[Webkit-unassigned] [Bug 14319] Move the Selection object out of the JS bindings
bugzilla-daemon at webkit.org
Fri Jun 22 16:25:04 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=14319
------- Comment #2 from ggaren at apple.com 2007-06-22 16:25 PDT -------
Assuming disconnectFrame() gets called somewhere, DOMSelection needs to NULL
check m_frame in each of its member functions.
+void DOMSelection::disconnectFrame()
I don't see any callers to this function. That means that, once the frame is
destroyed, referencing its DOMSelection will read/write freed memory, right?
I believe this used to be called by Window::disconnectFrame(). Who should call
it now?
+ mutable RefPtr<DOMSelection> m_selection;
Should probably call this m_DOMSelection to distinguish it from
WebCore::Selection.
There seems to be a cross-frame security problem here. Once I have a window's
DOMSelection object, I can read the current selection in the window even if a
new document from a new domain is loaded. I can't tell if your patch introduced
this bug or not, but it's pretty serious.
r- for everything but the rename.
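A small C++ model of the two defenses the comment above asks for: null-checking m_frame in every member function after disconnectFrame(), and refusing to expose the selection once the frame holds a document from a different origin than the one the wrapper was created for. This is an added example written for this page, not WebKit's DOMSelection, Frame or Document code; the Frame and Document structs, the origin field, navigate() and the three scenario functions are assumptions made for illustration.

```cpp
#include <memory>
#include <string>

// Simplified model written for this page; it is not WebKit's Frame/Document
// or DOMSelection code. Frame, Document and the origin field are assumptions.
struct Document {
    std::string origin;        // scheme+host of the loaded document
    std::string selectedText;  // what the user currently has selected
};

struct Frame {
    std::unique_ptr<Document> document;

    // Loading a new document replaces the old one (a navigation).
    void navigate(const std::string& origin) {
        document = std::make_unique<Document>();
        document->origin = origin;
    }
};

class DOMSelection {
public:
    explicit DOMSelection(Frame* frame)
        : m_frame(frame), m_origin(frame->document->origin) {}

    // Must be called when the frame is torn down; afterwards m_frame is
    // nullptr and no accessor may dereference it.
    void disconnectFrame() { m_frame = nullptr; }

    bool isConnected() const { return m_frame != nullptr; }

    // Every accessor null-checks m_frame first, so a wrapper that outlives
    // its frame returns an empty result instead of touching freed memory.
    // It also refuses to expose the selection once the frame has loaded a
    // document whose origin differs from the one the wrapper was created for.
    std::string toString() const {
        if (!m_frame || !m_frame->document)
            return "";
        if (m_frame->document->origin != m_origin)
            return "";
        return m_frame->document->selectedText;
    }

private:
    Frame* m_frame;        // raw back-pointer; not owned
    std::string m_origin;  // origin of the document at wrapper creation
};

// Scenario 1: normal use, same document, selection readable.
std::string sameDocumentSelection() {
    Frame frame;
    frame.navigate("https://a.example");
    frame.document->selectedText = "secret";
    DOMSelection sel(&frame);
    return sel.toString();  // "secret"
}

// Scenario 2: a script keeps the wrapper, then a cross-origin document loads.
std::string crossOriginSelection() {
    Frame frame;
    frame.navigate("https://a.example");
    DOMSelection sel(&frame);
    frame.navigate("https://b.example");
    frame.document->selectedText = "b's secret";
    return sel.toString();  // "" : origin changed, nothing is exposed
}

// Scenario 3: frame destroyed after disconnectFrame(); the wrapper is inert.
std::string disconnectedSelection() {
    auto frame = std::make_unique<Frame>();
    frame->navigate("https://a.example");
    frame->document->selectedText = "secret";
    DOMSelection sel(frame.get());
    sel.disconnectFrame();
    frame.reset();  // frees the Frame; sel must not dereference it
    return sel.toString();  // ""
}
```

The two checks are independent: the null check covers the lifetime problem (a wrapper outliving its frame), the origin comparison covers the cross-document leak (a wrapper outliving the document it was handed out for). A real fix also needs the call site for disconnectFrame(), which the comment notes is missing from the patch.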