Bug 414178 - Do not allow to inject a list outside of the active editing host; r=roc
authorEhsan Akhgari <ehsan@mozilla.com>
Tue, 13 Sep 2011 11:39:40 -0400
changeset 76912 ee7c98d1ec1badbd5202d78ef43c6a23cf65c8f8
parent 76911 ee3f64275f289fdf90d20f4e7d65a962ac322620
child 76913 c9013399fa39ce78f3a1fdbd1cb175770295cce4
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersroc
bugs414178
milestone9.0a1
Bug 414178 - Do not allow to inject a list outside of the active editing host; r=roc
editor/libeditor/html/crashtests/414178-1.html
editor/libeditor/html/crashtests/crashtests.list
editor/libeditor/html/nsHTMLEditRules.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/414178-1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/javascript">
+
+function boom()
+{
+  var table = document.createElement("table");
+  document.body.appendChild(table);
+  table.contentEditable = "true";
+  table.focus();
+  try {
+    // This will throw, since it's attempting to inject a list inside a table
+    document.execCommand("insertunorderedlist", false, null);
+  } catch (e) {}
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -1,12 +1,13 @@
 load 336081-1.xhtml
 load 382778-1.html
 load 407074-1.html
 load 407277-1.html
+load 414178-1.html
 load 418923-1.html
 asserts(0-16) load 420439.html # Bug 439258
 load 428489-1.html
 asserts(0-16) load 431086-1.xhtml # Bug 439258
 load 448329-1.html
 load 448329-2.html
 load 448329-3.html
 load 456727-1.html
--- a/editor/libeditor/html/nsHTMLEditRules.cpp
+++ b/editor/libeditor/html/nsHTMLEditRules.cpp
@@ -7330,16 +7330,23 @@ nsHTMLEditRules::SplitAsNeeded(const nsA
   nsresult res = NS_OK;
    
   // check that we have a place that can legally contain the tag
   while (!tagParent)
   {
     // sniffing up the parent tree until we find 
     // a legal place for the block
     if (!parent) break;
+    // Don't leave the active editing host
+    if (!mHTMLEditor->IsNodeInActiveEditor(parent)) {
+      nsCOMPtr<nsIContent> parentContent = do_QueryInterface(parent);
+      if (parentContent != mHTMLEditor->GetActiveEditingHost()) {
+        break;
+      }
+    }
     if (mHTMLEditor->CanContainTag(parent, *aTag))
     {
       tagParent = parent;
       break;
     }
     splitNode = parent;
     parent->GetParentNode(getter_AddRefs(temp));
     parent = temp;