Diffstat (limited to 'Source/WebCore/html')
-rw-r--r--Source/WebCore/html/FormAssociatedElement.cpp5
-rw-r--r--Source/WebCore/html/HTMLCanvasElement.cpp2
-rw-r--r--Source/WebCore/html/HTMLFormElement.cpp46
-rw-r--r--Source/WebCore/html/HTMLFormElement.h16
-rw-r--r--Source/WebCore/html/HTMLImageElement.cpp6
-rw-r--r--Source/WebCore/html/HTMLMediaElement.cpp2
-rw-r--r--Source/WebCore/html/ImageInputType.cpp3
-rw-r--r--Source/WebCore/html/parser/HTMLSourceTracker.cpp3
-rw-r--r--Source/WebCore/html/parser/HTMLToken.h9
-rw-r--r--Source/WebCore/html/parser/HTMLTokenizer.h8
10 files changed, 67 insertions, 33 deletions
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp
index 759390435..bb90fd402 100644
--- a/Source/WebCore/html/FormAssociatedElement.cpp
+++ b/Source/WebCore/html/FormAssociatedElement.cpp
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll (knoll@kde.org)
* (C) 1999 Antti Koivisto (koivisto@kde.org)
* (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov (ap@nypop.com)
*
* This library is free software; you can redistribute it and/or
@@ -75,6 +75,9 @@ void FormAssociatedElement::insertedInto(ContainerNode& insertionPoint)
m_formSetByParser = nullptr;
}
+ if (m_form && element.rootElement() != m_form->rootElement())
+ setForm(nullptr);
+
if (!insertionPoint.inDocument())
return;
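Review bot: The new root-element check in insertedInto() has no comment saying which invariant it restores, and the equivalent block added to HTMLImageElement::insertedInto() later in this commit is likewise undocumented. From the visible lines it drops a form owner whose root differs from the element's root after insertion, so the element does not keep pointing at a form in another tree. I would state that above the condition, e.g. `// A form owner in a different tree is no longer valid after this insertion; drop it rather than keep a stale m_form.` The check appears deliberately placed before the `inDocument()` early return, and the comment should say so to stop it being moved below that return later. insertedInto() starts and ends outside this hunk.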
diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp
index 8ea5b0381..0e80f23e7 100644
--- a/Source/WebCore/html/HTMLCanvasElement.cpp
+++ b/Source/WebCore/html/HTMLCanvasElement.cpp
@@ -676,7 +676,7 @@ void HTMLCanvasElement::createImageBuffer() const
QWebPageClient* client = document().page()->chrome().platformPageClient();
// The WebKit2 Chrome does not have a pageclient.
QOpenGLContext* context = client ? client->openGLContextIfAvailable() : 0;
- setImageBuffer(ImageBuffer::createCompatibleBuffer(size(), 1.0f, ColorSpaceDeviceRGB, context));
+ setImageBuffer(ImageBuffer::createCompatibleBuffer(size(), ColorSpaceDeviceRGB, context));
} else
#endif
{
diff --git a/Source/WebCore/html/HTMLFormElement.cpp b/Source/WebCore/html/HTMLFormElement.cpp
index 686576d51..55f9391f0 100644
--- a/Source/WebCore/html/HTMLFormElement.cpp
+++ b/Source/WebCore/html/HTMLFormElement.cpp
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll (knoll@kde.org)
* (C) 1999 Antti Koivisto (koivisto@kde.org)
* (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2010, 2012-2016 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov (ap@nypop.com)
*
* This library is free software; you can redistribute it and/or
@@ -46,6 +46,7 @@
#include "Page.h"
#include "RenderTextControl.h"
#include "ScriptController.h"
+#include "SetForScope.h"
#include "Settings.h"
#include <limits>
#include <wtf/Ref.h>
@@ -56,13 +57,6 @@ using namespace HTMLNames;
HTMLFormElement::HTMLFormElement(const QualifiedName& tagName, Document& document)
: HTMLElement(tagName, document)
- , m_associatedElementsBeforeIndex(0)
- , m_associatedElementsAfterIndex(0)
- , m_wasUserSubmitted(false)
- , m_isSubmittingOrPreparingForSubmission(false)
- , m_shouldSubmit(false)
- , m_isInResetFunction(false)
- , m_wasDemoted(false)
#if ENABLE(REQUEST_AUTOCOMPLETE)
, m_requestAutocompletetimer(*this, &HTMLFormElement::requestAutocompleteTimerFired)
#endif
@@ -372,19 +366,30 @@ void HTMLFormElement::reset()
if (m_isInResetFunction || !frame)
return;
- m_isInResetFunction = true;
+ Ref<HTMLFormElement> protectedThis(*this);
- if (!dispatchEvent(Event::create(eventNames().resetEvent, true, true))) {
- m_isInResetFunction = false;
+ SetForScope<bool> isInResetFunctionRestorer(m_isInResetFunction, true);
+
+ if (!dispatchEvent(Event::create(eventNames().resetEvent, true, true)))
return;
- }
- for (auto& associatedElement : m_associatedElements) {
- if (is<HTMLFormControlElement>(*associatedElement))
- downcast<HTMLFormControlElement>(*associatedElement).reset();
- }
+ resetAssociatedFormControlElements();
+}
- m_isInResetFunction = false;
+void HTMLFormElement::resetAssociatedFormControlElements()
+{
+ // Event handling can cause associated elements to be added or deleted while iterating
+ // over this collection. Protect these elements until we are done notifying them of
+ // the reset operation.
+ Vector<Ref<HTMLFormControlElement>> associatedFormControlElements;
+ associatedFormControlElements.reserveInitialCapacity(m_associatedElements.size());
+ for (auto* element : m_associatedElements) {
+ if (is<HTMLFormControlElement>(element))
+ associatedFormControlElements.uncheckedAppend(*downcast<HTMLFormControlElement>(element));
+ }
+
+ for (auto& associatedFormControlElement : associatedFormControlElements)
+ associatedFormControlElement->reset();
}
#if ENABLE(IOS_AUTOCORRECT_AND_AUTOCAPITALIZE)
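Review bot: In reset(), `protectedThis` must stay declared before `isInResetFunctionRestorer`, because the restorer writes `m_isInResetFunction` back on scope exit and locals are destroyed in reverse order; nothing in the code records that dependency. A comment such as `// Declared before the SetForScope below so the form outlives the restorer's write to m_isInResetFunction.` would stop a later reordering from turning the scope exit into a write to a freed object when a handler drops the last reference. Separately, resetAssociatedFormControlElements() resets every control in its snapshot, even one that an earlier control's reset removed from this form. If that is not intended, the second loop could skip controls whose form owner is no longer this form.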
@@ -821,10 +826,9 @@ void HTMLFormElement::resumeFromDocumentSuspension()
{
ASSERT(!shouldAutocomplete());
- for (auto& associatedElement : m_associatedElements) {
- if (is<HTMLFormControlElement>(*associatedElement))
- downcast<HTMLFormControlElement>(*associatedElement).reset();
- }
+ Ref<HTMLFormElement> protectedThis(*this);
+
+ resetAssociatedFormControlElements();
}
void HTMLFormElement::didMoveToNewDocument(Document* oldDocument)
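Review bot: `protectedThis` in resumeFromDocumentSuspension() is unexplained, and nothing after the call in the visible lines touches the form again. If it is there because resetting the controls can run handlers that release the last reference to the form, say so: `// Resetting controls can run script that drops the last reference to this form.` It would also help to state on the declaration of resetAssociatedFormControlElements() in HTMLFormElement.h whether callers are expected to keep the form alive, since both callers in this commit do.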
diff --git a/Source/WebCore/html/HTMLFormElement.h b/Source/WebCore/html/HTMLFormElement.h
index 90198b613..b27576a5c 100644
--- a/Source/WebCore/html/HTMLFormElement.h
+++ b/Source/WebCore/html/HTMLFormElement.h
@@ -177,6 +177,8 @@ private:
virtual bool matchesValidPseudoClass() const override;
virtual bool matchesInvalidPseudoClass() const override;
+ void resetAssociatedFormControlElements();
+
typedef HashMap<RefPtr<AtomicStringImpl>, FormNamedItem*> PastNamesMap;
FormSubmission::Attributes m_attributes;
@@ -184,19 +186,19 @@ private:
CheckedRadioButtons m_checkedRadioButtons;
- unsigned m_associatedElementsBeforeIndex;
- unsigned m_associatedElementsAfterIndex;
+ unsigned m_associatedElementsBeforeIndex { 0 };
+ unsigned m_associatedElementsAfterIndex { 0 };
Vector<FormAssociatedElement*> m_associatedElements;
Vector<HTMLImageElement*> m_imageElements;
HashSet<const HTMLFormControlElement*> m_invalidAssociatedFormControls;
- bool m_wasUserSubmitted;
- bool m_isSubmittingOrPreparingForSubmission;
- bool m_shouldSubmit;
+ bool m_wasUserSubmitted { false };
+ bool m_isSubmittingOrPreparingForSubmission { false };
+ bool m_shouldSubmit { false };
- bool m_isInResetFunction;
+ bool m_isInResetFunction { false };
- bool m_wasDemoted;
+ bool m_wasDemoted { false };
#if ENABLE(REQUEST_AUTOCOMPLETE)
void requestAutocompleteTimerFired();
diff --git a/Source/WebCore/html/HTMLImageElement.cpp b/Source/WebCore/html/HTMLImageElement.cpp
index 488c4e6af..67675c595 100644
--- a/Source/WebCore/html/HTMLImageElement.cpp
+++ b/Source/WebCore/html/HTMLImageElement.cpp
@@ -38,6 +38,7 @@
#include "MIMETypeRegistry.h"
#include "MediaList.h"
#include "MediaQueryEvaluator.h"
+#include "NodeTraversal.h"
#include "Page.h"
#include "RenderImage.h"
#include "Settings.h"
@@ -303,6 +304,11 @@ Node::InsertionNotificationRequest HTMLImageElement::insertedInto(ContainerNode&
m_form->registerImgElement(this);
}
+ if (m_form && rootElement() != m_form->rootElement()) {
+ m_form->removeImgElement(this);
+ m_form = nullptr;
+ }
+
if (!m_form) {
m_form = HTMLFormElement::findClosestFormAncestor(*this);
if (m_form)
diff --git a/Source/WebCore/html/HTMLMediaElement.cpp b/Source/WebCore/html/HTMLMediaElement.cpp
index 3d3f8ab76..3d15dfa9e 100644
--- a/Source/WebCore/html/HTMLMediaElement.cpp
+++ b/Source/WebCore/html/HTMLMediaElement.cpp
@@ -3608,6 +3608,7 @@ void HTMLMediaElement::removeAudioTrack(AudioTrack* track)
return;
m_audioTracks->remove(track);
+ track->clearClient();
}
void HTMLMediaElement::removeTextTrack(TextTrack* track, bool scheduleEvent)
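Review bot: `track->clearClient()` runs after `m_audioTracks->remove(track)` on a raw `AudioTrack*`, so if the list held the last reference the new line would operate on a destroyed track; the same ordering is added to removeVideoTrack() in the next hunk. Ownership of the track is not visible here, so callers may already guarantee it, but holding a reference across both calls makes the guarantee local: `RefPtr<AudioTrack> protectedTrack(track);` before the remove (and `RefPtr<VideoTrack>` in the video variant). removeTextTrack(), which sits between the two, is left unchanged; it is worth confirming that text tracks do not need the same client reset. Both function bodies start outside their hunks.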
@@ -3631,6 +3632,7 @@ void HTMLMediaElement::removeVideoTrack(VideoTrack* track)
return;
m_videoTracks->remove(track);
+ track->clearClient();
}
void HTMLMediaElement::forgetResourceSpecificTracks()
diff --git a/Source/WebCore/html/ImageInputType.cpp b/Source/WebCore/html/ImageInputType.cpp
index beb105dab..8b1a7e099 100644
--- a/Source/WebCore/html/ImageInputType.cpp
+++ b/Source/WebCore/html/ImageInputType.cpp
@@ -109,6 +109,9 @@ RenderPtr<RenderElement> ImageInputType::createInputRenderer(Ref<RenderStyle>&&
void ImageInputType::altAttributeChanged()
{
+ if (!is<RenderImage>(element().renderer()))
+ return;
+
auto* renderer = downcast<RenderImage>(element().renderer());
if (!renderer)
return;
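Review bot: The added guard calls `element().renderer()` and the next line calls it again for the downcast, so the type check and the cast are not visibly tied to the same pointer. The existing `if (!renderer) return;` below also appears to become unreachable if `is<RenderImage>()` already rejects a null pointer, as its use on raw pointers elsewhere in this commit suggests. Fetching once reads better: `auto* renderer = element().renderer();` then `if (!is<RenderImage>(renderer)) return;`, and downcast that same pointer. A one-line comment saying the renderer may not be a RenderImage here (presumably the reason for the guard) would explain why the check precedes the cast. The function continues past the end of the hunk.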
diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.cpp b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
index 0c9a04632..783047b7b 100644
--- a/Source/WebCore/html/parser/HTMLSourceTracker.cpp
+++ b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
@@ -49,6 +49,7 @@ void HTMLSourceTracker::startToken(SegmentedString& currentInput, HTMLTokenizer&
m_currentSource = currentInput;
m_tokenStart = m_currentSource.numberOfCharactersConsumed() - m_previousSource.length();
+ tokenizer.setTokenAttributeBaseOffset(m_tokenStart);
}
void HTMLSourceTracker::endToken(SegmentedString& currentInput, HTMLTokenizer& tokenizer)
@@ -92,7 +93,7 @@ String HTMLSourceTracker::source(const HTMLToken& token)
String HTMLSourceTracker::source(const HTMLToken& token, unsigned attributeStart, unsigned attributeEnd)
{
- return source(token).substring(attributeStart - m_tokenStart, attributeEnd - attributeStart);
+ return source(token).substring(attributeStart, attributeEnd - attributeStart);
}
}
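Review bot: The three-argument source() now treats `attributeStart` and `attributeEnd` as offsets relative to the token's start rather than to the input, but nothing on the function says so, and a caller still passing absolute offsets would silently get the wrong substring. I would document the contract above the function, e.g. `// attributeStart/attributeEnd are relative to the start of the token (see startToken()).` Since the length is an unsigned subtraction, `ASSERT(attributeStart <= attributeEnd);` before the return would catch an inverted range in debug builds.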
diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
index ee87edc6c..0ec9359bd 100644
--- a/Source/WebCore/html/parser/HTMLToken.h
+++ b/Source/WebCore/html/parser/HTMLToken.h
@@ -112,6 +112,9 @@ public:
void setSelfClosing();
+ // Used by HTMLTokenizer on behalf of HTMLSourceTracker.
+ void setAttributeBaseOffset(unsigned attributeBaseOffset) { m_attributeBaseOffset = attributeBaseOffset; }
+
public:
// Used by the XSSAuditor to nuke XSS-laden attributes.
void eraseValueOfAttribute(unsigned index);
@@ -151,6 +154,8 @@ private:
// For DOCTYPE
std::unique_ptr<DoctypeData> m_doctypeData;
+
+ unsigned m_attributeBaseOffset { 0 }; // Changes across document.write() boundaries.
};
const HTMLToken::Attribute* findAttribute(const Vector<HTMLToken::Attribute>&, StringView name);
@@ -313,14 +318,14 @@ inline void HTMLToken::beginAttribute(unsigned offset)
m_attributes.grow(m_attributes.size() + 1);
m_currentAttribute = &m_attributes.last();
- m_currentAttribute->startOffset = offset;
+ m_currentAttribute->startOffset = offset - m_attributeBaseOffset;
}
inline void HTMLToken::endAttribute(unsigned offset)
{
ASSERT(offset);
ASSERT(m_currentAttribute);
- m_currentAttribute->endOffset = offset;
+ m_currentAttribute->endOffset = offset - m_attributeBaseOffset;
#if !ASSERT_DISABLED
m_currentAttribute = nullptr;
#endif
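Review bot: `offset - m_attributeBaseOffset` in beginAttribute() and endAttribute() is an unsigned subtraction with no check that the base does not exceed the offset, so a stale or mis-set base would wrap to a huge start or end offset. The stored offsets are later used to slice the token source (HTMLSourceTracker::source in this commit), so I would assert the relation where it is computed: `ASSERT(offset >= m_attributeBaseOffset);` in both functions. beginAttribute() starts outside the hunk.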
diff --git a/Source/WebCore/html/parser/HTMLTokenizer.h b/Source/WebCore/html/parser/HTMLTokenizer.h
index fed21188d..bbf5cdb9b 100644
--- a/Source/WebCore/html/parser/HTMLTokenizer.h
+++ b/Source/WebCore/html/parser/HTMLTokenizer.h
@@ -43,6 +43,9 @@ public:
class TokenPtr;
TokenPtr nextToken(SegmentedString&);
+ // Used by HTMLSourceTracker.
+ void setTokenAttributeBaseOffset(unsigned);
+
// Returns a copy of any characters buffered internally by the tokenizer.
// The tokenizer buffers characters when searching for the </script> token that terminates a script element.
String bufferedCharacters() const;
@@ -282,6 +285,11 @@ inline HTMLTokenizer::TokenPtr HTMLTokenizer::nextToken(SegmentedString& source)
return TokenPtr(processToken(source) ? &m_token : nullptr);
}
+inline void HTMLTokenizer::setTokenAttributeBaseOffset(unsigned offset)
+{
+ m_token.setAttributeBaseOffset(offset);
+}
+
inline size_t HTMLTokenizer::numberOfBufferedCharacters() const
{
// Notice that we add 2 to the length of the m_temporaryBuffer to