[webkit-reviews] review granted: [Bug 45218] Move functions from Frame to Editor as planned : [Attachment 67059] Patch
bugzilla-daemon at webkit.org
Thu Sep 9 12:35:51 PDT 2010
Adam Barth <abarth at webkit.org> has granted Darin Adler <darin at apple.com>'s
request for review:
Bug 45218: Move functions from Frame to Editor as planned
https://bugs.webkit.org/show_bug.cgi?id=45218
Attachment 67059: Patch
https://bugs.webkit.org/attachment.cgi?id=67059&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context:
https://bugs.webkit.org/attachment.cgi?id=67059&action=prettypatch
> WebCore/editing/Editor.cpp:3366
> + styleElement->appendChild(m_frame->document()->createEditingTextNode(""), ec);
> + ASSERT(!ec);
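Review bot: the ASSERT(!ec) on the second line only checks in debug builds, so in a release build a failing appendChild leaves ec set and execution continues with the editing text node missing from styleElement; if insertion can fail here at all, test ec and bail out instead of asserting.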
This is a security vulnerability. appendChild fires DOM mutation events, which
run JavaScript, which can make |node| point off into unallocated memory.
Please RefPtr node.
> WebCore/editing/Editor.cpp:3394
> + Node* shadowTreeRoot = selection.shadowTreeRootNode();
I bet this needs to be RefPtr for the same reason.
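The failure mode described in the review above, as an added example (constructed for this page, not WebKit code): a toy RefPtr and Node stand in for WebCore's classes, and a mutation listener that removes the freshly inserted child shows why a raw Node* held across appendChild ends up dangling while a RefPtr in the caller's frame keeps the node alive.

```cpp
#include <functional>
#include <vector>

// Constructed stand-in for WebCore's intrusive RefPtr (not WebCore's real class).
template <typename T> class RefPtr {
public:
    RefPtr(T* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { if (o.m_ptr) o.m_ptr->ref(); T* old = m_ptr; m_ptr = o.m_ptr; if (old) old->deref(); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    T* m_ptr;
};

static int g_nodesDestroyed = 0;  // number of Node destructors that have run

struct Node {
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    ~Node() { ++g_nodesDestroyed; }
    std::function<void(Node*, Node*)> mutationListener;  // stands in for a DOMNodeInserted script handler
    std::vector<RefPtr<Node>> children;
    int m_refCount = 0;
    void appendChild(Node* child) {
        children.push_back(child);                            // the parent now holds one ref
        if (mutationListener) mutationListener(this, child);  // re-entrant: arbitrary code runs here
    }
    void removeChild(Node* child) {
        for (size_t i = 0; i < children.size(); ++i)
            if (children[i].get() == child) { children.erase(children.begin() + i); return; }
    }
};

// The pattern the review flags: a raw Node* held across appendChild. Returns true if the node was freed.
bool rawPointerAcrossAppendChild() {
    int before = g_nodesDestroyed;
    RefPtr<Node> parent(new Node);
    parent->mutationListener = [](Node* p, Node* c) { p->removeChild(c); };
    Node* node = new Node;      // refcount 0: nobody owns it yet
    parent->appendChild(node);  // the listener removes it, the count hits 0, the node is deleted
    return g_nodesDestroyed == before + 1;  // 'node' now dangles; touching it would be a use-after-free
}

// The requested fix: RefPtr keeps the node alive for as long as this function needs it.
bool refPtrAcrossAppendChild() {
    int before = g_nodesDestroyed;
    RefPtr<Node> parent(new Node);
    parent->mutationListener = [](Node* p, Node* c) { p->removeChild(c); };
    RefPtr<Node> node(new Node);      // refcount 1, held by this frame
    parent->appendChild(node.get());  // the listener removes it, but our ref keeps it alive
    return g_nodesDestroyed == before && node->children.empty();  // still safe to use
}
```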