зеркало из https://github.com/mozilla/pjs.git
Bug 563514 - Avoid leaking or misplacing attributes on stray <html> and <body> tokens in the innerHTML case. r=jonas.
--HG-- extra : rebase_source : 174666b3ec6c0a7e6251fe34b6bf23c499ad3575
This commit is contained in:
Henri Sivonen
Родитель
18c289b901
Коммит
e7eb986aa9
|
|
@ -1793,8 +1793,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case BASE:
|
||||
case LINK:
|
||||
|
|
@ -1807,8 +1809,9 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
break inbodyloop;
|
||||
case BODY:
|
||||
err("\u201Cbody\u201D start tag found but the \u201Cbody\u201D element is already open.");
|
||||
addAttributesToBody(attributes);
|
||||
attributes = null; // CPP
|
||||
if (addAttributesToBody(attributes)) {
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case P:
|
||||
case DIV_OR_BLOCKQUOTE_OR_CENTER_OR_MENU:
|
||||
|
|
@ -2302,8 +2305,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case BASE:
|
||||
case COMMAND:
|
||||
|
|
@ -2386,8 +2391,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
// XXX did Hixie really mean to omit "base"
|
||||
// here?
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case LINK:
|
||||
appendVoidElementToCurrentMayFoster(
|
||||
|
|
@ -2432,8 +2439,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case COL:
|
||||
appendVoidElementToCurrentMayFoster(
|
||||
|
|
@ -2479,8 +2488,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case OPTION:
|
||||
if (isCurrent("option")) {
|
||||
|
|
@ -2555,8 +2566,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
default:
|
||||
err("Stray \u201C" + name + "\u201D start tag.");
|
||||
|
|
@ -2585,8 +2598,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case NOFRAMES:
|
||||
appendToCurrentNodeAndPushElement(
|
||||
|
|
@ -2675,8 +2690,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case HEAD:
|
||||
/*
|
||||
|
|
@ -2719,8 +2736,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
case BODY:
|
||||
if (attributes.getLength() == 0) {
|
||||
|
|
@ -2825,8 +2844,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
switch (group) {
|
||||
case HTML:
|
||||
err("Stray \u201Chtml\u201D start tag.");
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = null; // CPP
|
||||
}
|
||||
break starttagloop;
|
||||
default:
|
||||
err("Stray \u201C" + name + "\u201D start tag.");
|
||||
|
|
@ -4542,7 +4563,13 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
return 0;
|
||||
}
|
||||
|
||||
private void addAttributesToBody(HtmlAttributes attributes)
|
||||
/**
|
||||
* Attempt to add attribute to the body element.
|
||||
* @param attributes the attributes
|
||||
* @return <code>true</code> iff the attributes were added
|
||||
* @throws SAXException
|
||||
*/
|
||||
private boolean addAttributesToBody(HtmlAttributes attributes)
|
||||
throws SAXException {
|
||||
// [NOCPP[
|
||||
checkAttributes(attributes, "http://www.w3.org/1999/xhtml");
|
||||
|
|
@ -4551,8 +4578,10 @@ public abstract class TreeBuilder<T> implements TokenHandler,
|
|||
StackNode<T> body = stack[1];
|
||||
if (body.group == TreeBuilder.BODY) {
|
||||
addAttributesToElement(body.node, attributes);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private void addAttributesToHtml(HtmlAttributes attributes)
|
||||
|
|
|
|||
|
|
@ -888,8 +888,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_BASE:
|
||||
|
|
@ -903,8 +905,9 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
}
|
||||
case NS_HTML5TREE_BUILDER_BODY: {
|
||||
|
||||
addAttributesToBody(attributes);
|
||||
attributes = nsnull;
|
||||
if (addAttributesToBody(attributes)) {
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_P:
|
||||
|
|
@ -1287,8 +1290,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_BASE:
|
||||
|
|
@ -1357,8 +1362,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_LINK: {
|
||||
|
|
@ -1403,8 +1410,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_COL: {
|
||||
|
|
@ -1452,8 +1461,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_OPTION: {
|
||||
|
|
@ -1523,8 +1534,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
default: {
|
||||
|
|
@ -1555,8 +1568,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_NOFRAMES: {
|
||||
|
|
@ -1601,8 +1616,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_HEAD: {
|
||||
|
|
@ -1622,8 +1639,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
case NS_HTML5TREE_BUILDER_BODY: {
|
||||
|
|
@ -1717,8 +1736,10 @@ nsHtml5TreeBuilder::startTag(nsHtml5ElementName* elementName, nsHtml5HtmlAttribu
|
|||
switch(group) {
|
||||
case NS_HTML5TREE_BUILDER_HTML: {
|
||||
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
if (!fragment) {
|
||||
addAttributesToHtml(attributes);
|
||||
attributes = nsnull;
|
||||
}
|
||||
NS_HTML5_BREAK(starttagloop);
|
||||
}
|
||||
default: {
|
||||
|
|
@ -3305,15 +3326,17 @@ nsHtml5TreeBuilder::findLastOrRoot(PRInt32 group)
|
|||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
PRBool
|
||||
nsHtml5TreeBuilder::addAttributesToBody(nsHtml5HtmlAttributes* attributes)
|
||||
{
|
||||
if (currentPtr >= 1) {
|
||||
nsHtml5StackNode* body = stack[1];
|
||||
if (body->group == NS_HTML5TREE_BUILDER_BODY) {
|
||||
addAttributesToElement(body->node, attributes);
|
||||
return PR_TRUE;
|
||||
}
|
||||
}
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
void
|
||||
|
|
|
|||
|
|
@ -154,7 +154,7 @@ class nsHtml5TreeBuilder : public nsAHtml5TreeBuilderState
|
|||
PRInt32 findInListOfActiveFormattingElementsContainsBetweenEndAndLastMarker(nsIAtom* name);
|
||||
PRInt32 findLastOrRoot(nsIAtom* name);
|
||||
PRInt32 findLastOrRoot(PRInt32 group);
|
||||
void addAttributesToBody(nsHtml5HtmlAttributes* attributes);
|
||||
PRBool addAttributesToBody(nsHtml5HtmlAttributes* attributes);
|
||||
void addAttributesToHtml(nsHtml5HtmlAttributes* attributes);
|
||||
void pushHeadPointerOntoStack();
|
||||
void reconstructTheActiveFormattingElements();
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
<!DOCTYPE html>
|
||||
<head>
|
||||
<script>
|
||||
function boom()
|
||||
{
|
||||
document.createElement("span").innerHTML = "<body a='b'>";
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="boom();"></body>
|
||||
|
|
@ -41,3 +41,4 @@ load 515816-1.html
|
|||
load 525229-1.html
|
||||
load 522326-1.html
|
||||
load 536097-1.html
|
||||
load 563514-1.html
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче