Bug 414178 - Do not allow to inject a list outside of the active editing host; r=roc
authorEhsan Akhgari <ehsan@mozilla.com>
Tue, 13 Sep 2011 11:39:40 -0400
changeset 76912 ee7c98d1ec1badbd5202d78ef43c6a23cf65c8f8
parent 76911 ee3f64275f289fdf90d20f4e7d65a962ac322620
child 76913 c9013399fa39ce78f3a1fdbd1cb175770295cce4
push id21154
push usereakhgari@mozilla.com
push dateTue, 13 Sep 2011 19:43:58 +0000
treeherdermozilla-central@d86ee57cdbcc [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersroc
bugs414178
milestone9.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 414178 - Do not allow to inject a list outside of the active editing host; r=roc
editor/libeditor/html/crashtests/414178-1.html
editor/libeditor/html/crashtests/crashtests.list
editor/libeditor/html/nsHTMLEditRules.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/414178-1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/javascript">
+
+function boom()
+{
+  var table = document.createElement("table");
+  document.body.appendChild(table);
+  table.contentEditable = "true";
+  table.focus();
+  try {
+    // This will throw, since it's attempting to inject a list inside a table
+    document.execCommand("insertunorderedlist", false, null);
+  } catch (e) {}
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -1,12 +1,13 @@
 load 336081-1.xhtml
 load 382778-1.html
 load 407074-1.html
 load 407277-1.html
+load 414178-1.html
 load 418923-1.html
 asserts(0-16) load 420439.html # Bug 439258
 load 428489-1.html
 asserts(0-16) load 431086-1.xhtml # Bug 439258
 load 448329-1.html
 load 448329-2.html
 load 448329-3.html
 load 456727-1.html
--- a/editor/libeditor/html/nsHTMLEditRules.cpp
+++ b/editor/libeditor/html/nsHTMLEditRules.cpp
@@ -7330,16 +7330,23 @@ nsHTMLEditRules::SplitAsNeeded(const nsA
   nsresult res = NS_OK;
    
   // check that we have a place that can legally contain the tag
   while (!tagParent)
   {
     // sniffing up the parent tree until we find 
     // a legal place for the block
     if (!parent) break;
+    // Don't leave the active editing host
+    if (!mHTMLEditor->IsNodeInActiveEditor(parent)) {
+      nsCOMPtr<nsIContent> parentContent = do_QueryInterface(parent);
+      if (parentContent != mHTMLEditor->GetActiveEditingHost()) {
+        break;
+      }
+    }
     if (mHTMLEditor->CanContainTag(parent, *aTag))
     {
       tagParent = parent;
       break;
     }
     splitNode = parent;
     parent->GetParentNode(getter_AddRefs(temp));
     parent = temp;