diff -U0 qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog 2010-05-03 15:55:37.703101680 +0200
@@ -0,0 +1,90 @@ +2010-01-20 Adam Barth + + Reviewed by Darin Adler. + + Stylesheet href property shows redirected URL unlike other browsers + https://bugs.webkit.org/show_bug.cgi?id=33683 + + Teach StyleSheet the difference between original and final URLs in + redirect chains. Unfortunately, StyleSheet needs to know both of these + URLs. The original URL is needed for the href property and the final + URL is needed as the baseURL. + + This change required touching a lot of lines of code because we need to + plumb this information to the StyleSheet object. I audited all + existing clients of href() and setHref() to see whether they wanted the + original or final URLs. I then updated the clients (except the JS + bindings themselves) to use the correct accessor. + + Test: http/tests/security/stylesheet-href-redirect.html + + * css/CSSImportRule.cpp: + (WebCore::CSSImportRule::setCSSStyleSheet): + (WebCore::CSSImportRule::insertedIntoParent): + * css/CSSImportRule.h: + * css/CSSStyleSheet.cpp: + (WebCore::CSSStyleSheet::CSSStyleSheet): + * css/CSSStyleSheet.h: + (WebCore::CSSStyleSheet::create): + (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal + with "inline" style sheets that don't have a distinct original and + final URL. + * css/StyleBase.cpp: + (WebCore::StyleBase::baseURL): This code wants to use the final URL, + not the original URL. Updated it to grab the baseURL directly. + * css/StyleSheet.cpp: + (WebCore::StyleSheet::StyleSheet): + * css/StyleSheet.h: + (WebCore::StyleSheet::href): + (WebCore::StyleSheet::setBaseURL): This function really just updates + the base URL of the style sheet, so I made it more explicit. + (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the + base URL, but baseURL is already taken. 
+ * dom/Document.cpp: + (WebCore::Document::updateBaseURL): + (WebCore::Document::pageUserSheet): + (WebCore::Document::pageGroupUserSheets): + (WebCore::Document::elementSheet): + (WebCore::Document::mappedElementSheet): + * dom/ProcessingInstruction.cpp: + (WebCore::ProcessingInstruction::checkStyleSheet): + (WebCore::ProcessingInstruction::setCSSStyleSheet): + (WebCore::ProcessingInstruction::setXSLStyleSheet): + * dom/ProcessingInstruction.h: + * dom/StyleElement.cpp: + (WebCore::StyleElement::createSheet): + * html/HTMLLinkElement.cpp: + (WebCore::HTMLLinkElement::setCSSStyleSheet): + * html/HTMLLinkElement.h: + * loader/CachedCSSStyleSheet.cpp: + (WebCore::CachedCSSStyleSheet::didAddClient): + (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both + the original and final URL into setCSSStyleSheet so that the style + sheet can have both. + * loader/CachedResourceClient.h: + (WebCore::CachedResourceClient::setCSSStyleSheet): + (WebCore::CachedResourceClient::setXSLStyleSheet): + * loader/CachedXSLStyleSheet.cpp: + (WebCore::CachedXSLStyleSheet::didAddClient): + (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct + evidence that we need to change the XSLStyleSheet behavior, which is + why I wasn't able to add a test for the behavior. However, the objects + are parallel enough that it seemed like the right thing to do. 
+ * xml/XSLImportRule.cpp: + (WebCore::XSLImportRule::setXSLStyleSheet): + (WebCore::XSLImportRule::loadSheet): + * xml/XSLImportRule.h: + * xml/XSLStyleSheet.h: + (WebCore::XSLStyleSheet::create): + (WebCore::XSLStyleSheet::createEmbedded): + * xml/XSLStyleSheetLibxslt.cpp: + (WebCore::XSLStyleSheet::XSLStyleSheet): + (WebCore::XSLStyleSheet::parseString): + (WebCore::XSLStyleSheet::loadChildSheets): + * xml/XSLStyleSheetQt.cpp: + (WebCore::XSLStyleSheet::XSLStyleSheet): + * xml/XSLTProcessorLibxslt.cpp: + (WebCore::xsltStylesheetPointer): + * xml/XSLTProcessorQt.cpp: + (WebCore::XSLTProcessor::transformToString): + diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.652102626 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-05-03 16:49:14.631038884 +0200 @@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule() m_cachedSheet->removeClient(this); } -void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) +void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) { if (m_styleSheet) m_styleSheet->setParent(0); - m_styleSheet = CSSStyleSheet::create(this, url, charset); + m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset); bool crossOriginCSS = false; bool validMIMEType = false; 
@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType); m_styleSheet->parseString(sheetText, strict); - if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) + if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL)) crossOriginCSS = true; if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader()) - m_styleSheet = CSSStyleSheet::create(this, url, charset); + m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset); if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) { // Work around . DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css")); DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n")); - if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) { + if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) { ASSERT(m_styleSheet->length() == 1); ExceptionCode ec; m_styleSheet->deleteRule(0, ec); 
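Review bot: The origin check in this hunk of `CSSImportRule::setCSSStyleSheet` now runs `canRequest(baseURL)`, but nothing at that line says why the final URL rather than `href` is the right input, and the adjacent `href`/`baseURL` parameters are easy to mix up in later edits. A short comment above the check would pin it down, e.g. `// Cross-origin decision must use the post-redirect URL (baseURL); href is the URL as requested and only backs the href property.` The function's signature is in the preceding hunk and its body continues past this one.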
@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent() return; String absHref = m_strHref; - if (!parentSheet->href().isNull()) + if (!parentSheet->putativeBaseURL().isNull()) // use parent styleheet's URL as the base URL - absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string(); + absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string(); // Check for a cycle in our import chain. If we encounter a stylesheet // in our parent chain with the same URL, then just bail. StyleBase* root = this; for (StyleBase* curr = parent(); curr; curr = curr->parent()) { - if (curr->isCSSStyleSheet() && absHref == static_cast(curr)->href()) + // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL. + if (curr->isCSSStyleSheet() && absHref == static_cast(curr)->putativeBaseURL().string()) return; root = curr; } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h 2010-05-03 15:55:37.740976769 +0200 
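Review bot: The import-cycle check in `CSSImportRule::insertedIntoParent` compares `absHref`, which is the URL about to be requested, only against each ancestor's `putativeBaseURL()`, which is the URL after redirects. An ancestor that was requested under one URL and served from another would not match its own request URL, so an import chain that loops through a redirect appears to slip past the check; the added FIXME covers `updateBaseURL` but not this case. Consider matching either value, e.g. `absHref == sheet->href() || absHref == sheet->putativeBaseURL().string()`, with `sheet` being the cast ancestor. `XSLImportRule::loadSheet` (the `@@ -87,14` hunk in xml/XSLImportRule.cpp) has the same comparison. The function begins before this hunk.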
@@ -63,7 +63,7 @@ private: virtual unsigned short type() const { return IMPORT_RULE; } // from CachedResourceClient - virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*); + virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*); String m_strHref; RefPtr m_lstMedia; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-05-03 15:55:37.740976769 +0200 @@ -33,8 +33,8 @@ namespace WebCore { -CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset) - : StyleSheet(parentSheet, href) +CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset) + : StyleSheet(parentSheet, href, baseURL) , m_doc(parentSheet ? parentSheet->doc() : 0) , m_namespaces(0) , m_charset(charset) @@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe { } -CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset) - : StyleSheet(parentNode, href) +CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset) + : StyleSheet(parentNode, href, baseURL) , m_doc(parentNode->document()) , m_namespaces(0) , m_charset(charset) 
@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren { } -CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset) - : StyleSheet(ownerRule, href) +CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset) + : StyleSheet(ownerRule, href, baseURL) , m_namespaces(0) , m_charset(charset) , m_loadCompleted(false) diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-05-03 15:55:37.745101706 +0200 
@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet public: static PassRefPtr create() { - return adoptRef(new CSSStyleSheet(static_cast(0), String(), String())); + return adoptRef(new CSSStyleSheet(static_cast(0), String(), KURL(), String())); } static PassRefPtr create(Node* ownerNode) { - return adoptRef(new CSSStyleSheet(ownerNode, String(), String())); + return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String())); } - static PassRefPtr create(Node* ownerNode, const String& href) + static PassRefPtr create(Node* ownerNode, const String& href, const KURL& baseURL) { - return adoptRef(new CSSStyleSheet(ownerNode, href, String())); + return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String())); } - static PassRefPtr create(Node* ownerNode, const String& href, const String& charset) + static PassRefPtr create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset) { - return adoptRef(new CSSStyleSheet(ownerNode, href, charset)); + return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset)); } - static PassRefPtr create(CSSRule* ownerRule, const String& href, const String& charset) + static PassRefPtr create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset) { - return adoptRef(new CSSStyleSheet(ownerRule, href, charset)); + return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset)); + } + static PassRefPtr createInline(Node* ownerNode, const KURL& baseURL) + { + return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String())); } virtual ~CSSStyleSheet(); - + CSSRule* ownerRule() const; PassRefPtr cssRules(bool omitCharsetRules = false); unsigned insertRule(const String& rule, unsigned index, ExceptionCode&); 
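Review bot: `createInline` stores `baseURL.string()` as `href`, but the header gives no hint that the two values can diverge afterwards. The `Document::updateBaseURL` hunk now calls only `setBaseURL`, and `setHref` is removed in StyleSheet.h, so `href()` on `m_elemSheet` and `m_mappedElementSheet` keeps the value captured at creation. If that is intended, a comment on the factory would say so, e.g. `// Inline sheets have no redirect chain: href is a snapshot of baseURL at creation and is not updated by setBaseURL().` If any caller still expects `href()` to track the document base URL, that caller needs to move to `putativeBaseURL()`.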
@@ -72,7 +76,7 @@ public: void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri); const AtomicString& determineNamespace(const AtomicString& prefix); - + virtual void styleSheetChanged(); virtual bool parseString(const String&, bool strict = true); @@ -99,10 +103,10 @@ public: bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; } private: - CSSStyleSheet(Node* ownerNode, const String& href, const String& charset); - CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset); - CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset); - + CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset); + CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset); + CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset); + virtual bool isCSSStyleSheet() const { return true; } virtual String type() const { return "text/css"; } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:20.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp 2010-05-03 15:55:37.757976382 +0200 
@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const StyleSheet* sheet = const_cast(this)->stylesheet(); if (!sheet) return KURL(); - if (!sheet->href().isNull()) - return KURL(ParsedURLString, sheet->href()); - if (sheet->parent()) + if (!sheet->putativeBaseURL().isNull()) + return sheet->putativeBaseURL(); + if (sheet->parent()) return sheet->parent()->baseURL(); if (!sheet->ownerNode()) return KURL(); diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp 2010-05-03 15:55:37.758976847 +0200 
@@ -26,27 +26,30 @@ namespace WebCore { -StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href) +StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL) : StyleList(parentSheet) , m_parentNode(0) - , m_strHref(href) + , m_href(href) + , m_baseURL(baseURL) , m_disabled(false) { } -StyleSheet::StyleSheet(Node* parentNode, const String& href) +StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL) : StyleList(0) , m_parentNode(parentNode) - , m_strHref(href) + , m_href(href) + , m_baseURL(baseURL) , m_disabled(false) { } -StyleSheet::StyleSheet(StyleBase* owner, const String& href) +StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL) : StyleList(owner) , m_parentNode(0) - , m_strHref(href) + , m_href(href) + , m_baseURL(baseURL) , m_disabled(false) { } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h 2010-05-03 15:55:37.758976847 +0200 
@@ -41,8 +41,18 @@ public: Node* ownerNode() const { return m_parentNode; } StyleSheet *parentStyleSheet() const; - const String& href() const { return m_strHref; } - void setHref(const String& href) { m_strHref = href; } + + // Note that href is the URL that started the redirect chain that led to + // this style sheet. This property probably isn't useful for much except + // the JavaScript binding (which needs to use this value for security). + const String& href() const { return m_href; } + + void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; } + + // Notice that this object inherits a baseURL function from StyleBase that + // crawls the parent() relation looking for a non-0 putativeBaseURL. + const KURL& putativeBaseURL() const { return m_baseURL; } + const String& title() const { return m_strTitle; } void setTitle(const String& s) { m_strTitle = s; } MediaList* media() const { return m_media.get(); } 
@@ -58,15 +68,16 @@ public: virtual bool parseString(const String&, bool strict = true) = 0; protected: - StyleSheet(Node* ownerNode, const String& href); - StyleSheet(StyleSheet* parentSheet, const String& href); - StyleSheet(StyleBase* owner, const String& href); + StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL); + StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL); + StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL); private: virtual bool isStyleSheet() const { return true; } Node* m_parentNode; - String m_strHref; + String m_href; + KURL m_baseURL; String m_strTitle; RefPtr m_media; bool m_disabled; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp 2010-05-03 15:55:37.760977901 +0200 @@ -1920,9 +1920,9 @@ void Document::updateBaseURL() m_baseURL = KURL(); if (m_elemSheet) - m_elemSheet->setHref(m_baseURL.string()); + m_elemSheet->setBaseURL(m_baseURL); if (m_mappedElementSheet) - m_mappedElementSheet->setHref(m_baseURL.string()); + m_mappedElementSheet->setBaseURL(m_baseURL); } String Document::userAgent(const KURL& url) const @@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet() return 0; // Parse the sheet and cache it. - m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation()); + m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation()); m_pageUserSheet->setIsUserStyleSheet(true); m_pageUserSheet->parseString(userSheetText, !inCompatMode()); return m_pageUserSheet.get(); 
@@ -1979,7 +1979,7 @@ const Vector >* Do const UserStyleSheet* sheet = sheets->at(i).get(); if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist())) continue; - RefPtr parsedSheet = CSSStyleSheet::create(const_cast(this), sheet->url()); + RefPtr parsedSheet = CSSStyleSheet::createInline(const_cast(this), sheet->url()); parsedSheet->setIsUserStyleSheet(true); parsedSheet->parseString(sheet->source(), !inCompatMode()); if (!m_pageGroupUserSheets) @@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets( CSSStyleSheet* Document::elementSheet() { if (!m_elemSheet) - m_elemSheet = CSSStyleSheet::create(this, m_baseURL.string()); + m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL); return m_elemSheet.get(); } CSSStyleSheet* Document::mappedElementSheet() { if (!m_mappedElementSheet) - m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string()); + m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL); return m_mappedElementSheet.get(); } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-05-03 15:55:37.761977599 +0200 @@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh // We need to make a synthetic XSLStyleSheet that is embedded. It needs to be able // to kick off import/include loads that can hang off some parent sheet. if (m_isXSL) { - m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref); + KURL baseURL = KURL(ParsedURLString, m_localHref); + m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL); m_loading = false; } #endif 
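Review bot: In the `ProcessingInstruction::checkStyleSheet` hunk, `KURL(ParsedURLString, m_localHref)` treats `m_localHref` as an already-canonical URL string, and the result becomes the base URL stored on the embedded XSL sheet. `m_localHref` is assigned outside this hunk; if it can hold a bare fragment identifier or another non-canonical value, the base URL will be invalid or wrong with no parsing step to notice. Either state the expected form of `m_localHref` in a comment at this line, or derive the base by resolving it against the document's URL; which one is right needs confirming against the surrounding code.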
@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded( return false; } -void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) +void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) { #if ENABLE(XSLT) ASSERT(!m_isXSL); #endif - RefPtr newSheet = CSSStyleSheet::create(this, url, charset); + RefPtr newSheet = CSSStyleSheet::create(this, href, baseURL, charset); m_sheet = newSheet; // We don't need the cross-origin security check here because we are // getting the sheet text in "strict" mode. This enforces a valid CSS MIME @@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS } #if ENABLE(XSLT) -void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet) +void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet) { ASSERT(m_isXSL); - m_sheet = XSLStyleSheet::create(this, url); + m_sheet = XSLStyleSheet::create(this, href, baseURL); parseStyleSheet(sheet); } #endif diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h 2010-05-03 15:55:37.761977599 +0200 
@@ -68,9 +68,9 @@ private: virtual void removedFromDocument(); void checkStyleSheet(); - virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*); + virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*); #if ENABLE(XSLT) - virtual void setXSLStyleSheet(const String& url, const String& sheet); + virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet); #endif bool isLoading() const; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp 2010-05-03 15:55:37.762976937 +0200 
@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element* if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) { document->addPendingSheet(); setLoading(true); - m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding()); + m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding()); m_sheet->parseString(text, !document->inCompatMode()); m_sheet->setMedia(mediaList.get()); m_sheet->setTitle(e->title()); diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-05-03 17:02:45.528101154 +0200 @@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild HTMLElement::finishParsingChildren(); } -void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) +void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) { - m_sheet = CSSStyleSheet::create(this, url, charset); + m_sheet = CSSStyleSheet::create(this, href, baseURL, charset); bool strictParsing = !document()->inCompatMode(); bool enforceMIMEType = strictParsing; 
@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c // valid CSS rule. // This prevents an attacker playing games by injecting CSS strings into // HTML, XML, JSON, etc. etc. - if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) + if (!document()->securityOrigin()->canRequest(baseURL)) crossOriginCSS = true; if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader()) - m_sheet = CSSStyleSheet::create(this, url, charset); + m_sheet = CSSStyleSheet::create(this, href, baseURL, charset); if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) { // Work around . @@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n")); // There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet, // while the other lacks the second trailing newline. - if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText) + if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText) && sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) { ASSERT(m_sheet->length() == 1); ExceptionCode ec; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h 2010-05-03 15:55:37.773083096 +0200 
@@ -79,7 +79,7 @@ public: virtual void removedFromDocument(); // from CachedResourceClient - virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet); + virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet); bool isLoading() const; virtual bool sheetLoaded(); diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-05-03 15:55:37.774976529 +0200 @@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c) { if (!m_loading) - c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this); + c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this); } - + void CachedCSSStyleSheet::allClientsRemoved() { if (isSafeToMakePurgeable()) 
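Review bot: The two arguments at `c->setCSSStyleSheet(m_url, m_response.url(), ...)` in `CachedCSSStyleSheet::didAddClient` carry the whole distinction this patch introduces, yet the call site does not say which is which. Add a comment such as `// href: URL as originally requested; baseURL: final URL after redirects, used for origin checks and relative resolution.` The same call appears in `checkNotify` (`@@ -112,7`) and in the two `CachedXSLStyleSheet` hunks. It would also help to note what clients receive when `m_response.url()` is empty, since that case is not visible in these hunks.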
@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify() CachedResourceClientWalker w(m_clients); while (CachedResourceClient *c = w.next()) - c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this); + c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this); } void CachedCSSStyleSheet::error() diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h 2010-05-03 15:55:37.775976911 +0200 @@ -42,6 +42,7 @@ namespace WebCore { class String; class Image; class IntRect; + class KURL; /** * @internal 
@@ -65,8 +66,8 @@ namespace WebCore { // e.g., in the b/f cache or in a background tab). virtual bool willRenderImage(CachedImage*) { return false; } - virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { } - virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { } + virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { } + virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { } virtual void fontLoaded(CachedFont*) {}; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp 2010-05-03 15:55:37.789038977 +0200 @@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c) { if (!m_loading) - c->setXSLStyleSheet(m_url, m_sheet); + c->setXSLStyleSheet(m_url, m_response.url(), m_sheet); } void CachedXSLStyleSheet::setEncoding(const String& chs) 
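Review bot: Changing the parameter lists of the no-op defaults `setCSSStyleSheet` and `setXSLStyleSheet` in `CachedResourceClient` means any subclass still declaring the old signature keeps compiling but no longer overrides anything, so its sheet callback is silently never invoked. The patch updates the clients shown in this diff; port-specific or out-of-tree clients are not visible here and should be checked. Building once with GCC's `-Woverloaded-virtual` would surface stale declarations.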
@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify() CachedResourceClientWalker w(m_clients); while (CachedResourceClient *c = w.next()) - c->setXSLStyleSheet(m_url, m_sheet); + c->setXSLStyleSheet(m_url, m_response.url(), m_sheet); } - void CachedXSLStyleSheet::error() { m_loading = false; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp 2010-05-03 15:55:37.789038977 +0200 @@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl return (parent() && parent()->isXSLStyleSheet()) ? static_cast(parent()) : 0; } -void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet) +void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet) { if (m_styleSheet) m_styleSheet->setParent(0); - - m_styleSheet = XSLStyleSheet::create(this, url); - + + m_styleSheet = XSLStyleSheet::create(this, href, baseURL); + XSLStyleSheet* parent = parentStyleSheet(); if (parent) m_styleSheet->setParentStyleSheet(parent); 
@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet() String absHref = m_strHref; XSLStyleSheet* parentSheet = parentStyleSheet(); - if (!parentSheet->href().isNull()) + if (!parentSheet->putativeBaseURL().isNull()) // use parent styleheet's URL as the base URL - absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string(); + absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string(); // Check for a cycle in our import chain. If we encounter a stylesheet // in our parent chain with the same URL, then just bail. for (parent = this->parent(); parent; parent = parent->parent()) { - if (parent->isXSLStyleSheet() && absHref == static_cast(parent)->href()) + if (parent->isXSLStyleSheet() && absHref == static_cast(parent)->putativeBaseURL().string()) return; } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h 2010-05-03 15:55:37.789981560 +0200 
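Review bot: The import-cycle check in `loadSheet()` now compares the requested `absHref` only against each ancestor's `putativeBaseURL()`, so an ancestor that was reached through a redirect no longer matches the URL it was requested under. Where the requested and final URLs differ, a repeated import of the redirecting URL would presumably not be recognised as a cycle, which leaves the recursion unbounded. Comparing against both values keeps the bail-out conservative, e.g. `if (absHref == sheet->putativeBaseURL().string() || absHref == sheet->href()) return;` with `sheet` being the cast ancestor. Separately, `parentSheet` is dereferenced on the changed `if` line although `parentStyleSheet()`, visible in the preceding XSLImportRule.cpp hunk, can return 0. The function starts and ends outside the hunk.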
@@ -57,7 +57,7 @@ private: virtual bool isImportRule() { return true; } // from CachedResourceClient - virtual void setXSLStyleSheet(const String& url, const String& sheet); + virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet); String m_strHref; RefPtr m_styleSheet; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h 2010-05-03 15:55:37.827976887 +0200 @@ -43,18 +43,18 @@ class XSLImportRule; class XSLStyleSheet : public StyleSheet { public: #if !USE(QXMLQUERY) - static PassRefPtr create(XSLImportRule* parentImport, const String& href) + static PassRefPtr create(XSLImportRule* parentImport, const String& href, const KURL& baseURL) { - return adoptRef(new XSLStyleSheet(parentImport, href)); + return adoptRef(new XSLStyleSheet(parentImport, href, baseURL)); } #endif - static PassRefPtr create(Node* parentNode, const String& href) + static PassRefPtr create(Node* parentNode, const String& href, const KURL& baseURL) { - return adoptRef(new XSLStyleSheet(parentNode, href, false)); + return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false)); } - static PassRefPtr createEmbedded(Node* parentNode, const String& href) + static PassRefPtr createEmbedded(Node* parentNode, const String& href, const KURL& baseURL) { - return adoptRef(new XSLStyleSheet(parentNode, href, true)); + return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true)); } virtual ~XSLStyleSheet(); 
@@ -90,9 +90,9 @@ public: bool processed() const { return m_processed; } private: - XSLStyleSheet(Node* parentNode, const String& href, bool embedded); + XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded); #if !USE(QXMLQUERY) - XSLStyleSheet(XSLImportRule* parentImport, const String& href); + XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL); #endif Document* m_ownerDocument; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp 2010-05-03 15:55:37.837079694 +0200 @@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI, namespace WebCore { -XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href) - : StyleSheet(parentRule, href) +XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL) + : StyleSheet(parentRule, href, baseURL) , m_ownerDocument(0) , m_embedded(false) , m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them. @@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu { } -XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded) - : StyleSheet(parentNode, href) +XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded) + : StyleSheet(parentNode, href, baseURL) , m_ownerDocument(parentNode->document()) , m_embedded(embedded) , m_processed(true) // The root sheet starts off processed. 
@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St } m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size, - href().utf8().data(), + putativeBaseURL().string().utf8().data(), BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE", XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA); xmlFreeParserCtxt(ctxt); @@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets() if (m_embedded) { // We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the // import/include list. - xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data())); + xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data())); if (!idNode) return; stylesheetRoot = idNode->parent; diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp 2010-05-03 15:55:37.837977083 +0200 
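Review bot: In the `m_embedded` branch of `loadChildSheets()`, the string handed to `xmlGetID()` is an element ID, yet the new line takes it from `putativeBaseURL().string()`. That only finds the embedded stylesheet element if the caller of `createEmbedded()` stored the bare ID as the base URL, and that call site is not part of this patch. If a resolved URL is stored there instead, the lookup returns no node and the function returns early without walking the import list. Keeping `href()` for this lookup would make the contract explicit, as would a comment such as `// For embedded sheets the base URL string holds the element ID, not a URL`. The function body continues outside the hunk.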
@@ -33,8 +33,8 @@ namespace WebCore { -XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded) - : StyleSheet(parentNode, href) +XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded) + : StyleSheet(parentNode, href, baseURL) , m_ownerDocument(parentNode->document()) , m_embedded(embedded) { diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp 2010-05-03 15:55:37.837977083 +0200 @@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP { if (!cachedStylesheet && stylesheetRootNode) { cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode, - stylesheetRootNode->document()->url().string()); + stylesheetRootNode->document()->url().string(), + stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here? cachedStylesheet->parseString(createMarkup(stylesheetRootNode)); } diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp --- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 +++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp 2010-05-03 15:55:37.915979873 +0200 
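Review bot: The `// FIXME: Should we use baseURL here?` on the new third argument to `XSLStyleSheet::create()` in the XSLTProcessorLibxslt.cpp hunk leaves the base-URL choice undocumented at a call site this security fix touches. Both `href` and `baseURL` are taken from `document()->url()`, so the original/final split introduced by this patch has no effect here and no additional URL becomes visible through `href`. The only open question is whether relative imports should resolve against the document's base URL instead. A comment stating that, for example `// href and baseURL are both the owner document's URL; relative imports resolve against it`, would be more useful to the next reader than the bare FIXME. The same arguments and FIXME appear in the `transformToString()` hunk of XSLTProcessorQt.cpp that follows.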
@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No RefPtr stylesheet = m_stylesheet; if (!stylesheet && m_stylesheetRootNode) { Node* node = m_stylesheetRootNode.get(); - stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string()); + stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, + node->document()->url().string(), + node->document()->url()); // FIXME: Should we use baseURL here? stylesheet->parseString(createMarkup(node)); }