Bug 604807 - Make nsISelectElement unscriptable to prevent crashes; r=bz a=blocking-beta9
authorMs2ger <ms2ger@gmail.com>
Fri, 17 Dec 2010 18:10:51 -0800
changeset 59455 a01537c0bf1987f12f67b6834b2f3b72241ca64c
parent 59454 cd6aa4d8c7bd264c5db2b5ddbbbba6d87c2f33cc
child 59456 be885fbb66c20f8da9e5edee801ead21d2695e24
push id1
push usershaver@mozilla.com
push dateTue, 04 Jan 2011 17:58:04 +0000
reviewersbz, blocking-beta9
bugs604807
milestone2.0b9pre
Bug 604807 - Make nsISelectElement unscriptable to prevent crashes; r=bz a=blocking-beta9
content/html/content/crashtests/604807.html
content/html/content/crashtests/crashtests.list
content/html/content/public/nsISelectElement.idl
content/html/content/test/test_bug546995.html
layout/reftests/bugs/557087-1.html
layout/reftests/bugs/557087-2.html
new file mode 100644
--- /dev/null
+++ b/content/html/content/crashtests/604807.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+try {
+  var selectElem = document.createElementNS("http://www.w3.org/1999/xhtml", "select");
+  selectElem.QueryInterface(Components.interfaces.nsISelectElement);
+  selectElem.getOptionIndex(null, 0, true);
+} catch (e) {
+}
+</script>
--- a/content/html/content/crashtests/crashtests.list
+++ b/content/html/content/crashtests/crashtests.list
@@ -15,13 +15,14 @@ load 504183-1.html
 load 515829-1.html
 load 515829-2.html
 load 570566-1.html
 load 571428-1.html
 load 580507-1.xhtml
 load 590387.html
 load 596785-1.html
 load 596785-2.html
+load 604807.html
 load 606430-1.html
 load 602117.html
 load 613027.html
 load 614279.html
 load 614988-1.html
--- a/content/html/content/public/nsISelectElement.idl
+++ b/content/html/content/public/nsISelectElement.idl
@@ -43,46 +43,46 @@ interface nsIDOMHTMLOptionElement;
 /** 
  * This interface is used to notify a SELECT when OPTION
  * elements are added and removed from its subtree.
  * Note that the nsIDOMHTMLSelectElement and nsIContent 
  * interfaces are the ones to use to access and enumerate
  * OPTIONs within a SELECT element.
  */
 
-[scriptable, uuid(aa73a61a-8ef2-402d-b86c-3a5c5f2a6027)]
+[noscript, uuid(aa73a61a-8ef2-402d-b86c-3a5c5f2a6027)]
 interface nsISelectElement : nsISupports
 {
 
   /**
    * To be called when stuff is added under a child of the select--but *before*
    * they are actually added.
    *
    * @param aOptions the content that was added (usually just an option, but
    *        could be an optgroup node with many child options)
    * @param aParent the parent the options were added to (could be an optgroup)
    * @param aContentIndex the index where the options are being added within the
    *        parent (if the parent is an optgroup, the index within the optgroup)
    */
-  [noscript] void willAddOptions(in nsIContent aOptions,
-                                 in nsIContent aParent,
-                                 in long aContentIndex,
-                                 in boolean aNotify);
+  void willAddOptions(in nsIContent aOptions,
+                      in nsIContent aParent,
+                      in long aContentIndex,
+                      in boolean aNotify);
 
   /**
    * To be called when stuff is removed under a child of the select--but
    * *before* they are actually removed.
    *
    * @param aParent the parent the option(s) are being removed from
    * @param aContentIndex the index of the option(s) within the parent (if the
    *        parent is an optgroup, the index within the optgroup)
    */
-  [noscript] void willRemoveOptions(in nsIContent aParent,
-                                    in long aContentIndex,
-                                    in boolean aNotify);
+  void willRemoveOptions(in nsIContent aParent,
+                         in long aContentIndex,
+                         in boolean aNotify);
 
   /**
    * Checks whether an option is disabled (even if it's part of an optgroup)
    *
    * @param aIndex the index of the option to check
    * @return whether the option is disabled
    */
   boolean isOptionDisabled(in long aIndex);