Detect and refuse to load some forms of recursive XBL bindings. b=350754 r+sr=bzbarsky

2006-10-08 10:18:41 +00:00 · 2006-10-08 10:18:41 +00:00 · ec3b41eced
--- a/content/xbl/src/nsXBLService.cpp
+++ b/content/xbl/src/nsXBLService.cpp
@ -82,6 +82,7 @@
 #include "nsFrameManager.h"
 #include "nsStyleContext.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsIScriptError.h"

 #ifdef MOZ_XUL
 #include "nsIXULPrototypeCache.h"
@ -99,6 +100,47 @@ static PRBool IsChromeOrResourceURI(nsIURI* aURI)
  return PR_FALSE;
 }

+static PRBool
+IsAncestorBinding(nsIDocument* aDocument,
+                  nsIURI* aChildBindingURI,
+                  nsIContent* aChild)
+{
+  NS_ASSERTION(aDocument, "expected a document");
+  NS_ASSERTION(aChildBindingURI, "expected a binding URI");
+  NS_ASSERTION(aChild, "expected a child content");
+
+  nsIContent* bindingParent = aChild->GetBindingParent();
+  nsIBindingManager* bindingManager = aDocument->BindingManager();
+  for (nsIContent* prev = aChild;
+       bindingParent && prev != bindingParent;
+       prev = bindingParent, bindingParent = bindingParent->GetBindingParent()) {
+    nsXBLBinding* binding = bindingManager->GetBinding(bindingParent);
+    if (!binding) {
+      continue;
+    }
+    PRBool equal;
+    nsresult rv =
+      binding->PrototypeBinding()->BindingURI()->Equals(aChildBindingURI,
+                                                        &equal);
+    if (NS_FAILED(rv) || equal) {
+      nsCAutoString spec;
+      aChildBindingURI->GetSpec(spec);
+      NS_ConvertUTF8toUTF16 bindingURI(spec);
+      const PRUnichar* params[] = { bindingURI.get() };
+      nsContentUtils::ReportToConsole(nsContentUtils::eXBL_PROPERTIES,
+                                      "RecursiveBinding",
+                                      params, NS_ARRAY_LENGTH(params),
+                                      aDocument->GetDocumentURI(),
+                                      EmptyString(), 0, 0,
+                                      nsIScriptError::warningFlag,
+                                      "XBL");
+      return PR_TRUE;
+    }
+  }
+
+  return PR_FALSE;
+}
+
 // Individual binding requests.
 class nsXBLBindingRequest
 {
@ -586,6 +628,10 @@ nsXBLService::LoadBindings(nsIContent* aContent, nsIURI* aURL, PRBool aAugmentFl
    return NS_OK;
  }

+  if (::IsAncestorBinding(document, aURL, aContent)) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
+
  if (aAugmentFlag) {
    nsXBLBinding *baseBinding;
    nsXBLBinding *nextBinding = newBinding;
--- a/dom/locales/en-US/chrome/layout/xbl.properties
+++ b/dom/locales/en-US/chrome/layout/xbl.properties
@ -37,3 +37,4 @@ UnexpectedElement=Unexpected <%1$S> element.
 # LOCALIZATION NOTE: do not localize key="%S" modifiers="%S"
 GTK2Conflict=Key event not available on GTK2: key="%S" modifiers="%S"
 WinConflict=Key event not available on some keyboard layouts: key="%S" modifiers="%S"
+RecursiveBinding=The XBL binding "%S" is already used by an ancestor element