Diffstat (limited to 'Source/WebCore/html')
-rw-r--r-- | Source/WebCore/html/FormAssociatedElement.cpp | 5 | ||||
-rw-r--r-- | Source/WebCore/html/HTMLCanvasElement.cpp | 2 | ||||
-rw-r--r-- | Source/WebCore/html/HTMLFormElement.cpp | 46 | ||||
-rw-r--r-- | Source/WebCore/html/HTMLFormElement.h | 16 | ||||
-rw-r--r-- | Source/WebCore/html/HTMLImageElement.cpp | 6 | ||||
-rw-r--r-- | Source/WebCore/html/HTMLMediaElement.cpp | 2 | ||||
-rw-r--r-- | Source/WebCore/html/ImageInputType.cpp | 3 | ||||
-rw-r--r-- | Source/WebCore/html/parser/HTMLSourceTracker.cpp | 3 | ||||
-rw-r--r-- | Source/WebCore/html/parser/HTMLToken.h | 9 | ||||
-rw-r--r-- | Source/WebCore/html/parser/HTMLTokenizer.h | 8 |
10 files changed, 67 insertions, 33 deletions
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp index 759390435..bb90fd402 100644 --- a/Source/WebCore/html/FormAssociatedElement.cpp +++ b/Source/WebCore/html/FormAssociatedElement.cpp @@ -2,7 +2,7 @@ * Copyright (C) 1999 Lars Knoll (knoll@kde.org) * (C) 1999 Antti Koivisto (koivisto@kde.org) * (C) 2001 Dirk Mueller (mueller@kde.org) - * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved. + * Copyright (C) 2004-2016 Apple Inc. All rights reserved. * (C) 2006 Alexey Proskuryakov (ap@nypop.com) * * This library is free software; you can redistribute it and/or @@ -75,6 +75,9 @@ void FormAssociatedElement::insertedInto(ContainerNode& insertionPoint) m_formSetByParser = nullptr; } + if (m_form && element.rootElement() != m_form->rootElement()) + setForm(nullptr); + if (!insertionPoint.inDocument()) return; diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp index 8ea5b0381..0e80f23e7 100644 --- a/Source/WebCore/html/HTMLCanvasElement.cpp +++ b/Source/WebCore/html/HTMLCanvasElement.cpp @@ -676,7 +676,7 @@ void HTMLCanvasElement::createImageBuffer() const QWebPageClient* client = document().page()->chrome().platformPageClient(); // The WebKit2 Chrome does not have a pageclient. QOpenGLContext* context = client ? client->openGLContextIfAvailable() : 0; - setImageBuffer(ImageBuffer::createCompatibleBuffer(size(), 1.0f, ColorSpaceDeviceRGB, context)); + setImageBuffer(ImageBuffer::createCompatibleBuffer(size(), ColorSpaceDeviceRGB, context)); } else #endif { diff --git a/Source/WebCore/html/HTMLFormElement.cpp b/Source/WebCore/html/HTMLFormElement.cpp index 686576d51..55f9391f0 100644 --- a/Source/WebCore/html/HTMLFormElement.cpp +++ b/Source/WebCore/html/HTMLFormElement.cpp 
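Review bot: The new root check in `FormAssociatedElement::insertedInto` (`if (m_form && element.rootElement() != m_form->rootElement()) setForm(nullptr);`) carries no comment saying which invariant it enforces, and the same test is repeated in hand-unrolled form in `HTMLImageElement::insertedInto` later in this commit (`m_form->removeImgElement(this); m_form = nullptr;`). The HTMLFormElement.h context in this commit shows the form tracking its controls and images through raw pointers (`Vector<FormAssociatedElement*>`, `Vector<HTMLImageElement*>`), so a stale association after a move to another tree is presumably a lifetime hazard and not only a correctness one. I would add above both checks something like `// An element must not stay registered with a form in a different tree; the form only holds a raw pointer to it.` `element` is declared outside the hunk and the function body continues past it.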
@@ -2,7 +2,7 @@ * Copyright (C) 1999 Lars Knoll (knoll@kde.org) * (C) 1999 Antti Koivisto (koivisto@kde.org) * (C) 2001 Dirk Mueller (mueller@kde.org) - * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. + * Copyright (C) 2004-2010, 2012-2016 Apple Inc. All rights reserved. * (C) 2006 Alexey Proskuryakov (ap@nypop.com) * * This library is free software; you can redistribute it and/or @@ -46,6 +46,7 @@ #include "Page.h" #include "RenderTextControl.h" #include "ScriptController.h" +#include "SetForScope.h" #include "Settings.h" #include <limits> #include <wtf/Ref.h> @@ -56,13 +57,6 @@ using namespace HTMLNames; HTMLFormElement::HTMLFormElement(const QualifiedName& tagName, Document& document) : HTMLElement(tagName, document) - , m_associatedElementsBeforeIndex(0) - , m_associatedElementsAfterIndex(0) - , m_wasUserSubmitted(false) - , m_isSubmittingOrPreparingForSubmission(false) - , m_shouldSubmit(false) - , m_isInResetFunction(false) - , m_wasDemoted(false) #if ENABLE(REQUEST_AUTOCOMPLETE) , m_requestAutocompletetimer(*this, &HTMLFormElement::requestAutocompleteTimerFired) #endif 
@@ -372,19 +366,30 @@ void HTMLFormElement::reset() if (m_isInResetFunction || !frame) return; - m_isInResetFunction = true; + Ref<HTMLFormElement> protectedThis(*this); - if (!dispatchEvent(Event::create(eventNames().resetEvent, true, true))) { - m_isInResetFunction = false; + SetForScope<bool> isInResetFunctionRestorer(m_isInResetFunction, true); + + if (!dispatchEvent(Event::create(eventNames().resetEvent, true, true))) return; - } - for (auto& associatedElement : m_associatedElements) { - if (is<HTMLFormControlElement>(*associatedElement)) - downcast<HTMLFormControlElement>(*associatedElement).reset(); - } + resetAssociatedFormControlElements(); +} - m_isInResetFunction = false; +void HTMLFormElement::resetAssociatedFormControlElements() +{ + // Event handling can cause associated elements to be added or deleted while iterating + // over this collection. Protect these elements until we are done notifying them of + // the reset operation. + Vector<Ref<HTMLFormControlElement>> associatedFormControlElements; + associatedFormControlElements.reserveInitialCapacity(m_associatedElements.size()); + for (auto* element : m_associatedElements) { + if (is<HTMLFormControlElement>(element)) + associatedFormControlElements.uncheckedAppend(*downcast<HTMLFormControlElement>(element)); + } + + for (auto& associatedFormControlElement : associatedFormControlElements) + associatedFormControlElement->reset(); } #if ENABLE(IOS_AUTOCORRECT_AND_AUTOCAPITALIZE) @@ -821,10 +826,9 @@ void HTMLFormElement::resumeFromDocumentSuspension() { ASSERT(!shouldAutocomplete()); - for (auto& associatedElement : m_associatedElements) { - if (is<HTMLFormControlElement>(*associatedElement)) - downcast<HTMLFormControlElement>(*associatedElement).reset(); - } + Ref<HTMLFormElement> protectedThis(*this); + + resetAssociatedFormControlElements(); } void HTMLFormElement::didMoveToNewDocument(Document* oldDocument) 
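Review bot: In `HTMLFormElement::reset()` the declaration order of `protectedThis` and `isInResetFunctionRestorer` is load-bearing but undocumented: the restorer's destructor writes `m_isInResetFunction` back, so the `Ref` keeping the form alive has to be destroyed after it, which only holds because it is declared first. A later reorder, or moving `protectedThis` below the `dispatchEvent` call, would bring back a write to a freed object if a reset handler drops the last reference (inferred; the handlers are not visible here). I would add `// Declared before the SetForScope so the form outlives the flag restore on every return path.` above `Ref<HTMLFormElement> protectedThis(*this);`. The `protectedThis` added in `resumeFromDocumentSuspension()` has no such ordering dependency in the visible lines.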
diff --git a/Source/WebCore/html/HTMLFormElement.h b/Source/WebCore/html/HTMLFormElement.h index 90198b613..b27576a5c 100644 --- a/Source/WebCore/html/HTMLFormElement.h +++ b/Source/WebCore/html/HTMLFormElement.h @@ -177,6 +177,8 @@ private: virtual bool matchesValidPseudoClass() const override; virtual bool matchesInvalidPseudoClass() const override; + void resetAssociatedFormControlElements(); + typedef HashMap<RefPtr<AtomicStringImpl>, FormNamedItem*> PastNamesMap; FormSubmission::Attributes m_attributes; @@ -184,19 +186,19 @@ private: CheckedRadioButtons m_checkedRadioButtons; - unsigned m_associatedElementsBeforeIndex; - unsigned m_associatedElementsAfterIndex; + unsigned m_associatedElementsBeforeIndex { 0 }; + unsigned m_associatedElementsAfterIndex { 0 }; Vector<FormAssociatedElement*> m_associatedElements; Vector<HTMLImageElement*> m_imageElements; HashSet<const HTMLFormControlElement*> m_invalidAssociatedFormControls; - bool m_wasUserSubmitted; - bool m_isSubmittingOrPreparingForSubmission; - bool m_shouldSubmit; + bool m_wasUserSubmitted { false }; + bool m_isSubmittingOrPreparingForSubmission { false }; + bool m_shouldSubmit { false }; - bool m_isInResetFunction; + bool m_isInResetFunction { false }; - bool m_wasDemoted; + bool m_wasDemoted { false }; #if ENABLE(REQUEST_AUTOCOMPLETE) void requestAutocompleteTimerFired(); diff --git a/Source/WebCore/html/HTMLImageElement.cpp b/Source/WebCore/html/HTMLImageElement.cpp index 488c4e6af..67675c595 100644 --- a/Source/WebCore/html/HTMLImageElement.cpp +++ b/Source/WebCore/html/HTMLImageElement.cpp @@ -38,6 +38,7 @@ #include "MIMETypeRegistry.h" #include "MediaList.h" #include "MediaQueryEvaluator.h" +#include "NodeTraversal.h" #include "Page.h" #include "RenderImage.h" #include "Settings.h" 
@@ -303,6 +304,11 @@ Node::InsertionNotificationRequest HTMLImageElement::insertedInto(ContainerNode& m_form->registerImgElement(this); } + if (m_form && rootElement() != m_form->rootElement()) { + m_form->removeImgElement(this); + m_form = nullptr; + } + if (!m_form) { m_form = HTMLFormElement::findClosestFormAncestor(*this); if (m_form) diff --git a/Source/WebCore/html/HTMLMediaElement.cpp b/Source/WebCore/html/HTMLMediaElement.cpp index 3d3f8ab76..3d15dfa9e 100644 --- a/Source/WebCore/html/HTMLMediaElement.cpp +++ b/Source/WebCore/html/HTMLMediaElement.cpp @@ -3608,6 +3608,7 @@ void HTMLMediaElement::removeAudioTrack(AudioTrack* track) return; m_audioTracks->remove(track); + track->clearClient(); } void HTMLMediaElement::removeTextTrack(TextTrack* track, bool scheduleEvent) @@ -3631,6 +3632,7 @@ void HTMLMediaElement::removeVideoTrack(VideoTrack* track) return; m_videoTracks->remove(track); + track->clearClient(); } void HTMLMediaElement::forgetResourceSpecificTracks() diff --git a/Source/WebCore/html/ImageInputType.cpp b/Source/WebCore/html/ImageInputType.cpp index beb105dab..8b1a7e099 100644 --- a/Source/WebCore/html/ImageInputType.cpp +++ b/Source/WebCore/html/ImageInputType.cpp @@ -109,6 +109,9 @@ RenderPtr<RenderElement> ImageInputType::createInputRenderer(Ref<RenderStyle>&& void ImageInputType::altAttributeChanged() { + if (!is<RenderImage>(element().renderer())) + return; + auto* renderer = downcast<RenderImage>(element().renderer()); if (!renderer) return; diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.cpp b/Source/WebCore/html/parser/HTMLSourceTracker.cpp index 0c9a04632..783047b7b 100644 --- a/Source/WebCore/html/parser/HTMLSourceTracker.cpp +++ b/Source/WebCore/html/parser/HTMLSourceTracker.cpp 
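Review bot: `track->clearClient()` in `removeAudioTrack` runs after `m_audioTracks->remove(track)` on a raw `AudioTrack*`, so it is only safe if something other than the track list still holds a reference at that point; the same pattern is added in `removeVideoTrack`. Nothing in either hunk shows who keeps the track alive across `remove()`, so I would either take a local reference first, `Ref<AudioTrack> protectedTrack(*track);`, or state the assumption in a comment such as `// The caller keeps |track| alive; remove() may drop the list's reference.` Both function bodies start outside their hunks.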
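Review bot: `ImageInputType::altAttributeChanged` now evaluates `element().renderer()` twice and keeps the old `if (!renderer) return;` after the `downcast`, where it can no longer fire once the `is<RenderImage>` guard has passed. Fetching the renderer once makes the null case and the wrong-type case explicit: `auto* renderer = element().renderer();` followed by `if (!renderer || !is<RenderImage>(*renderer)) return;`, with `downcast<RenderImage>(*renderer)` at the use site. That also avoids relying on how the pointer overload of `is<>` treats a null argument, which this hunk does not show. The rest of the function is outside the hunk.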
@@ -49,6 +49,7 @@ void HTMLSourceTracker::startToken(SegmentedString& currentInput, HTMLTokenizer& m_currentSource = currentInput; m_tokenStart = m_currentSource.numberOfCharactersConsumed() - m_previousSource.length(); + tokenizer.setTokenAttributeBaseOffset(m_tokenStart); } void HTMLSourceTracker::endToken(SegmentedString& currentInput, HTMLTokenizer& tokenizer) @@ -92,7 +93,7 @@ String HTMLSourceTracker::source(const HTMLToken& token) String HTMLSourceTracker::source(const HTMLToken& token, unsigned attributeStart, unsigned attributeEnd) { - return source(token).substring(attributeStart - m_tokenStart, attributeEnd - attributeStart); + return source(token).substring(attributeStart, attributeEnd - attributeStart); } } diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h index ee87edc6c..0ec9359bd 100644 --- a/Source/WebCore/html/parser/HTMLToken.h +++ b/Source/WebCore/html/parser/HTMLToken.h @@ -112,6 +112,9 @@ public: void setSelfClosing(); + // Used by HTMLTokenizer on behalf of HTMLSourceTracker. + void setAttributeBaseOffset(unsigned attributeBaseOffset) { m_attributeBaseOffset = attributeBaseOffset; } + public: // Used by the XSSAuditor to nuke XSS-laden attributes. void eraseValueOfAttribute(unsigned index); @@ -151,6 +154,8 @@ private: // For DOCTYPE std::unique_ptr<DoctypeData> m_doctypeData; + + unsigned m_attributeBaseOffset { 0 }; // Changes across document.write() boundaries. }; const HTMLToken::Attribute* findAttribute(const Vector<HTMLToken::Attribute>&, StringView name); 
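Review bot: `HTMLSourceTracker::source(token, attributeStart, attributeEnd)` silently changes the meaning of its two offsets from absolute stream positions to positions relative to the token start, because the `- m_tokenStart` is gone and the subtraction now happens when HTMLToken records the attribute. A caller that still passes absolute offsets would get the wrong slice with no compile-time signal, so I would document the contract on the function, e.g. `// attributeStart/attributeEnd are relative to the start of |token|, as stored by HTMLToken::beginAttribute()/endAttribute().` An `ASSERT(attributeStart <= attributeEnd);` before the `substring` call would also catch a mixed-up pair in debug builds.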
@@ -313,14 +318,14 @@ inline void HTMLToken::beginAttribute(unsigned offset) m_attributes.grow(m_attributes.size() + 1); m_currentAttribute = &m_attributes.last(); - m_currentAttribute->startOffset = offset; + m_currentAttribute->startOffset = offset - m_attributeBaseOffset; } inline void HTMLToken::endAttribute(unsigned offset) { ASSERT(offset); ASSERT(m_currentAttribute); - m_currentAttribute->endOffset = offset; + m_currentAttribute->endOffset = offset - m_attributeBaseOffset; #if !ASSERT_DISABLED m_currentAttribute = nullptr; #endif diff --git a/Source/WebCore/html/parser/HTMLTokenizer.h b/Source/WebCore/html/parser/HTMLTokenizer.h index fed21188d..bbf5cdb9b 100644 --- a/Source/WebCore/html/parser/HTMLTokenizer.h +++ b/Source/WebCore/html/parser/HTMLTokenizer.h @@ -43,6 +43,9 @@ public: class TokenPtr; TokenPtr nextToken(SegmentedString&); + // Used by HTMLSourceTracker. + void setTokenAttributeBaseOffset(unsigned); + // Returns a copy of any characters buffered internally by the tokenizer. // The tokenizer buffers characters when searching for the </script> token that terminates a script element. String bufferedCharacters() const; @@ -282,6 +285,11 @@ inline HTMLTokenizer::TokenPtr HTMLTokenizer::nextToken(SegmentedString& source) return TokenPtr(processToken(source) ? &m_token : nullptr); } +inline void HTMLTokenizer::setTokenAttributeBaseOffset(unsigned offset) +{ + m_token.setAttributeBaseOffset(offset); +} + inline size_t HTMLTokenizer::numberOfBufferedCharacters() const { // Notice that we add 2 to the length of the m_temporaryBuffer to |
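Review bot: `offset - m_attributeBaseOffset` in `beginAttribute` and `endAttribute` is an unsigned subtraction with nothing checking that the base does not exceed the offset, so a base left over from a different input segment would wrap to a very large start or end offset instead of failing visibly. The only precondition visible in the hunk is `ASSERT(offset)` in `endAttribute`; I would add `ASSERT(offset >= m_attributeBaseOffset);` to both functions before the subtraction. Whether the base can actually exceed the offset depends on how `startToken` and the tokenizer interleave across `document.write()` boundaries, which is outside this hunk.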