00:00 2001
From: Daniel Holbert
Date: Wed, 23 Nov 2011 17:49:26 -0800
Subject: [PATCH] Bug 704482: Reject 'accessKey' time specifications in SVG animation elements when scripting is disabled. r=birtles r=roc
---
content/smil/nsSMILTimeValueSpec.cpp | 25 ++++++++++++++++---------
content/smil/nsSMILTimedElement.cpp | 1 +
content/smil/nsSMILTimedElement.h | 4 +++-
3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/content/smil/nsSMILTimeValueSpec.cpp b/content/smil/nsSMILTimeValueSpec.cpp
index a5df46d04cc..e2dce25fc2b 100644
--- a/content/smil/nsSMILTimeValueSpec.cpp
+++ b/content/smil/nsSMILTimeValueSpec.cpp
@@ -100,6 +100,9 @@ nsresult nsSMILTimeValueSpec::SetSpec(const nsAString& aStringSpec, Element* aContextNode) { + NS_ABORT_IF_FALSE(aContextNode, + "null context node; can't determine if script is enabled"); + nsSMILTimeValueSpecParams params; nsresult rv = nsSMILParserUtils::ParseTimeValueSpecParams(aStringSpec, params);
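Review bot: The null guard added at the top of `SetSpec` is assertion-only, while the script-enabled check added in the next hunk of the same function dereferences `aContextNode` unconditionally in the ACCESSKEY branch. As far as I know `NS_ABORT_IF_FALSE` is compiled out of non-debug builds, so a null context node would crash at that dereference instead of having the spec rejected; whether any caller can actually pass null is not visible in this diff. Because that check is the security decision, I would make it fail closed at runtime: `if (!aContextNode || !aContextNode->GetOwnerDocument()->IsScriptEnabled()) { return NS_ERROR_FAILURE; }`. The assertion added to `nsSMILTimedElement::SetAttr` in nsSMILTimedElement.cpp is debug-only in the same way. `SetSpec`'s body continues past the end of this hunk.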
@@ -107,24 +110,28 @@ nsSMILTimeValueSpec::SetSpec(const nsAString& aStringSpec, if (NS_FAILED(rv)) return rv; - mParams = params; - // According to SMIL 3.0: // The special value "indefinite" does not yield an instance time in the // begin list. It will, however yield a single instance with the value // "indefinite" in an end list. This value is not removed by a reset. - if (mParams.mType == nsSMILTimeValueSpecParams::OFFSET || - (!mIsBegin && mParams.mType == nsSMILTimeValueSpecParams::INDEFINITE)) { - mOwner->AddInstanceTime(new nsSMILInstanceTime(mParams.mOffset), mIsBegin); + if (params.mType == nsSMILTimeValueSpecParams::OFFSET || + (!mIsBegin && params.mType == nsSMILTimeValueSpecParams::INDEFINITE)) { + mOwner->AddInstanceTime(new nsSMILInstanceTime(params.mOffset), mIsBegin); } // Fill in the event symbol to simplify handling later - if (mParams.mType == nsSMILTimeValueSpecParams::REPEAT) { - mParams.mEventSymbol = nsGkAtoms::repeatEvent; - } else if (mParams.mType == nsSMILTimeValueSpecParams::ACCESSKEY) { - mParams.mEventSymbol = nsGkAtoms::keypress; + if (params.mType == nsSMILTimeValueSpecParams::REPEAT) { + params.mEventSymbol = nsGkAtoms::repeatEvent; + } else if (params.mType == nsSMILTimeValueSpecParams::ACCESSKEY) { + // Reject accessKey if scripts are disabled. + if (!aContextNode->GetOwnerDocument()->IsScriptEnabled()) { + return NS_ERROR_FAILURE; + } + + params.mEventSymbol = nsGkAtoms::keypress; } + mParams = params; ResolveReferences(aContextNode); return rv;
diff --git a/content/smil/nsSMILTimedElement.cpp b/content/smil/nsSMILTimedElement.cpp
index fefd6944c13..5c335336dec 100644
--- a/content/smil/nsSMILTimedElement.cpp
+++ b/content/smil/nsSMILTimedElement.cpp
@@ -803,6 +803,7 @@ nsSMILTimedElement::SetAttr(nsIAtom* aAttribute, const nsAString& aValue, Element* aContextNode, nsresult* aParseResult) { + NS_ABORT_IF_FALSE(aContextNode, "missing context node"); bool foundMatch = true; nsresult parseResult = NS_OK;
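Review bot: The `IsScriptEnabled()` test in the ACCESSKEY branch of `nsSMILTimeValueSpec::SetSpec` runs once, when the spec string is parsed, so the accept/reject decision is a snapshot of the owner document at that moment. Nothing in this hunk re-evaluates it if the scripting state or the owner document changes afterwards; whether that can happen for an already-parsed spec depends on code outside the hunk. The one-line comment also does not say why accessKey is singled out, which the next reader of a security check will want to know. I would extend it to something like `// accessKey timing is driven by keypress events, so treat it like script: refuse it when scripting is disabled. Checked once, at parse time.` `SetSpec` begins before this hunk.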
diff --git a/content/smil/nsSMILTimedElement.h b/content/smil/nsSMILTimedElement.h
index 1d796cc8605..7334c645d00 100644
--- a/content/smil/nsSMILTimedElement.h
+++ b/content/smil/nsSMILTimedElement.h
@@ -263,7 +263,9 @@ public: * @param aResult The nsAttrValue object that may be used for storing the * parsed result. * @param aContextNode The element to use for context when resolving - * references to other elements. + * references to other elements, and for determining + * whether scripting is enabled (and hence whether + * we should allow "accessKey" time specifications). * @param[out] aParseResult The result of parsing the attribute. Will be set * to NS_OK if parsing is successful. *