[webkit-reviews] review denied: [Bug 45565] URIs in styles created via innerHTML are not resolved against the document's base URI : [Attachment 67241] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 10 14:40:38 PDT 2010


Adam Barth <abarth at webkit.org> has denied Mihai Parparita
<mihaip at chromium.org>'s request for review:
Bug 45565: URIs in styles created via innerHTML are not resolved against the
document's base URI
https://bugs.webkit.org/show_bug.cgi?id=45565

Attachment 67241: Patch
https://bugs.webkit.org/attachment.cgi?id=67241&action=review

------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context:
https://bugs.webkit.org/attachment.cgi?id=67241&action=prettypatch

> WebCore/html/parser/HTMLTreeBuilder.cpp:405
> -    : m_dummyDocumentForFragmentParsing(HTMLDocument::create(0, KURL()))
> +    : m_dummyDocumentForFragmentParsing(HTMLDocument::create(0,
fragment->document()->baseURI()))
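Review bot: In the initializer at HTMLTreeBuilder.cpp:405, fragment->document()->baseURI() is passed in the argument slot that previously held an empty KURL(), so it becomes the dummy document's own URL rather than only the base used to resolve relative URIs. A base URI is chosen by page content, so it should not end up as a document URL. Suggest keeping KURL() in the HTMLDocument::create call and applying the base URI to m_dummyDocumentForFragmentParsing in the constructor body. The initializer also dereferences fragment and fragment->document() without a visible check; if either can be null at this point, an assertion would document the assumption.
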
You don't want to set the URL of the dummy document to the baseURL.  That's a
potential security vulnerability (since the base URL can be anything the
document wants).  It's probably harmless right now, but it's pretty dangerous. 
Instead, we want to set the baseURL of the m_dummyDocumentForFragmentParsing after
we construct it.

