Bug 650501 - Avoid assuming that a parser object has a non-null content sink when an attempt to execute a script is made. r=Olli.Pettay.

This commit is contained in:
Henri Sivonen 2011-04-19 10:10:48 +03:00
parent c63d7da1cd
commit 183870ea59
3 changed files with 31 additions and 6 deletions


@ -166,13 +166,15 @@ nsScriptElement::MaybeProcessScript()
mAlreadyStarted = PR_TRUE;
nsIDocument* ownerDoc = cont->GetOwnerDoc();
nsCOMPtr<nsIParser> parser = ((nsIScriptElement*)this)->GetCreatorParser();
nsCOMPtr<nsIParser> parser = ((nsIScriptElement*) this)->GetCreatorParser();
if (parser) {
nsCOMPtr<nsIDocument> parserDoc =
do_QueryInterface(parser->GetContentSink()->GetTarget());
if (ownerDoc != parserDoc) {
// Willful violation of HTML5 as of 2010-12-01
return NS_OK;
nsCOMPtr<nsIContentSink> sink = parser->GetContentSink();
if (sink) {
nsCOMPtr<nsIDocument> parserDoc = do_QueryInterface(sink->GetTarget());
if (ownerDoc != parserDoc) {
// Willful violation of HTML5 as of 2010-12-01
return NS_OK;
}
}
}
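Review bot: The new `if (sink)` guard has no else branch, so when the parser's content sink is already gone the owner-document comparison is skipped and control falls through to running the script, which is the opposite outcome from the mismatch branch directly below it that returns NS_OK. Nothing in the hunk records why falling through is the right default, and a reader who later hardens this path is likely to assume a sink-less parser should suppress the script instead. If running is intended, state it on the guard, e.g. `// No sink: the parser has no target document to compare against, so the ownership check is skipped and the script runs`, after confirming that reading against the bug; if it is not, `if (!sink) { return NS_OK; }` mirroring the mismatch case would be the conservative form. MaybeProcessScript starts and ends outside this hunk.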


@ -0,0 +1,22 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>
<![CDATA[
function boom()
{
var a = document.createElement("div");
a.innerHTML = "<script>1;<\/script>";
var b = document.createElement("div")
try { b.innerHTML = "<"; } catch (invalidXML) { }
document.documentElement.appendChild(a);
}
]]>
</script>
</head>
<body onload="boom();"></body>
</html>
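Review bot: `var b = document.createElement("div")` in boom() is missing its terminating semicolon; automatic semicolon insertion makes it run, but every other statement in the function is terminated, so `var b = document.createElement("div");` keeps the file consistent. The test also gives no hint of what it exercises; a one-line comment at the top of the CDATA block, e.g. `// Bug 650501: assign invalid XML via innerHTML on one div, then attach a div whose innerHTML holds a script`, would tell the next person what sequence this crashtest guards and avoid it being "simplified" away.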


@ -46,3 +46,4 @@ load 563514-1.html
load 574884-1.html
load 574884-2.html
load 591330-1.html
load 650501-1.xhtml