2010-06-14 14:58:01 +00:00
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
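--- a/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
+++ b/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
@@ -35,6 +35,7 @@
 #include "ClientRect.h"
 #include "ClientRectList.h"
 #include "Document.h"
+#include "DocumentFragment.h"
 #include "ElementRareData.h"
 #include "ExceptionCode.h"
 #include "FocusController.h"
@@ -42,6 +43,7 @@
 #include "FrameView.h"
 #include "HTMLElement.h"
 #include "HTMLNames.h"
+#include "HTMLTokenizer.h"
 #include "NamedNodeMap.h"
 #include "NodeList.h"
 #include "NodeRenderStyle.h"
@@ -49,6 +51,7 @@
 #include "RenderView.h"
 #include "TextIterator.h"
 #include "XMLNames.h"
+#include "XMLTokenizer.h"
 
 #if ENABLE(SVG)
 #include "SVGNames.h"
@@ -91,6 +94,51 @@ NodeRareData* Element::createRareData()
 {
 return new ElementRareData;
 }
+
+PassRefPtr<DocumentFragment> Element::createContextualFragment(const String& markup)
+{
+ RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get());
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop <html> and <body> elements and remove <head> to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr<Node> nextNode;
+ for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr<Node> nextChild;
+ for (RefPtr<Node> child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
 
 PassRefPtr<Node> Element::cloneNode(bool deep)
 {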
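Review bot: `ExceptionCode ignoredExceptionCode;` in the new Element::createContextualFragment is declared without an initializer, and the only checks on the removeChild/insertBefore results are `ASSERT(!ignoredExceptionCode)`, which release builds normally compile out. Unless every callee writes the code on success (not visible in this hunk), the debug assertions read an indeterminate value, and in a release build a failed move while unwrapping `<html>`/`<body>` would go unnoticed on markup that may be page-controlled. Suggest `ExceptionCode ignoredExceptionCode = 0;` at the declaration. The function would also benefit from a header comment stating that it returns 0 when XML fragment parsing fails, so callers know to null-check the result.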
2010-06-14 14:58:01 +00:00
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
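--- a/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
+++ b/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
@@ -28,6 +28,7 @@
 #include "ContainerNode.h"
 #include "QualifiedName.h"
 #include "ScrollTypes.h"
+#include "DocumentFragment.h"
 
 namespace WebCore {
 
@@ -89,6 +90,8 @@ public:
 DEFINE_ATTRIBUTE_EVENT_LISTENER(search);
 DEFINE_ATTRIBUTE_EVENT_LISTENER(selectstart);
 
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&);
+
 const AtomicString& getIDAttribute() const;
 bool hasAttribute(const QualifiedName&) const;
 const AtomicString& getAttribute(const QualifiedName&) const;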
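Review bot: The new `#include "DocumentFragment.h"` in Element.h is appended after ScrollTypes.h instead of in sorted position, and it pulls the full DocumentFragment definition into every file that includes Element.h although the added declaration only names the type inside `PassRefPtr<DocumentFragment>`. A forward declaration `class DocumentFragment;` inside `namespace WebCore` would presumably be enough, since Element.cpp includes the header itself in this same patch. The declaration also carries no comment about its null result; something like `// Returns 0 if the markup cannot be parsed; callers must check.` would document what the Element.cpp implementation does.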
2010-06-14 14:58:01 +00:00
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
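--- a/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
+++ b/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
@@ -1054,11 +1054,7 @@ String createMarkup(const Range* range,
 
 PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
 {
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
-
- RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup);
+ RefPtr<DocumentFragment> fragment = document->documentElement()->createContextualFragment(markup);
 
 if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
 completeURLs(fragment.get(), baseURL);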
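Review bot: `document->documentElement()->createContextualFragment(markup)` dereferences the document element without a null check, so a document that has no root element when createFragmentFromMarkup is called would crash on this line. The removed ASSERT and static_cast made the same assumption, so the commit removes the unchecked downcast to HTMLElement but leaves the null case as it was; whether every caller guarantees a root element is not visible in this hunk. Suggest `Element* root = document->documentElement();` followed by `if (!root) return 0;` before the call. The function body continues past the end of the hunk.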
2010-06-14 14:58:01 +00:00
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
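--- a/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
+++ b/qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
@@ -235,9 +235,9 @@ String HTMLElement::outerHTML() const
 return createMarkup(this);
 }
 
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &markup)
 {
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
 if (endTagRequirement() == TagStatusForbidden)
 return 0;
 
@@ -245,47 +245,7 @@ PassRefPtr<DocumentFragment> HTMLElement
 hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
 return 0;
 
- RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get());
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop <html> and <body> elements and remove <head> to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr<Node> nextNode;
- for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr<Node> nextChild;
- for (RefPtr<Node> child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup);
 }
 
 static inline bool hasOneChild(ContainerNode* node)
@@ -371,7 +331,7 @@ void HTMLElement::setOuterHTML(const Str
 
 void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
 {
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
 if (endTagRequirement() == TagStatusForbidden) {
 ec = NO_MODIFICATION_ALLOWED_ERR;
 return;
@@ -441,7 +401,7 @@ void HTMLElement::setInnerText(const Str
 
 void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
 {
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
 if (endTagRequirement() == TagStatusForbidden) {
 ec = NO_MODIFICATION_ALLOWED_ERR;
 return;
@@ -469,7 +429,7 @@ void HTMLElement::setOuterText(const Str
 if (ec)
 return;
 
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
 Node* prev = t->previousSibling();
 if (prev && prev->isTextNode()) {
 Text* textPrev = static_cast<Text*>(prev);
@@ -482,7 +442,7 @@ void HTMLElement::setOuterText(const Str
 t = textPrev;
 }
 
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
 Node* next = t->nextSibling();
 if (next && next->isTextNode()) {
 Text* textNext = static_cast<Text*>(next);
@@ -522,7 +482,7 @@ Node* HTMLElement::insertAdjacent(const
 return 0;
 }
 
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
 ec = NOT_SUPPORTED_ERR;
 return 0;
 }
@@ -530,7 +490,7 @@ Node* HTMLElement::insertAdjacent(const
 Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
 {
 if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
 ec = TYPE_MISMATCH_ERR;
 return 0;
 }
@@ -567,8 +527,8 @@ void HTMLElement::addHTMLAlignment(Mappe
 
 void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr)
 {
- // vertical alignment with respect to the current baseline of the text
- // right or left means floating images
+ // Vertical alignment with respect to the current baseline of the text
+ // right or left means floating images.
 int floatValue = CSSValueInvalid;
 int verticalAlignValue = CSSValueInvalid;
 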
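Review bot: The reworded comment in the addHTMLAlignmentToStyledElement hunk now reads as one run-on sentence, because its first line was capitalised but still ends without punctuation while only the second line gained a full stop. Suggest `// Vertical alignment is with respect to the current baseline of the text;` followed by `// right or left means floating images.` so the two statements stay distinct. In the createContextualFragment hunk the override also keeps the `const String &markup` spelling while the new Element.cpp definition in this patch uses `const String& markup`; aligning the two would match the rest of the cleanup. Both functions extend beyond their hunks.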