rpms
/
qt
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
qt/qt-everywhere-opensource-sr...

245 lines
10 KiB
Diff
Raw Blame History

diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp 2010-06-11 16:12:55.750525354 +0200
@@ -35,6 +35,7 @@
#include "ClientRect.h"
#include "ClientRectList.h"
#include "Document.h"
+#include "DocumentFragment.h"
#include "ElementRareData.h"
#include "ExceptionCode.h"
#include "FocusController.h"
@@ -42,6 +43,7 @@
#include "FrameView.h"
#include "HTMLElement.h"
#include "HTMLNames.h"
+#include "HTMLTokenizer.h"
#include "NamedNodeMap.h"
#include "NodeList.h"
#include "NodeRenderStyle.h"
@@ -49,6 +51,7 @@
#include "RenderView.h"
#include "TextIterator.h"
#include "XMLNames.h"
+#include "XMLTokenizer.h"
#if ENABLE(SVG)
#include "SVGNames.h"
@@ -91,6 +94,51 @@ NodeRareData* Element::createRareData()
{
return new ElementRareData;
}
+
+PassRefPtr<DocumentFragment> Element::createContextualFragment(const String& markup)
+{
+ RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get());
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop <html> and <body> elements and remove <head> to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr<Node> nextNode;
+ for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr<Node> nextChild;
+ for (RefPtr<Node> child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
PassRefPtr<Node> Element::cloneNode(bool deep)
{
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h 2010-06-14 16:54:57.639394749 +0200
@@ -28,6 +28,7 @@
#include "ContainerNode.h"
#include "QualifiedName.h"
#include "ScrollTypes.h"
+#include "DocumentFragment.h"
namespace WebCore {
@@ -89,6 +90,8 @@ public:
DEFINE_ATTRIBUTE_EVENT_LISTENER(search);
DEFINE_ATTRIBUTE_EVENT_LISTENER(selectstart);
+ virtual PassRefPtr<DocumentFragment> createContextualFragment(const String&);
+
const AtomicString& getIDAttribute() const;
bool hasAttribute(const QualifiedName&) const;
const AtomicString& getAttribute(const QualifiedName&) const;
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp 2010-06-11 16:12:55.752525451 +0200
@@ -1054,11 +1054,7 @@ String createMarkup(const Range* range,
PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
{
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
-
- RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup);
+ RefPtr<DocumentFragment> fragment = document->documentElement()->createContextualFragment(markup);
if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
completeURLs(fragment.get(), baseURL);
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp 2010-06-11 16:12:55.753537613 +0200
@@ -235,9 +235,9 @@ String HTMLElement::outerHTML() const
return createMarkup(this);
}
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &markup)
{
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
if (endTagRequirement() == TagStatusForbidden)
return 0;
@@ -245,47 +245,7 @@ PassRefPtr<DocumentFragment> HTMLElement
hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
return 0;
- RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get());
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop <html> and <body> elements and remove <head> to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr<Node> nextNode;
- for (RefPtr<Node> node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr<Node> nextChild;
- for (RefPtr<Node> child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup);
}
static inline bool hasOneChild(ContainerNode* node)
@@ -371,7 +331,7 @@ void HTMLElement::setOuterHTML(const Str
void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -441,7 +401,7 @@ void HTMLElement::setInnerText(const Str
void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
{
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
if (endTagRequirement() == TagStatusForbidden) {
ec = NO_MODIFICATION_ALLOWED_ERR;
return;
@@ -469,7 +429,7 @@ void HTMLElement::setOuterText(const Str
if (ec)
return;
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
Node* prev = t->previousSibling();
if (prev && prev->isTextNode()) {
Text* textPrev = static_cast<Text*>(prev);
@@ -482,7 +442,7 @@ void HTMLElement::setOuterText(const Str
t = textPrev;
}
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
Node* next = t->nextSibling();
if (next && next->isTextNode()) {
Text* textNext = static_cast<Text*>(next);
@@ -522,7 +482,7 @@ Node* HTMLElement::insertAdjacent(const
return 0;
}
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = NOT_SUPPORTED_ERR;
return 0;
}
@@ -530,7 +490,7 @@ Node* HTMLElement::insertAdjacent(const
Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
{
if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
ec = TYPE_MISMATCH_ERR;
return 0;
}
@@ -567,8 +527,8 @@ void HTMLElement::addHTMLAlignment(Mappe
void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr)
{
- // vertical alignment with respect to the current baseline of the text
- // right or left means floating images
+ // Vertical alignment with respect to the current baseline of the text
+ // right or left means floating images.
int floatValue = CSSValueInvalid;
int verticalAlignValue = CSSValueInvalid;
Reference in New Issue View Git Blame Copy Permalink