Only allow escaped newlines inside strings (which includes url() tokens that contain strings). (Bug 384672, patch 4) r=bzbarsky

layout/style/nsCSSScanner.cpp

@@ -1013,13 +1013,14 @@ nsCSSScanner::NextURL(nsCSSToken& aToken)
 PRBool
 nsCSSScanner::ParseAndAppendEscape(nsString& aOutput, PRBool aInString)
 {
-  PRInt32 ch = Peek();
+  PRInt32 ch = Read();
   if (ch < 0) {
     return PR_FALSE;
   }
   if (IsHexDigit(ch)) {
     PRInt32 rv = 0;
     int i;
+    Pushback(ch);
     for (i = 0; i < 6; i++) { // up to six digits
       ch = Read();
       if (ch < 0) {
@@ -1066,8 +1067,17 @@ nsCSSScanner::ParseAndAppendEscape(nsString& aOutput, PRBool aInString)
   // "Any character except a hexidecimal digit can be escaped to
   // remove its special meaning by putting a backslash in front"
   // -- CSS1 spec section 7.1
-  ch = Read();  // Consume the escaped character
-  if ((ch > 0) && (ch != '\n')) {
+  if (ch == '\n') {
+    if (!aInString) {
+      // Outside of strings (which includes url() that contains a
+      // string), escaped newlines aren't special, and just tokenize as
+      // eCSSToken_Symbol (DELIM).
+      Pushback(ch);
+      return PR_FALSE;
+    }
+    // In strings (and in url() containing a string), escaped newlines
+    // are just dropped to allow splitting over multiple lines.
+  } else {
     aOutput.Append(ch);
   }
 

layout/style/test/test_parse_rule.html

@@ -131,8 +131,7 @@ base + "#a {color: rgb(255.0, 0, 0)}",
 "#a {color: rgb(0%, 49.999999999999%, 0%)}",
 ], prop: "color", pseudo: "",
 todo: {
-       "div[title~='weeqweqeweasd\\D\\A a']{color:green}" : 1,
-       "div {color:green}#a\\\n{color:red}" : 1
+       "div[title~='weeqweqeweasd\\D\\A a']{color:green}" : 1
       }
 },
 

layout/style/test/test_parse_url.html

@@ -180,6 +180,13 @@ div.setAttribute("style", "color: url(/*); color: green");
 is(div.style.color, 'green',
    "URL tokenized correctly outside properties taking URLs");
 
+div.style.listStyleImage = 'url("foo\\\nbar1")';
+is(div.style.listStyleImage, 'url("foobar1")',
+   "escaped newline allowed in string form of URL");
+div.style.listStyleImage = 'url(foo\\\nbar2)';
+is(div.style.listStyleImage, 'url("foobar1")',
+   "escaped newline NOT allowed in NON-string form of URL");
+
 </script>
 </pre>
 </body>

layout/style/test/test_selectors.html

@@ -918,6 +918,13 @@ function run() {
     // Test that a backslash alone is not treated as an escape.
     test_unparseable_via_api("#\\");
 
+    // Test that newline escapes are only supported in strings.
+    test_balanced_unparseable("di\\\nv");
+    test_balanced_unparseable("div \\\n p");
+    test_balanced_unparseable("div\\\n p");
+    test_balanced_unparseable("div \\\np");
+    test_balanced_unparseable("div\\\np");
+
     run_deferred_tests();
 }