Bug 489871 - CSS comments should not be allowed in presentation attribute values. r=dbaron a=roc
authorRobert Longson <longsonr@gmail.com>
Sun, 05 Dec 2010 20:37:39 +0000
changeset 58642 d239dedd96d35e93523ca452d001faf1ab46ece8
parent 58641 21649e5809fb229581bcfcf5df9cae71343d2fda
child 58643 f6dbfac1ab2205cae5d36edfd55f7abe83c263a4
push id17392
push userjwatt@jwatt.org
push dateSun, 05 Dec 2010 20:44:41 +0000
treeherdermozilla-central@f6dbfac1ab22 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdbaron, roc
bugs489871
milestone2.0b8pre
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 489871 - CSS comments should not be allowed in presentation attribute values. r=dbaron a=roc
layout/reftests/svg/cssComment-in-attribute-01-ref.svg
layout/reftests/svg/cssComment-in-attribute-01.svg
layout/reftests/svg/reftest.list
layout/style/nsCSSScanner.cpp
layout/style/nsCSSScanner.h
new file mode 100644
--- /dev/null
+++ b/layout/reftests/svg/cssComment-in-attribute-01-ref.svg
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <title>Reference that css comment in attribute is not allowed</title>
+  <rect width="100%" height="100%" fill="black"/>
+</svg>
new file mode 100644
--- /dev/null
+++ b/layout/reftests/svg/cssComment-in-attribute-01.svg
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <title>Testcase that css comment in attribute is not allowed</title>
+  <rect width="100%" height="100%" fill="/* blah */ red"/>
+</svg>
--- a/layout/reftests/svg/reftest.list
+++ b/layout/reftests/svg/reftest.list
@@ -15,16 +15,17 @@ include smil/reftest.list
 
 # Mozilla only tests (i.e. those containing XUL/XBL/etc.)
 include moz-only/reftest.list
 
 # svg-integration tests (using svg effects in e.g. HTML)
 include svg-integration/reftest.list
 
 == altGlyph-01.svg altGlyph-01-ref.svg
+== cssComment-in-attribute-01.svg cssComment-in-attribute-01-ref.svg
 == clip-01.svg pass.svg
 == clip-02a.svg clip-02-ref.svg
 == clip-02b.svg clip-02-ref.svg
 == clipPath-advanced-01.svg pass.svg
 == clipPath-and-shape-rendering-01.svg clipPath-and-shape-rendering-01-ref.svg
 == clipPath-basic-01.svg pass.svg
 == clipPath-basic-02.svg pass.svg
 == clipPath-basic-03.svg pass.svg
--- a/layout/style/nsCSSScanner.cpp
+++ b/layout/style/nsCSSScanner.cpp
@@ -258,19 +258,17 @@ nsCSSToken::AppendToString(nsString& aBu
       break;
   }
 }
 
 nsCSSScanner::nsCSSScanner()
   : mInputStream(nsnull)
   , mReadPointer(nsnull)
   , mLowLevelError(NS_OK)
-#ifdef MOZ_SVG
   , mSVGMode(PR_FALSE)
-#endif
 #ifdef CSS_REPORT_PARSE_ERRORS
   , mError(mErrorBuf, NS_ARRAY_LENGTH(mErrorBuf), 0)
 #endif
 {
   MOZ_COUNT_CTOR(nsCSSScanner);
   mPushback = mLocalPushback;
   mPushbackSize = NS_ARRAY_LENGTH(mLocalPushback);
   // No need to init the other members, since they represent state
@@ -778,17 +776,17 @@ nsCSSScanner::Next(nsCSSToken& aToken)
 
     // WS
     if (IsWhitespace(ch)) {
       aToken.mType = eCSSToken_WhiteSpace;
       aToken.mIdent.Assign(PRUnichar(ch));
       EatWhiteSpace();
       return PR_TRUE;
     }
-    if (ch == '/') {
+    if (ch == '/' && !IsSVGMode()) {
       PRInt32 nextChar = Peek();
       if (nextChar == '*') {
         (void) Read();
 #if 0
         // If we change our storage data structures such that comments are
         // stored (for Editor), we should reenable this code, condition it
         // on being in editor mode, and apply glazou's patch from bug
         // 60290.
@@ -1158,17 +1156,16 @@ nsCSSScanner::ParseNumber(PRInt32 c, nsC
       fracPart += DecimalDigitValue(c) / divisor;
       divisor *= 10;
       c = Read();
       // The IsDigit check will do the right thing even if Read() returns < 0
     } while (IsDigit(c));
   }
 
   PRBool gotE = PR_FALSE;
-#ifdef MOZ_SVG
   if (IsSVGMode() && (c == 'e' || c == 'E')) {
     PRInt32 nextChar = Peek();
     PRInt32 expSignChar = 0;
     if (nextChar == '-' || nextChar == '+') {
       expSignChar = Read();
       nextChar = Peek();
     }
     if (IsDigit(nextChar)) {
@@ -1185,17 +1182,16 @@ nsCSSScanner::ParseNumber(PRInt32 c, nsC
         // The IsDigit check will do the right thing even if Read() returns < 0
       } while (IsDigit(c));
     } else {
       if (expSignChar) {
         Pushback(expSignChar);
       }
     }
   }
-#endif
 
   nsCSSTokenType type = eCSSToken_Number;
 
   // Set mIntegerValid for all cases (except %, below) because we need
   // it for the "2n" in :nth-child(2n).
   aToken.mIntegerValid = PR_FALSE;
 
   // Time to reassemble our number.
--- a/layout/style/nsCSSScanner.h
+++ b/layout/style/nsCSSScanner.h
@@ -143,28 +143,26 @@ class nsCSSScanner {
   void Init(nsIUnicharInputStream* aInput, 
             const PRUnichar *aBuffer, PRUint32 aCount,
             nsIURI* aURI, PRUint32 aLineNumber);
   void Close();
 
   static PRBool InitGlobals();
   static void ReleaseGlobals();
 
-#ifdef  MOZ_SVG
   // Set whether or not we are processing SVG
   void SetSVGMode(PRBool aSVGMode) {
     NS_ASSERTION(aSVGMode == PR_TRUE || aSVGMode == PR_FALSE,
                  "bad PRBool value");
     mSVGMode = aSVGMode;
   }
   PRBool IsSVGMode() const {
     return mSVGMode;
   }
 
-#endif
 #ifdef CSS_REPORT_PARSE_ERRORS
   void AddToError(const nsSubstring& aErrorText);
   void OutputError();
   void ClearError();
 
   // aMessage must take no parameters
   void ReportUnexpected(const char* aMessage);
   void ReportUnexpectedParams(const char* aMessage,
@@ -233,20 +231,18 @@ protected:
   PRUint32 mCount;
   PRUnichar* mPushback;
   PRInt32 mPushbackCount;
   PRInt32 mPushbackSize;
   PRUnichar mLocalPushback[4];
   nsresult mLowLevelError;
 
   PRUint32 mLineNumber;
-#ifdef MOZ_SVG
   // True if we are in SVG mode; false in "normal" CSS
   PRPackedBool mSVGMode;
-#endif
 #ifdef CSS_REPORT_PARSE_ERRORS
   nsXPIDLCString mFileName;
   nsCOMPtr<nsIURI> mURI;  // Cached so we know to not refetch mFileName
   PRUint32 mErrorLineNumber, mColNumber, mErrorColNumber;
   nsFixedString mError;
   PRUnichar mErrorBuf[200];
 #endif
 };