[Webkit-unassigned] [Bug 119068] New: Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 24 17:00:28 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=119068

           Summary: Crash in
                    ReplaceSelectionCommand::removeRedundantStylesAndKeepS
                    tyleSpanInline
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: BlinkMergeCandidate
          Severity: Normal
          Priority: P2
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rniwa at webkit.org
                CC: darin at apple.com, enrica at apple.com


Consider merging https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744

This patch changes inserted HTML sanitize process to check whether tree is in tree or not, for avoiding null pointer reference.

This case is caused by  ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder()
when paragraph element contains prohibited paragraph child, e.g. address, article, ..., table, ..., specified in HTML Editing APIs specification.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list