Bug 335291 r+sr=bz Make trunk popup events safer

2006-06-19 16:54:53 +00:00 · 2006-06-19 16:54:53 +00:00 · fa844bcd6d
--- a/content/xul/content/src/nsXULPopupListener.cpp
+++ b/content/xul/content/src/nsXULPopupListener.cpp
@ -282,7 +282,7 @@ XULPopupListenerImpl::PreLaunchPopup(nsIDOMEvent* aMouseEvent)
  // Store clicked-on node in xul document for context menus and menu popups.
  // CLEAR THE POPUP EVENT BEFORE THIS FUNCTION EXITS
  xulDocument->SetPopupNode( targetNode );
-  xulDocument->SetPopupEvent( aMouseEvent );
+  xulDocument->SetTrustedPopupEvent( aMouseEvent );

  nsCOMPtr<nsIDOMNSEvent> nsevent(do_QueryInterface(aMouseEvent));

@ -310,7 +310,7 @@ XULPopupListenerImpl::PreLaunchPopup(nsIDOMEvent* aMouseEvent)
      aMouseEvent->PreventDefault();
      break;
  }
-  xulDocument->SetPopupEvent(nsnull);
+  xulDocument->SetTrustedPopupEvent(nsnull);
  return NS_OK;
 }

--- a/content/xul/document/src/nsXULDocument.cpp
+++ b/content/xul/document/src/nsXULDocument.cpp
@ -71,6 +71,7 @@
 #include "nsIScrollableView.h"
 #include "nsIContentViewer.h"
 #include "nsGUIEvent.h"
+#include "nsIDOMNSUIEvent.h"
 #include "nsIDOMXULElement.h"
 #include "nsIPrivateDOMEvent.h"
 #include "nsIRDFNode.h"
@ -1477,7 +1478,7 @@ nsXULDocument::SetPopupNode(nsIDOMNode* aNode)
 }

 NS_IMETHODIMP
-nsXULDocument::GetPopupEvent(nsIDOMEvent** aEvent)
+nsXULDocument::GetTrustedPopupEvent(nsIDOMEvent** aEvent)
 {
    nsresult rv;

@ -1491,7 +1492,7 @@ nsXULDocument::GetPopupEvent(nsIDOMEvent** aEvent)
 }

 NS_IMETHODIMP
-nsXULDocument::SetPopupEvent(nsIDOMEvent* aEvent)
+nsXULDocument::SetTrustedPopupEvent(nsIDOMEvent* aEvent)
 {
    nsresult rv;

@ -1504,6 +1505,58 @@ nsXULDocument::SetPopupEvent(nsIDOMEvent* aEvent)
    return rv;
 }

+// Returns the rangeOffset element from the popupEvent. This is for chrome
+// callers only.
+NS_IMETHODIMP
+nsXULDocument::GetPopupRangeParent(nsIDOMNode** aRangeParent)
+{
+    NS_ENSURE_ARG_POINTER(aRangeParent);
+    *aRangeParent = nsnull;
+
+    nsCOMPtr<nsIDOMEvent> event;
+    nsresult rv = GetTrustedPopupEvent(getter_AddRefs(event));
+    NS_ENSURE_SUCCESS(rv, rv);
+    if (! event)
+        return NS_ERROR_UNEXPECTED; // no event active
+
+    nsCOMPtr<nsIDOMNSUIEvent> uiEvent = do_QueryInterface(event, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = uiEvent->GetRangeParent(aRangeParent); // addrefs
+
+    if (NS_SUCCEEDED(rv) && *aRangeParent &&
+            !nsContentUtils::CanCallerAccess(*aRangeParent)) {
+        NS_RELEASE(*aRangeParent);
+        return NS_ERROR_DOM_SECURITY_ERR;
+    }
+    return rv;
+}
+
+// Returns the rangeOffset element from the popupEvent. We check the rangeParent
+// to determine if the caller has rights to access to the data.
+NS_IMETHODIMP
+nsXULDocument::GetPopupRangeOffset(PRInt32* aRangeOffset)
+{
+    NS_ENSURE_ARG_POINTER(aRangeOffset);
+
+    nsCOMPtr<nsIDOMEvent> event;
+    nsresult rv = GetTrustedPopupEvent(getter_AddRefs(event));
+    NS_ENSURE_SUCCESS(rv, rv);
+    if (! event)
+        return NS_ERROR_UNEXPECTED; // no event active
+
+    nsCOMPtr<nsIDOMNSUIEvent> uiEvent = do_QueryInterface(event, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIDOMNode> parent;
+    rv = uiEvent->GetRangeParent(getter_AddRefs(parent));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    if (parent && !nsContentUtils::CanCallerAccess(parent))
+        return NS_ERROR_DOM_SECURITY_ERR;
+
+    return uiEvent->GetRangeOffset(aRangeOffset);
+}
+
 NS_IMETHODIMP
 nsXULDocument::GetTooltipNode(nsIDOMNode** aNode)
 {
--- a/dom/public/idl/xul/nsIDOMXULDocument.idl
+++ b/dom/public/idl/xul/nsIDOMXULDocument.idl
@ -42,18 +42,21 @@
 interface nsIDOMXULCommandDispatcher;
 interface nsIObserver;

-[scriptable, uuid(741d56f3-f347-4559-aa27-b8f684854baf)]
+[scriptable, uuid(a521baa9-0745-453a-9049-03c1a2241378)]
 interface nsIDOMXULDocument : nsISupports
 {
-           attribute nsIDOMNode                 popupNode;
+  attribute nsIDOMNode                          popupNode;

-           /**
-            * The event that triggered the popup. This is only valid during
-            * the popup showing event.
-            */
-           attribute nsIDOMEvent                popupEvent;
+  /**
+   * These attributes correspond to trustedGetPopupNode().rangeOffset and
+   * rangeParent. They will help you find where in the DOM the popup is
+   * happening. Can be accessed from chrome only, and only during a popup
+   * event. Accessing any other time will be an error.
+   */
+  readonly attribute nsIDOMNode                 popupRangeParent;
+  readonly attribute long                       popupRangeOffset;

-           attribute nsIDOMNode                 tooltipNode;
+  attribute nsIDOMNode                          tooltipNode;

  readonly attribute nsIDOMXULCommandDispatcher commandDispatcher;

@ -103,4 +106,9 @@ interface nsIDOMXULDocument : nsISupports
   * Like trustedGetPopupNode, but gets the tooltip node instead.
   */
  [noscript] nsIDOMNode     trustedGetTooltipNode();
+
+  /**
+   * Like trustedGetPopupNode, but gets the 
+   */
+  [noscript] attribute nsIDOMEvent trustedPopupEvent;
 };
--- a/toolkit/content/inlineSpellCheckUI.js
+++ b/toolkit/content/inlineSpellCheckUI.js
@ -77,12 +77,11 @@ var InlineSpellCheckerUI = {

  // for each UI event, you must call this function, it will compute the
  // word the cursor is over
-  initFromEvent: function(event)
+  initFromEvent: function(rangeParent, rangeOffset)
  {
    this.mOverMisspelling = false;
-    this.mEvent = event;

-    if (! this.mInlineSpellChecker || ! (event instanceof UIEvent))
+    if (! this.mInlineSpellChecker)
      return;

    var selcon = this.mEditor.selectionController;
@ -90,15 +89,15 @@ var InlineSpellCheckerUI = {
    if (spellsel.rangeCount == 0)
      return; // easy case - no misspellings

-    var range = this.mInlineSpellChecker.getMispelledWord(event.rangeParent,
-                                                          event.rangeOffset);
+    var range = this.mInlineSpellChecker.getMispelledWord(rangeParent,
+                                                          rangeOffset);
    if (! range)
      return; // not over a misspelled word

    this.mMisspelling = range.toString();
    this.mOverMisspelling = true;
-    this.mWordNode = event.rangeParent;
-    this.mWordOffset = event.rangeOffset;
+    this.mWordNode = rangeParent;
+    this.mWordOffset = rangeOffset;
  },

  // returns false if there should be no spellchecking UI enabled at all, true
--- a/toolkit/content/widgets/textbox.xml
+++ b/toolkit/content/widgets/textbox.xml
@ -339,7 +339,8 @@
              return;
            }

-            spellui.initFromEvent(document.popupEvent);
+            spellui.initFromEvent(document.popupRangeParent,
+                                  document.popupRangeOffset);

            var enabled = spellui.enabled;
            document.getAnonymousElementByAttribute(this, "anonid",