author | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-09 08:01:30 (GMT) |
---|---|---|
committer | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-09 08:01:30 (GMT) |
commit | 5c50c6a782b127442c3fa748b3dd4d1007db69dc (patch) | |
tree | e0f8c328a21d6197940f864104578de4ce2ceb10 /src/3rdparty/webkit/WebCore | |
parent | 75c5bc5f7efd5f7055b689a244147e69733280a4 (diff) | |
Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2
Integrated changes:
|| <https://webkit.org/b/37760> || FrameView's layout root can be detached by style recalc ||
|| <https://webkit.org/b/38922> || innerHTML decompilation issues in textarea ||
|| <https://webkit.org/b/36878> || REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" ||
|| <https://webkit.org/b/37781> || [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR ||
|| <https://webkit.org/b/36502> || Cross-origin bypass: iFrame.src can be set to a JavaScript URL via nodeValue or textContent ||
|| <https://webkit.org/b/28697> || WebKit crash on WebCore::Node::nodeIndex() ||
|| <https://webkit.org/b/37031> || Cross-origin bypass: Javascript URL can be set as iframe.src via multiple DOM aliases ||
|| <https://webkit.org/b/36522> || [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled ||
|| <https://webkit.org/b/38583> || Use of stale pointers whilst normalizing DOM nodes with mutation event handlers that modify element attributes ||
|| <https://webkit.org/b/41412> || [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear ||
|| <https://webkit.org/b/39878> || [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part. ||
|| <https://webkit.org/b/26824> || focus() behavior permits keystrokes to be redirected across domains ||
|| <https://webkit.org/b/39508> || Crash in WebCore::toAlphabetic() while running MangleMe ||
|| <https://webkit.org/b/36571> || WebKit should treat port numbers outside of the valid range as being blacklisted ||
|| <https://webkit.org/b/38497> || Make sure that http URLs always have a host in SecurityOrigin ||
|| <https://webkit.org/b/38626> || ZDI-CAN-765: CSS Charset Text Transformation Vulnerability ||
|| <https://webkit.org/b/36838> || Cross-origin image theft via SVGs as a canvas pattern ||
|| <https://webkit.org/b/27751> || [sg:high] Copying text to the system clipboard can be done in any context ||
|| <https://webkit.org/b/36843> || REGRESSION (r47291): XHR allows arbitrary XSRF across domains ||
|| <https://webkit.org/b/37230> || REGRESSION (4.0.5): Safari asks for credentials all the time when authenticating to Windows IIS Server ||
|| <https://webkit.org/b/37618> || Memory Corruption with Drag-Drop item from a purged document. ||
|| <https://webkit.org/b/38260> || Frame.src allows javascript URLs with starting spaces ||
|| <https://webkit.org/b/38261> || Table layout crash bug ||
Diffstat (limited to 'src/3rdparty/webkit/WebCore')
54 files changed, 911 insertions, 155 deletions
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index a4ae758..a993a97 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,505 @@ +2010-05-14 Abhishek Arya <inferno@chromium.org> + + Reviewed by David Hyatt. + + Move the m_width(Length) and m_columns(RenderTable::ColumnStruct) + vector out-of-bounds check out of the ASSERT into the main code. + https://bugs.webkit.org/show_bug.cgi?id=38261 + + Test: fast/table/fixed-table-layout-large-colspan-crash.html + + * rendering/FixedTableLayout.cpp: + (WebCore::FixedTableLayout::calcWidthArray): + +2010-05-21 Beth Dakin <bdakin@apple.com> + + Reviewed by Darin Adler. + + Fix for <rdar://problem/8009118> Crash in WebCore::toAlphabetic() + while running MangleMe + -and corresponding- + https://bugs.webkit.org/show_bug.cgi?id=39508 + + The math was slightly off here, and we wound up trying to access an + array at index -1 in some cases. We need to decrement numberShadow + rather than subtracting one from the result of the modulo + operation. + + * rendering/RenderListMarker.cpp: + (WebCore::toAlphabeticOrNumeric): + +2010-05-20 Dan Bernstein <mitz@apple.com> + + Reviewed by Dave Hyatt. + + <rdar://problem/8007953> Textarea using custom font appears blank + + Test: fast/css/font-face-in-shadow-DOM.html + + When a remote font is loaded, CSSFontSelector forces a style recalc, which replaces all + RenderSyles that have FontFallbackLists referencing the placeholder font with fresh + RenderStyles. However, it does not descend into shadow DOM trees, so those may end up with + styles that still reference the placeholder font. + + The fix is to add RenderObject::requiresForcedStyleRecalcPropagation() and have it return + true from renderers that maintain shadow DOM trees or otherwise keep their own RenderStyles. + + * dom/Element.cpp: + (WebCore::Element::recalcStyle): Check if forced style recalc needs to propagated. 
+ * rendering/RenderButton.h: + (WebCore::RenderButton::requiresForcedStyleRecalcPropagation): + * rendering/RenderDataGrid.h: + (WebCore::RenderDataGrid::requiresForcedStyleRecalcPropagation): + * rendering/RenderFileUploadControl.h: + (WebCore::RenderFileUploadControl::requiresForcedStyleRecalcPropagation): + * rendering/RenderListItem.h: + (WebCore::RenderListItem::requiresForcedStyleRecalcPropagation): + * rendering/RenderMedia.h: + (WebCore::RenderMedia::requiresForcedStyleRecalcPropagation): + * rendering/RenderMenuList.h: + (WebCore::RenderMenuList::RenderMenuList::requiresForcedStyleRecalcPropagation): + * rendering/RenderObject.h: + (WebCore::RenderObject::requiresForcedStyleRecalcPropagation): + * rendering/RenderProgress.h: + (WebCore::RenderProgress::requiresForcedStyleRecalcPropagation): + * rendering/RenderSlider.h: + (WebCore::RenderSlider::requiresForcedStyleRecalcPropagation): + * rendering/RenderTextControl.h: + (WebCore::RenderTextControl::requiresForcedStyleRecalcPropagation): + +2010-04-02 Justin Schuh <jschuh@chromium.org> + + Reviewed by Alexey Proskuryakov. + + XHR allows arbitrary XSRF across domains + https://bugs.webkit.org/show_bug.cgi?id=36843 + + Added a one-line change to prevent bypassing the XDC check on + synchronous preflighted requests. Added layout tests to cover + variations of this problem. + + Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html + http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html + http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html + http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html + + * loader/DocumentThreadableLoader.cpp: + (WebCore::DocumentThreadableLoader::preflightFailure): + +2010-04-28 Julien Chaffraix <jchaffraix@webkit.org> + + Reviewed by Alexey Proskuryakov. 
+ + [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR + https://bugs.webkit.org/show_bug.cgi?id=37781 + <rdar://problem/7905150> + + Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html + http/tests/xmlhttprequest/access-control-preflight-credential-sync.html + + Rolling the patch in as I could not reproduce Qt results locally. + + * loader/DocumentThreadableLoader.cpp: + (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the + credential from the request here to avoid forgetting to do so in the different code path. + (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the + "Origin" header. + (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have + been removed so that we don't leak them. Also tweaked a comment to make it clear that + the URL check has issue when credential is involved. + +2010-04-21 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Adam Roben. + + Windows build fix. + + * platform/network/cf/ResourceHandleCFNet.cpp: Declare CFURLConnectionCreateWithProperties + for now, as it's mistakenly missing from WebKitSupportLibrary headers. + +2010-05-19 Abhishek Arya <inferno@chromium.org> + + Reviewed by David Hyatt. + + Check that the node is a text node before doing a static cast + to a Text class pointer. + https://bugs.webkit.org/show_bug.cgi?id=38626 + + Test: fast/text/text-transform-nontext-node-crash.xhtml + + * rendering/RenderText.cpp: + (WebCore::RenderText::originalText): + * rendering/RenderTextFragment.cpp: + (WebCore::RenderTextFragment::originalText): + (WebCore::RenderTextFragment::previousCharacter): + +2010-05-12 Abhishek Arya <inferno@chromium.org> + + Reviewed by Darin Adler. + + HTML Entity Escape the contents of a textarea node when accessed + via the innerHTML and outerHTML node properties. 
+ https://bugs.webkit.org/show_bug.cgi?id=38922 + + Test: fast/innerHTML/innerHTML-special-elements.html + + * editing/markup.cpp: + (WebCore::appendStartMarkup): + +2010-05-12 James Robinson <jamesr@chromium.org> + + Patch by Dan Bernstein. + + Reviewed by David Hyatt. + + Fix marking the layout root's parent as needing layout + https://bugs.webkit.org/show_bug.cgi?id=37760 + + If an element gets marked as needing layout due to the recalcStyle() + call in FrameView::layout(), the m_layoutSchedulingEnabled flag will + be set to false. It's possible at this point that a parent of the + existing FrameView::m_layoutRoot will be marked as needing layout. + + This patch updates FrameView::scheduleRelayoutOfSubtree to account + for this case. + + Manual test only due to subtle timing issues. + + * manual-tests/layoutroot_detach.xml: Added. + * page/FrameView.cpp: + (WebCore::FrameView::scheduleRelayoutOfSubtree): + +2010-05-10 Sam Weinig <sam@webkit.org> + + Reviewed by Darin Adler. + + Fix for https://bugs.webkit.org/show_bug.cgi?id=38583 + <rdar://problem/7948784> Crash in Element::normalizeAttributes. + + Test: fast/dom/Element/normalize-crash.html + + * dom/Element.cpp: + (WebCore::Element::normalizeAttributes): Copy attributes to a vector + before iterating. + * dom/NamedAttrMap.cpp: + (WebCore::NamedNodeMap::copyAttributesToVector): Added. + * dom/NamedAttrMap.h: + +2010-05-10 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Darin Adler. + + Based on a patch by Eric Seidel. + + https://bugs.webkit.org/show_bug.cgi?id=28697 + <rdar://problem/7946578> WebKit crash on WebCore::Node::nodeIndex() + + It's not OK to call ContainerNode::willRemoveChild() in a loop, because Range code assumes + that it can adjust start and end position to any node except for the one being removed - + so these notifications cannot be batched. + + Test: fast/dom/Range/remove-all-children-crash.html + + * dom/ContainerNode.cpp: + (WebCore::willRemoveChild): Removed unused ExceptionCode. 
+ (WebCore::willRemoveChildren): New function, used in removeChildren() case. + (WebCore::ContainerNode::removeChild): ExceptionCode return was always 0, don't bother with it. + (WebCore::ContainerNode::removeChildren): Call willRemoveChildrenFromNode. + (WebCore::dispatchChildRemovalEvents): Moved some logic out into willRemoveChildrenFromNode + and willRemoveChild. + + * dom/Document.cpp: + (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case. + + * dom/Document.h: + (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case. + + * dom/Range.h: + * dom/Range.cpp: + (WebCore::boundaryNodeChildrenWillBeRemoved): New function, used in removeChildren() case. + (WebCore::Range::nodeChildrenWillBeRemoved): Ditto. + +2010-05-03 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Adam Barth. + + https://bugs.webkit.org/show_bug.cgi?id=38497 + <rdar://problem/7759438> Make sure that http URLs always have a host in SecurityOrigin + + This is a hardening fix, and behavior really depends on what an underlying networking layer + does. So, no test. + + * page/SecurityOrigin.cpp: + (WebCore::schemeRequiresAuthority): List schemes that need an authority for successful loading. + (WebCore::SecurityOrigin::SecurityOrigin): Never let e.g. http origins with empty authorities + have the same security origin. + +2010-05-03 Abhishek Arya <inferno@chromium.org> + + Reviewed by Adam Barth. + + Add support for controlling clipboard access from javascript. + Clipboard access from javascript is disabled by default. 
+ https://bugs.webkit.org/show_bug.cgi?id=27751 + + Test: editing/execCommand/clipboard-access.html + + * WebCore.base.exp: + * editing/EditorCommand.cpp: + (WebCore::supportedCopyCut): + (WebCore::supportedPaste): + (WebCore::createCommandMap): + * page/Settings.cpp: + (WebCore::Settings::Settings): + (WebCore::Settings::setJavaScriptCanAccessClipboard): + * page/Settings.h: + (WebCore::Settings::javaScriptCanAccessClipboard): + +2010-04-30 Abhishek Arya <inferno@chromium.org> + + Reviewed by David Kilzer. + + Convert m_documentUnderMouse, m_dragInitiator to RefPtr. + Eliminated unused m_dragInitiator accessor to prevent dereferencing. + https://bugs.webkit.org/show_bug.cgi?id=37618 + + Test: editing/pasteboard/drag-drop-iframe-refresh-crash.html + + * page/DragController.cpp: + (WebCore::DragController::tryDocumentDrag): + (WebCore::DragController::concludeEditDrag): + * page/DragController.h: + (WebCore::DragController::draggingImageURL): + (WebCore::DragController::documentUnderMouse): + +2010-04-14 Justin Schuh <jschuh@chromium.org> + + Reviewed by Adam Barth. + + Javascript URL can be set as iframe.src via multiple DOM aliases + https://bugs.webkit.org/show_bug.cgi?id=37031 + + Moved frame/iframe checks from Attr to Node on inherited members. + Node child manipulation methods now return NOT_SUPPORTED_ERR if used + on a frame/iframe src attribute. + NamedNodeMap set methods now perform frame/iframe src checks. + Moved allowSettingSrcToJavascriptURL static helper function from + JSElementCustom.cpp to exported function in JSDOMBinding.h. 
+ + * bindings/js/JSAttrCustom.cpp: + (WebCore::JSAttr::setValue): + * bindings/js/JSDOMBinding.cpp: + (WebCore::allowSettingSrcToJavascriptURL): + * bindings/js/JSDOMBinding.h: + * bindings/js/JSElementCustom.cpp: + * bindings/js/JSNamedNodeMapCustom.cpp: + (WebCore::JSNamedNodeMap::setNamedItem): + (WebCore::JSNamedNodeMap::setNamedItemNS): + * bindings/js/JSNodeCustom.cpp: + (WebCore::isAttrFrameSrc): + (WebCore::JSNode::setNodeValue): + (WebCore::JSNode::setTextContent): + (WebCore::JSNode::insertBefore): + (WebCore::JSNode::replaceChild): + (WebCore::JSNode::removeChild): + (WebCore::JSNode::appendChild): + * bindings/v8/custom/V8AttrCustom.cpp: + * bindings/v8/custom/V8NamedNodeMapCustom.cpp: + (WebCore::V8NamedNodeMap::setNamedItemNSCallback): + (WebCore::V8NamedNodeMap::setNamedItemCallback): + (WebCore::toV8): + * bindings/v8/custom/V8NodeCustom.cpp: + (WebCore::isFrameSrc): + (WebCore::V8Node::textContentAccessorSetter): + (WebCore::V8Node::nodeValueAccessorSetter): + (WebCore::V8Node::insertBeforeCallback): + (WebCore::V8Node::replaceChildCallback): + (WebCore::V8Node::removeChildCallback): + (WebCore::V8Node::appendChildCallback): + * dom/Attr.idl: + * dom/NamedNodeMap.idl: + * dom/Node.idl: + +2010-03-26 Justin Schuh <jschuh@chromium.org> + + Reviewed by Adam Barth. + + Security: iFrame.src accepts JavaScript URL via nodeValue or textContent + https://bugs.webkit.org/show_bug.cgi?id=36502 + + Overrode inherited nodeValue and textContent in Attr.idl so they proxy + to value, which performs a security check. 
+ + Test: http/tests/security/xss-DENIED-iframe-src-alias.html + + * bindings/js/JSAttrCustom.cpp: + (WebCore::JSAttr::nodeValue): + (WebCore::JSAttr::setNodeValue): + (WebCore::JSAttr::textContent): + (WebCore::JSAttr::setTextContent): + * bindings/v8/custom/V8AttrCustom.cpp: + (WebCore::V8Attr::nodeValueAccessorSetter): + (WebCore::V8Attr::nodeValueAccessorGetter): + (WebCore::V8Attr::textContentAccessorSetter): + (WebCore::V8Attr::textContentAccessorGetter): + * dom/Attr.idl: + +2010-05-05 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Darin Adler. + + https://bugs.webkit.org/show_bug.cgi?id=38260 + <rdar://problem/7917548> Fix whitespace removing in deprecatedParseURL(). + + Broken all the way since r4 (yes, that's a revision number). + + Test: http/tests/security/xss-DENIED-javascript-with-spaces.html + + * css/CSSHelper.cpp: (WebCore::deprecatedParseURL): Fixed loop conditions for remaining length. + +2010-04-23 Dan Bernstein <mitz@apple.com> + + Reviewed by Simon Fraser. + + <rdar://problem/7898436> :after content is duplicated + + Test: fast/css-generated-content/after-duplicated-after-split.html + + * rendering/RenderInline.cpp: + (WebCore::RenderInline::splitInlines): Pass the correct owner of the child list. + +2010-03-30 Chris Evans <cevans@chromium.org> + + Reviewed by Adam Barth. + + Taint the canvas if an SVG-derived pattern is rendered into it. + + https://bugs.webkit.org/show_bug.cgi?id=36838 + + Test: fast/canvas/svg-taint.html + + * html/canvas/CanvasRenderingContext2D.cpp: + (WebCore::CanvasRenderingContext2D::createPattern): + Take into account the image's hasSingleSecurityOrigin() property. + +2010-04-07 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Darinn Adler. 
+ + https://bugs.webkit.org/show_bug.cgi?id=37230 + <rdar://problem/7813115> REGRESSION (4.0.5): Safari asks for credentials all the time when + authenticating to Windows IIS Server + + * platform/network/ProtectionSpace.h: (WebCore::ProtectionSpaceAuthenticationScheme): Added + a constant for ProtectionSpaceAuthenticationSchemeUnknown. + + * platform/network/cf/AuthenticationCF.cpp: (WebCore::core): + * platform/network/cf/SocketStreamHandleCFNet.cpp: (WebCore::authenticationSchemeFromAuthenticationMethod): + Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme. + + * platform/network/mac/AuthenticationMac.mm: + (WebCore::mac): Support NTLM on systems older than 10.6. We actually get this string from + NSURLConnection, even though there was no public constant. + (WebCore::core): Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme. + +2010-04-19 Dan Bernstein <mitz@apple.com> + + Reviewed by Darin Adler. + + Make the fix for <rdar://problem/7873647> from r57759 more robust. + + * rendering/RenderLayer.cpp: + (WebCore::RenderLayer::updateHoverActiveState): Use RefPtrs for the Nodes. + +2010-04-16 Dan Bernstein <mitz@apple.com> + + Reviewed by Simon Fraser. + + <rdar://problem/7873647> Crash when updating hover state + + Test: fast/dynamic/hover-style-recalc-crash.html + + Updating the hover state of an element caused the document to need style + recalc, and then updating the hover state of a link caused style recalc, + which changed the render tree while updateHoverActiveState() was iterating + over it, leading to a crash. + + * rendering/RenderLayer.cpp: + (WebCore::RenderLayer::updateHoverActiveState): Collect the nodes to be + updated into vectors, then update their active and hover states. + +2010-03-31 Mark Rowe <mrowe@apple.com> + + Reviewed by Darin Adler. 
+ + <http://webkit.org/b/36878> REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" + + * platform/KURL.cpp: + (WebCore::KURL::port): Explicitly handle the case of a colon being present in the URL after the host name but with + no port number before the path. This is handled in the same manner as the colon and port being omitted completely. + +2010-03-24 Mark Rowe <mrowe@apple.com> + + Revert the portion of r56489 that dealt with port zero as it introduced some test failures. + + * platform/KURL.cpp: + (WebCore::KURL::port): Use the "ok" argument to charactersToUIntStrict to determine whether + it was able to successfully parse the string as an unsigned integer, rather than relying on + the fact it returned zero when it failed. + +2010-03-24 Mark Rowe <mrowe@apple.com> + + Reviewed by Darin Adler. + + WebKit should treat port numbers outside the valid range as being blacklisted + <http://webkit.org/b/36571> / <rdar://problem/7790908> + + * platform/KURL.cpp: + (WebCore::KURL::port): Map invalid port numbers to invalidPortNumber. + (WebCore::portAllowed): Add invalidPortNumber to the blacklist. + * platform/KURLGoogle.cpp: invalid port numbers to invalidPortNumber. + (WebCore::KURL::port): Add invalidPortNumber to the blacklist. + Also bring this in to sync with KURL. Having this identical code in two places is stupid. + +2010-05-05 Alexey Proskuryakov <ap@apple.com> + + Reviewed by Adele Peterson. + + https://bugs.webkit.org/show_bug.cgi?id=26824 + <rdar://problem/7018610> EventHandler can operate on a wrong frame if focus changes during + keyboard event dispatch. + + EventHandler object is tied to a frame, so it's wrong for it to continue processing a keyboard + event if focused frame changes between keydown and keypress. + + * manual-tests/focus-change-between-key-events.html: Added. 
+ + * page/EventHandler.cpp: (WebCore::EventHandler::keyEvent): Bail out early if focused frame + changes while dispatching keydown. Also made similar changes for Windows to maintain matching + behavior, even though EventHandler was re-entered anyway due to WM_KEYDOWN and WM_CHAR being + separate events. + +2010-07-02 Tor Arne Vestbø <tor.arne.vestbo@nokia.com> + + Reviewed by Simon Hausmann. + + [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear + + The implementation of PathQt's addArcTo() was not float-safe and also had + a case where it drew an 'infinite' line, which is not part of the spec. + + http://www.whatwg.org/specs/web-apps/current-work/#dom-context-2d-arcto + + We now use qFuzzyCompare() in both cases. The method isPointOnPathBorder() + also had the same problem, and was refactored a bit in the process of fixing + the bug. + + Initial patch by Andreas Kling. + + https://bugs.webkit.org/show_bug.cgi?id=41412 + + * platform/graphics/qt/PathQt.cpp: + 2010-03-26 Shu Chang <chang.shu@nokia.com> Reviewed by Eric Seidel. diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp index 3c01535..4cd40ac 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp @@ -33,6 +33,7 @@ #include "Document.h" #include "HTMLFrameElementBase.h" #include "HTMLNames.h" +#include "JSDOMBinding.h" using namespace JSC; 
@@ -46,13 +47,8 @@ void JSAttr::setValue(ExecState* exec, JSValue value) String attrValue = valueToStringWithNullCheck(exec, value); Element* ownerElement = imp->ownerElement(); - if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) { - if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) { - Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument(); - if (contentDocument && !checkNodeSecurity(exec, contentDocument)) - return; - } - } + if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue)) + return; ExceptionCode ec = 0; imp->setValue(attrValue, ec); diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp index f294dad..393c1ee 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp @@ -24,6 +24,7 @@ #include "debugger/DebuggerCallFrame.h" #include "ActiveDOMObject.h" +#include "CSSHelper.h" #include "DOMCoreException.h" #include "DOMObjectHashTableMap.h" #include "Document.h" @@ -33,6 +34,7 @@ #include "Frame.h" #include "HTMLAudioElement.h" #include "HTMLCanvasElement.h" +#include "HTMLFrameElementBase.h" #include "HTMLImageElement.h" #include "HTMLNames.h" #include "HTMLScriptElement.h" 
@@ -630,6 +632,16 @@ bool shouldAllowNavigation(ExecState* exec, Frame* frame) return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame); } +bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value) +{ + if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) { + Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument(); + if (contentDocument && !checkNodeSecurity(exec, contentDocument)) + return false; + } + return true; +} + void printErrorMessageForFrame(Frame* frame, const String& message) { if (!frame) diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h index 219472b..40f7e40 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h @@ -301,6 +301,8 @@ namespace WebCore { bool allowsAccessFromFrame(JSC::ExecState*, Frame*); bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message); bool shouldAllowNavigation(JSC::ExecState*, Frame*); + bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&); + void printErrorMessageForFrame(Frame*, const String& message); JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName); diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp index c725290..94012fd 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp @@ -36,6 +36,7 @@ #include "HTMLFrameElementBase.h" #include "HTMLNames.h" #include "JSAttr.h" +#include "JSDOMBinding.h" #include "JSHTMLElementWrapperFactory.h" #include "JSNodeList.h" #include "NodeList.h" 
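Review bot: In the JSDOMBinding.cpp hunk, allowSettingSrcToJavascriptURL() dereferences `element` in its first statement without a null check, and the function is now exported instead of file-local. The callers visible in this commit (JSAttr::setValue, JSNamedNodeMap::setNamedItem and setNamedItemNS, JSNode::setNodeValue and setTextContent) all test the element before calling, but nothing at the definition records that requirement for future callers. I would add `ASSERT(element);` as the first statement and a comment above the function such as `// Returns false when script that fails checkNodeSecurity() on the frame's content document tries to set a frame/iframe src to a javascript: URL; element must be non-null.`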
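Review bot: The declaration added in the JSDOMBinding.h hunk leaves both String parameters unnamed (`const String&, const String&`), so the header does not say which one is the attribute name and which is the value. Passing them in the wrong order would still compile, and the comparison against "src" would then presumably never match, silently disabling the check. Suggest `bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String& name, const String& value);`.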
@@ -63,16 +64,6 @@ void JSElement::markChildren(MarkStack& markStack) markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl()); } -static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value) -{ - if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) { - Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument(); - if (contentDocument && !checkNodeSecurity(exec, contentDocument)) - return false; - } - return true; -} - JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args) { ExceptionCode ec = 0; diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp index 13f3628..965498a 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp 
@@ -35,6 +35,38 @@ using namespace JSC; namespace WebCore { +JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args) +{ + NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl()); + ExceptionCode ec = 0; + Node* newNode = toNode(args.at(0)); + + if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { + if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue())) + return jsNull(); + } + + JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec))); + setDOMException(exec, ec); + return result; +} + +JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args) +{ + NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl()); + ExceptionCode ec = 0; + Node* newNode = toNode(args.at(0)); + + if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { + if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue())) + return jsNull(); + } + + JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec))); + setDOMException(exec, ec); + return result; +} + bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName) { return impl->getNamedItem(propertyName); diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp index 134c581..bf6c633 100644 --- a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp +++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp @@ -38,6 +38,7 @@ #include "JSAttr.h" #include "JSCDATASection.h" #include "JSComment.h" +#include "JSDOMBinding.h" #include "JSDocument.h" #include "JSDocumentFragment.h" #include "JSDocumentType.h" 
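Review bot: setNamedItem() and setNamedItemNS() in the JSNamedNodeMapCustom.cpp hunk are identical apart from the final NamedNodeMap call, so the frame-src guard now exists in two copies that must be kept in step by hand. A file-local helper holding the guard keeps a later fix from landing in only one of them. The denial path returns `jsNull()` without setting a DOM exception, whereas the JSNode child-manipulation methods in this commit report NOT_SUPPORTED_ERR; if that difference is intended it deserves a one-line comment at the guard.

```cpp
// Returns false when storing newNode would set a frame/iframe src to a
// javascript: URL that the calling script is not allowed to run there.
static bool canStoreAttrNode(ExecState* exec, NamedNodeMap* map, Node* newNode)
{
    if (!newNode || newNode->nodeType() != Node::ATTRIBUTE_NODE || !map->element())
        return true;
    return allowSettingSrcToJavascriptURL(exec, map->element(), newNode->nodeName(), newNode->nodeValue());
}

JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
{
    // … unchanged: imp, ec and newNode setup …
    // On denial nothing is stored and null is returned without a DOM exception.
    if (!canStoreAttrNode(exec, imp, newNode))
        return jsNull();
    // … unchanged: setNamedItem call, setDOMException, return …
```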
@@ -66,12 +67,53 @@ using namespace JSC; namespace WebCore { -typedef int ExpectionCode; +static inline bool isAttrFrameSrc(Element *element, const String& name) +{ + return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src"); +} + +void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value) +{ + Node* imp = static_cast<Node*>(impl()); + String nodeValue = valueToStringWithNullCheck(exec, value); + + if (imp->nodeType() == Node::ATTRIBUTE_NODE) { + Element* ownerElement = static_cast<Attr*>(impl())->ownerElement(); + if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue)) + return; + } + + ExceptionCode ec = 0; + imp->setNodeValue(nodeValue, ec); + setDOMException(exec, ec); +} + +void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value) +{ + Node* imp = static_cast<Node*>(impl()); + String nodeValue = valueToStringWithNullCheck(exec, value); + + if (imp->nodeType() == Node::ATTRIBUTE_NODE) { + Element* ownerElement = static_cast<Attr*>(impl())->ownerElement(); + if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue)) + return; + } + + ExceptionCode ec = 0; + imp->setTextContent(nodeValue, ec); + setDOMException(exec, ec); +} JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args) { + Node* imp = static_cast<Node*>(impl()); + if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { + setDOMException(exec, NOT_SUPPORTED_ERR); + return jsNull(); + } + ExceptionCode ec = 0; - bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true); + bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true); setDOMException(exec, ec); if (ok) return args.at(0); 
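Review bot: The four-line guard added to insertBefore() in this hunk is repeated verbatim in the replaceChild(), removeChild() and appendChild() hunks that follow, and no copy explains why it refuses the call outright instead of going through allowSettingSrcToJavascriptURL(). The ChangeLog entry for bug 37031 indicates the blanket NOT_SUPPORTED_ERR is intended, so a comment on isAttrFrameSrc() would be enough, e.g. `// Child edits on a frame/iframe src Attr are refused outright rather than value-checked.` Two smaller style points in the same hunk: `Element *element` should read `Element* element` to match the surrounding declarations, and setNodeValue() and setTextContent() differ only in their final call and could share the ownerElement check. insertBefore()'s body continues past the end of the hunk.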
@@ -80,8 +122,14 @@ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args) JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args) { + Node* imp = static_cast<Node*>(impl()); + if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { + setDOMException(exec, NOT_SUPPORTED_ERR); + return jsNull(); + } + ExceptionCode ec = 0; - bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true); + bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true); setDOMException(exec, ec); if (ok) return args.at(1); @@ -90,8 +138,14 @@ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args) JSValue JSNode::removeChild(ExecState* exec, const ArgList& args) { + Node* imp = static_cast<Node*>(impl()); + if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { + setDOMException(exec, NOT_SUPPORTED_ERR); + return jsNull(); + } + ExceptionCode ec = 0; - bool ok = impl()->removeChild(toNode(args.at(0)), ec); + bool ok = imp->removeChild(toNode(args.at(0)), ec); setDOMException(exec, ec); if (ok) return args.at(0); @@ -100,8 +154,14 @@ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args) JSValue JSNode::appendChild(ExecState* exec, const ArgList& args) { + Node* imp = static_cast<Node*>(impl()); + if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { + setDOMException(exec, NOT_SUPPORTED_ERR); + return jsNull(); + } + ExceptionCode ec = 0; - bool ok = impl()->appendChild(toNode(args.at(0)), ec, true); + bool ok = imp->appendChild(toNode(args.at(0)), ec, true); setDOMException(exec, ec); if (ok) return args.at(0); diff --git a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp index 8e6f3a0..c3418b4 100644 --- a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp 
+++ b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp @@ -36,7 +36,7 @@ String deprecatedParseURL(const String& url) int o = 0; int l = i->length(); - while (o < l && (*i)[o] <= ' ') { + while (0 < l && (*i)[o] <= ' ') { ++o; --l; } @@ -53,7 +53,7 @@ String deprecatedParseURL(const String& url) l -= 5; } - while (o < l && (*i)[o] <= ' ') { + while (0 < l && (*i)[o] <= ' ') { ++o; --l; } @@ -65,7 +65,7 @@ String deprecatedParseURL(const String& url) l -= 2; } - while (o < l && (*i)[o] <= ' ') { + while (0 < l && (*i)[o] <= ' ') { ++o; --l; } diff --git a/src/3rdparty/webkit/WebCore/dom/Attr.idl b/src/3rdparty/webkit/WebCore/dom/Attr.idl index af84478..3c73bc0 100644 --- a/src/3rdparty/webkit/WebCore/dom/Attr.idl +++ b/src/3rdparty/webkit/WebCore/dom/Attr.idl @@ -28,7 +28,9 @@ module core { // DOM Level 1 readonly attribute [ConvertNullStringTo=Null] DOMString name; + readonly attribute boolean specified; + attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value setter raises(DOMException); diff --git a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp index fb2852f..c17489a 100644 --- a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp +++ b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp 
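Review bot: The corrected loop condition `0 < l` differs from the old `o < l` by a single glyph, the digit zero against the letter o, and `o` is still a live variable in the same expression, so the fix is easy to misread or to revert by accident. Writing it as `while (l > 0 && (*i)[o] <= ' ') {` in all three hunks of deprecatedParseURL makes the intent visible. A short comment that `l` is the remaining length and `o` the current offset (both are adjusted together by `++o; --l;`) would explain why the bound is on `l` alone. The function body starts and ends outside these hunks.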
@@ -292,19 +292,32 @@ void ContainerNode::willRemove() Node::willRemove(); } -static ExceptionCode willRemoveChild(Node *child) +static void willRemoveChild(Node* child) { - ExceptionCode ec = 0; + // update auxiliary doc info (e.g. iterators) to note that node is being removed + child->document()->nodeWillBeRemoved(child); + child->document()->incDOMTreeVersion(); // fire removed from document mutation events. dispatchChildRemovalEvents(child); - if (ec) - return ec; if (child->attached()) child->willRemove(); - - return 0; +} + +static void willRemoveChildren(ContainerNode* container) +{ + container->document()->nodeChildrenWillBeRemoved(container); + container->document()->incDOMTreeVersion(); + + // FIXME: Adding new children from event handlers can cause an infinite loop here. + for (RefPtr<Node> child = container->firstChild(); child; child = child->nextSibling()) { + // fire removed from document mutation events. + dispatchChildRemovalEvents(child.get()); + + if (child->attached()) + child->willRemove(); + } } bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec) @@ -328,10 +341,7 @@ bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec) } RefPtr<Node> child = oldChild; - - ec = willRemoveChild(child.get()); - if (ec) - return false; + willRemoveChild(child.get()); // Mutation events might have moved this child into a different parent. if (child->parentNode() != this) { 
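Review bot: willRemoveChildren advances with `child = child->nextSibling()` after dispatchChildRemovalEvents has run script, so a handler that moves or inserts nodes changes what the loop visits; the FIXME already admits the infinite-loop case. nodeChildrenWillBeRemoved is called once before the loop, so children that appear during the walk were never announced to ranges and iterators. Taking a snapshot of the children before dispatching any event bounds the loop and keeps the visited set equal to the announced set. Nodes a handler has already detached would still receive the event with this change, which should be checked against what removeChildren does afterwards.

```cpp
static void willRemoveChildren(ContainerNode* container)
{
    // … unchanged: nodeChildrenWillBeRemoved() and incDOMTreeVersion() …

    // Snapshot first: event handlers may reorder or add children while we iterate.
    Vector<RefPtr<Node> > children;
    for (Node* n = container->firstChild(); n; n = n->nextSibling())
        children.append(n);

    for (size_t i = 0; i < children.size(); ++i) {
        Node* child = children[i].get();
        // … unchanged: dispatchChildRemovalEvents(child) and the attached()/willRemove() call …
    }
}
```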
@@ -399,14 +409,12 @@ bool ContainerNode::removeChildren() return false; // The container node can be removed from event handlers. - RefPtr<Node> protect(this); - + RefPtr<ContainerNode> protect(this); + // Do any prep work needed before actually starting to detach // and remove... e.g. stop loading frames, fire unload events. - // FIXME: Adding new children from event handlers can cause an infinite loop here. - for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling()) - willRemoveChild(n.get()); - + willRemoveChildren(protect.get()); + // exclude this node when looking for removed focusedNode since only children will be removed document()->removeFocusedNodeOfSubtree(this, true); @@ -936,6 +944,8 @@ static void dispatchChildInsertionEvents(Node* child) static void dispatchChildRemovalEvents(Node* child) { + ASSERT(!eventDispatchForbidden()); + #if ENABLE(INSPECTOR) if (Page* page = child->document()->page()) { if (InspectorController* inspectorController = page->inspectorController()) @@ -946,11 +956,6 @@ static void dispatchChildRemovalEvents(Node* child) RefPtr<Node> c = child; RefPtr<Document> document = child->document(); - // update auxiliary doc info (e.g. iterators) to note that node is being removed - document->nodeWillBeRemoved(child); - - document->incDOMTreeVersion(); - // dispatch pre-removal mutation events if (c->parentNode() && document->hasListenerType(Document::DOMNODEREMOVED_LISTENER)) c->dispatchEvent(MutationEvent::create(eventNames().DOMNodeRemovedEvent, true, c->parentNode())); diff --git a/src/3rdparty/webkit/WebCore/dom/Document.cpp b/src/3rdparty/webkit/WebCore/dom/Document.cpp index 545819d..9803cf5 100644 --- a/src/3rdparty/webkit/WebCore/dom/Document.cpp +++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp 
@@ -2957,6 +2957,28 @@ void Document::nodeChildrenChanged(ContainerNode* container) } } +void Document::nodeChildrenWillBeRemoved(ContainerNode* container) +{ + if (!disableRangeMutation(page())) { + HashSet<Range*>::const_iterator end = m_ranges.end(); + for (HashSet<Range*>::const_iterator it = m_ranges.begin(); it != end; ++it) + (*it)->nodeChildrenWillBeRemoved(container); + } + + HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end(); + for (HashSet<NodeIterator*>::const_iterator it = m_nodeIterators.begin(); it != nodeIteratorsEnd; ++it) { + for (Node* n = container->firstChild(); n; n = n->nextSibling()) + (*it)->nodeWillBeRemoved(n); + } + + if (Frame* frame = this->frame()) { + for (Node* n = container->firstChild(); n; n = n->nextSibling()) { + frame->selection()->nodeWillBeRemoved(n); + frame->dragCaretController()->nodeWillBeRemoved(n); + } + } +} + void Document::nodeWillBeRemoved(Node* n) { HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end(); diff --git a/src/3rdparty/webkit/WebCore/dom/Document.h b/src/3rdparty/webkit/WebCore/dom/Document.h index 44cdf0d..68927f4 100644 --- a/src/3rdparty/webkit/WebCore/dom/Document.h +++ b/src/3rdparty/webkit/WebCore/dom/Document.h @@ -616,6 +616,9 @@ public: void detachRange(Range*); void nodeChildrenChanged(ContainerNode*); + // nodeChildrenWillBeRemoved is used when removing all node children at once. + void nodeChildrenWillBeRemoved(ContainerNode*); + // nodeWillBeRemoved is only safe when removing one node at a time. void nodeWillBeRemoved(Node*); void textInserted(Node*, unsigned offset, unsigned length); diff --git a/src/3rdparty/webkit/WebCore/dom/Element.cpp b/src/3rdparty/webkit/WebCore/dom/Element.cpp index 6bd512d..a02bb4c 100644 --- a/src/3rdparty/webkit/WebCore/dom/Element.cpp +++ b/src/3rdparty/webkit/WebCore/dom/Element.cpp 
@@ -937,7 +937,7 @@ void Element::recalcStyle(StyleChange change) newStyle->setChildrenAffectedByDirectAdjacentRules(); } - if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) { + if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) { setRenderStyle(newStyle); } else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) { // Although no change occurred, we use the new style so that the cousin style sharing code won't get @@ -1429,9 +1429,15 @@ void Element::normalizeAttributes() NamedNodeMap* attrs = attributes(true); if (!attrs) return; - unsigned numAttrs = attrs->length(); - for (unsigned i = 0; i < numAttrs; i++) { - if (Attr* attr = attrs->attributeItem(i)->attr()) + + if (attrs->isEmpty()) + return; + + Vector<RefPtr<Attribute> > attributeVector; + attrs->copyAttributesToVector(attributeVector); + size_t numAttrs = attributeVector.size(); + for (size_t i = 0; i < numAttrs; ++i) { + if (Attr* attr = attributeVector[i]->attr()) attr->normalize(); } } diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp index d8a6ba8..ee979cf 100644 --- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp +++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp @@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const return m_attributes[index]->createAttrIfNeeded(m_element); } +void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy) +{ + copy = m_attributes; +} + Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const { unsigned len = length(); diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h index d5136b5..e292576 100644 
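Review bot: The extended condition in recalcStyle depends on `&&` binding tighter than `||` in `... || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()`. It parses as intended, but the grouping is not visible to the reader and compilers commonly warn about it. Wrap the new clause: `|| (change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation())`. The function starts and ends outside the hunk.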
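Review bot: normalizeAttributes now iterates a copy of the attribute list, but nothing in the code says why, and the copy looks like waste to anyone who does not know the bug. Add a comment above copyAttributesToVector, e.g. `// Iterate a ref-counted copy: attr->normalize() can run mutation event handlers that modify or remove this element's attributes.` The new NamedNodeMap::copyAttributesToVector in the next file only reads `m_attributes`, so it could be declared `const` like the accessors around it in NamedAttrMap.h.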
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h +++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h @@ -72,6 +72,8 @@ public: Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); } Attribute* getAttributeItem(const QualifiedName&) const; + void copyAttributesToVector(Vector<RefPtr<Attribute> >&); + void shrinkToLength() { m_attributes.shrinkCapacity(length()); } void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); } diff --git a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl index 4d36577..7bfbf23 100644 --- a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl +++ b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl @@ -28,7 +28,7 @@ module core { Node getNamedItem(in DOMString name); - Node setNamedItem(in Node node) + [Custom] Node setNamedItem(in Node node) raises(DOMException); Node removeNamedItem(in DOMString name) @@ -46,7 +46,7 @@ module core { // FIXME: the implementation does take an exceptioncode parameter. /*raises(DOMException)*/; - Node setNamedItemNS(in Node node) + [Custom] Node setNamedItemNS(in Node node) raises(DOMException); [OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI, diff --git a/src/3rdparty/webkit/WebCore/dom/Node.idl b/src/3rdparty/webkit/WebCore/dom/Node.idl index 0489316..22d9a85 100644 --- a/src/3rdparty/webkit/WebCore/dom/Node.idl +++ b/src/3rdparty/webkit/WebCore/dom/Node.idl @@ -51,7 +51,7 @@ module core { readonly attribute [ConvertNullStringTo=Null] DOMString nodeName; // FIXME: the spec says this can also raise on retrieval. - attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue + attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue setter raises(DOMException); readonly attribute unsigned short nodeType; 
@@ -96,7 +96,7 @@ module core { readonly attribute [ConvertNullStringTo=Null] DOMString baseURI; // FIXME: the spec says this can also raise on retrieval. - attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent + attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent setter raises(DOMException); boolean isSameNode(in Node other); diff --git a/src/3rdparty/webkit/WebCore/dom/Range.cpp b/src/3rdparty/webkit/WebCore/dom/Range.cpp index 52d1785..689b590 100644 --- a/src/3rdparty/webkit/WebCore/dom/Range.cpp +++ b/src/3rdparty/webkit/WebCore/dom/Range.cpp @@ -1716,6 +1716,31 @@ void Range::nodeChildrenChanged(ContainerNode* container) boundaryNodeChildrenChanged(m_end, container); } +static inline void boundaryNodeChildrenWillBeRemoved(RangeBoundaryPoint& boundary, ContainerNode* container) +{ + for (Node* nodeToBeRemoved = container->firstChild(); nodeToBeRemoved; nodeToBeRemoved = nodeToBeRemoved->nextSibling()) { + if (boundary.childBefore() == nodeToBeRemoved) { + boundary.setToStartOfNode(container); + return; + } + + for (Node* n = boundary.container(); n; n = n->parentNode()) { + if (n == nodeToBeRemoved) { + boundary.setToStartOfNode(container); + return; + } + } + } +} + +void Range::nodeChildrenWillBeRemoved(ContainerNode* container) +{ + ASSERT(container); + ASSERT(container->document() == m_ownerDocument); + boundaryNodeChildrenWillBeRemoved(m_start, container); + boundaryNodeChildrenWillBeRemoved(m_end, container); +} + static inline void boundaryNodeWillBeRemoved(RangeBoundaryPoint& boundary, Node* nodeToBeRemoved) { if (boundary.childBefore() == nodeToBeRemoved) { diff --git a/src/3rdparty/webkit/WebCore/dom/Range.h b/src/3rdparty/webkit/WebCore/dom/Range.h index fd0f66a..bfddd32 100644 --- a/src/3rdparty/webkit/WebCore/dom/Range.h +++ b/src/3rdparty/webkit/WebCore/dom/Range.h 
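Review bot: boundaryNodeChildrenWillBeRemoved in Range.cpp walks the whole ancestor chain of the boundary once per child of `container`, and Document::nodeChildrenWillBeRemoved calls it twice for every live Range, so clearing a large container costs children × depth × ranges. A node is one of the children being removed exactly when its `parentNode()` is `container`, so one pass over the ancestor chain is enough. This should be equivalent as long as parentNode() agrees with the sibling list at this point, which is worth an ASSERT or a test.

```cpp
static inline void boundaryNodeChildrenWillBeRemoved(RangeBoundaryPoint& boundary, ContainerNode* container)
{
    // The boundary is affected only if a child of container is its childBefore
    // or lies on the ancestor chain of its container node.
    Node* childBefore = boundary.childBefore();
    if (childBefore && childBefore->parentNode() == container) {
        boundary.setToStartOfNode(container);
        return;
    }

    for (Node* n = boundary.container(); n; n = n->parentNode()) {
        if (n->parentNode() == container) {
            boundary.setToStartOfNode(container);
            return;
        }
    }
}
```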
@@ -111,6 +111,7 @@ public: void textQuads(Vector<FloatQuad>&, bool useSelectionHeight = false); void nodeChildrenChanged(ContainerNode*); + void nodeChildrenWillBeRemoved(ContainerNode*); void nodeWillBeRemoved(Node*); void textInserted(Node*, unsigned offset, unsigned length); diff --git a/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp b/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp index 34fa46d..4cb34ac 100644 --- a/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp +++ b/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp @@ -1069,6 +1069,21 @@ static bool supportedFromMenuOrKeyBinding(Frame*, EditorCommandSource source) return source == CommandFromMenuOrKeyBinding; } +static bool supportedCopyCut(Frame* frame, EditorCommandSource source) +{ + switch (source) { + case CommandFromMenuOrKeyBinding: + return true; + case CommandFromDOM: + case CommandFromDOMWithUserInterface: { + Settings* settings = frame ? frame->settings() : 0; + return settings && settings->javaScriptCanAccessClipboard(); + } + } + ASSERT_NOT_REACHED(); + return false; +} + static bool supportedPaste(Frame* frame, EditorCommandSource source) { switch (source) { @@ -1077,7 +1092,7 @@ static bool supportedPaste(Frame* frame, EditorCommandSource source) case CommandFromDOM: case CommandFromDOMWithUserInterface: { Settings* settings = frame ? frame->settings() : 0; - return settings && settings->isDOMPasteAllowed(); + return settings && (settings->javaScriptCanAccessClipboard() ? settings->isDOMPasteAllowed() : 0); } } ASSERT_NOT_REACHED(); 
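Review bot: In supportedPaste the new return mixes a boolean chain with a ternary that yields the integer `0`, which makes a clipboard permission check harder to read than it needs to be. The same logic is `return settings && settings->javaScriptCanAccessClipboard() && settings->isDOMPasteAllowed();`. supportedCopyCut, added in the previous hunk, would benefit from a comment stating the policy, e.g. `// Script-initiated copy/cut is refused unless the embedder enabled javaScriptCanAccessClipboard; menu and key bindings are always allowed.` supportedPaste starts in the previous hunk and is not shown in full in either one.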
@@ -1304,9 +1319,9 @@ static const CommandMap& createCommandMap() { "BackColor", { executeBackColor, supported, enabledInRichlyEditableText, stateNone, valueBackColor, notTextInsertion, doNotAllowExecutionWhenDisabled } }, { "BackwardDelete", { executeDeleteBackward, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, // FIXME: remove BackwardDelete when Safari for Windows stops using it. { "Bold", { executeToggleBold, supported, enabledInRichlyEditableText, stateBold, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, - { "Copy", { executeCopy, supported, enabledCopy, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } }, + { "Copy", { executeCopy, supportedCopyCut, enabledCopy, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } }, { "CreateLink", { executeCreateLink, supported, enabledInRichlyEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, - { "Cut", { executeCut, supported, enabledCut, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } }, + { "Cut", { executeCut, supportedCopyCut, enabledCut, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } }, { "Delete", { executeDelete, supported, enabledDelete, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, { "DeleteBackward", { executeDeleteBackward, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, { "DeleteBackwardByDecomposingPreviousCharacter", { executeDeleteBackwardByDecomposingPreviousCharacter, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, diff --git a/src/3rdparty/webkit/WebCore/editing/markup.cpp b/src/3rdparty/webkit/WebCore/editing/markup.cpp index 787dad9..7e90107 100644 
--- a/src/3rdparty/webkit/WebCore/editing/markup.cpp +++ b/src/3rdparty/webkit/WebCore/editing/markup.cpp @@ -404,10 +404,12 @@ static void appendStartMarkup(Vector<UChar>& result, const Node* node, const Ran if (Node* parent = node->parentNode()) { if (parent->hasTagName(scriptTag) || parent->hasTagName(styleTag) - || parent->hasTagName(textareaTag) || parent->hasTagName(xmpTag)) { appendUCharRange(result, ucharRange(node, range)); break; + } else if (parent->hasTagName(textareaTag)) { + appendEscapedContent(result, ucharRange(node, range), documentIsHTML); + break; } } if (!annotate) { diff --git a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp index 7aed66c..1232cfc 100644 --- a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp +++ b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp @@ -264,14 +264,7 @@ JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionSetNamedItem(ExecState* exe if (!thisValue.inherits(&JSNamedNodeMap::s_info)) return throwError(exec, TypeError); JSNamedNodeMap* castedThisObj = static_cast<JSNamedNodeMap*>(asObject(thisValue)); - NamedNodeMap* imp = static_cast<NamedNodeMap*>(castedThisObj->impl()); - ExceptionCode ec = 0; - Node* node = toNode(args.at(0)); - - - JSC::JSValue result = toJS(exec, castedThisObj->globalObject(), WTF::getPtr(imp->setNamedItem(node, ec))); - setDOMException(exec, ec); - return result; + return castedThisObj->setNamedItem(exec, args); } JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionRemoveNamedItem(ExecState* exec, JSObject*, JSValue thisValue, const ArgList& args) 
@@ -325,14 +318,7 @@ JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionSetNamedItemNS(ExecState* e if (!thisValue.inherits(&JSNamedNodeMap::s_info)) return throwError(exec, TypeError); JSNamedNodeMap* castedThisObj = static_cast<JSNamedNodeMap*>(asObject(thisValue)); - NamedNodeMap* imp = static_cast<NamedNodeMap*>(castedThisObj->impl()); - ExceptionCode ec = 0; - Node* node = toNode(args.at(0)); - - - JSC::JSValue result = toJS(exec, castedThisObj->globalObject(), WTF::getPtr(imp->setNamedItemNS(node, ec))); - setDOMException(exec, ec); - return result; + return castedThisObj->setNamedItemNS(exec, args); } JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionRemoveNamedItemNS(ExecState* exec, JSObject*, JSValue thisValue, const ArgList& args) diff --git a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h index 0fa1fdf..b79e97c 100644 --- a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h +++ b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h @@ -50,6 +50,10 @@ public: virtual void getOwnPropertyNames(JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode mode = JSC::ExcludeDontEnumProperties); static JSC::JSValue getConstructor(JSC::ExecState*, JSC::JSGlobalObject*); + + // Custom functions + JSC::JSValue setNamedItem(JSC::ExecState*, const JSC::ArgList&); + JSC::JSValue setNamedItemNS(JSC::ExecState*, const JSC::ArgList&); NamedNodeMap* impl() const { return m_impl.get(); } private: diff --git a/src/3rdparty/webkit/WebCore/generated/JSNode.cpp b/src/3rdparty/webkit/WebCore/generated/JSNode.cpp index 47dafd4..1e16be6 100644 --- a/src/3rdparty/webkit/WebCore/generated/JSNode.cpp +++ b/src/3rdparty/webkit/WebCore/generated/JSNode.cpp 
@@ -394,11 +394,7 @@ void JSNode::put(ExecState* exec, const Identifier& propertyName, JSValue value, void setJSNodeNodeValue(ExecState* exec, JSObject* thisObject, JSValue value) { - JSNode* castedThisObj = static_cast<JSNode*>(thisObject); - Node* imp = static_cast<Node*>(castedThisObj->impl()); - ExceptionCode ec = 0; - imp->setNodeValue(valueToStringWithNullCheck(exec, value), ec); - setDOMException(exec, ec); + static_cast<JSNode*>(thisObject)->setNodeValue(exec, value); } void setJSNodePrefix(ExecState* exec, JSObject* thisObject, JSValue value) @@ -412,11 +408,7 @@ void setJSNodePrefix(ExecState* exec, JSObject* thisObject, JSValue value) void setJSNodeTextContent(ExecState* exec, JSObject* thisObject, JSValue value) { - JSNode* castedThisObj = static_cast<JSNode*>(thisObject); - Node* imp = static_cast<Node*>(castedThisObj->impl()); - ExceptionCode ec = 0; - imp->setTextContent(valueToStringWithNullCheck(exec, value), ec); - setDOMException(exec, ec); + static_cast<JSNode*>(thisObject)->setTextContent(exec, value); } JSValue JSNode::getConstructor(ExecState* exec, JSGlobalObject* globalObject) diff --git a/src/3rdparty/webkit/WebCore/generated/JSNode.h b/src/3rdparty/webkit/WebCore/generated/JSNode.h index be6dd23..e2c82c4 100644 --- a/src/3rdparty/webkit/WebCore/generated/JSNode.h +++ b/src/3rdparty/webkit/WebCore/generated/JSNode.h @@ -54,6 +54,10 @@ public: static JSC::JSValue getConstructor(JSC::ExecState*, JSC::JSGlobalObject*); + // Custom attributes + void setNodeValue(JSC::ExecState*, JSC::JSValue); + void setTextContent(JSC::ExecState*, JSC::JSValue); + // Custom functions JSC::JSValue insertBefore(JSC::ExecState*, const JSC::ArgList&); JSC::JSValue replaceChild(JSC::ExecState*, const JSC::ArgList&); diff --git a/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp index 9cec7a9..73a572e 100644 
--- a/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp +++ b/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp @@ -1215,7 +1215,7 @@ PassRefPtr<CanvasPattern> CanvasRenderingContext2D::createPattern(HTMLImageEleme if (!cachedImage || !image->cachedImage()->image()) return CanvasPattern::create(Image::nullImage(), repeatX, repeatY, true); - bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url())); + bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url())) && cachedImage->image()->hasSingleSecurityOrigin(); return CanvasPattern::create(cachedImage->image(), repeatX, repeatY, originClean); } diff --git a/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp b/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp index de0a0b0..55f51ac 100644 --- a/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp +++ b/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp 
@@ -81,16 +81,19 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document* document, Threadabl ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); - if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) - makeSimpleCrossOriginAccessRequest(request); + OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request)); + crossOriginRequest->removeCredentials(); + crossOriginRequest->setAllowCookies(m_options.allowCredentials); + + if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) + makeSimpleCrossOriginAccessRequest(*crossOriginRequest); else { - m_actualRequest.set(new ResourceRequest(request)); - m_actualRequest->setAllowCookies(m_options.allowCredentials); + m_actualRequest.set(crossOriginRequest.release()); - if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields())) + if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields())) preflightSuccess(); else - makeCrossOriginAccessRequestWithPreflight(request); + makeCrossOriginAccessRequestWithPreflight(*m_actualRequest); } } @@ -106,8 +109,6 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource // Make a copy of the passed request so that we can modify some details. ResourceRequest crossOriginRequest(request); - crossOriginRequest.removeCredentials(); - crossOriginRequest.setAllowCookies(m_options.allowCredentials); crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString()); loadRequest(crossOriginRequest, DoSecurityCheck); 
@@ -287,11 +288,17 @@ void DocumentThreadableLoader::preflightSuccess() void DocumentThreadableLoader::preflightFailure() { + m_actualRequest = 0; // Prevent didFinishLoading() from bypassing access check. m_client->didFail(ResourceError()); } void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck) { + // Any credential should have been removed from the cross-site requests. + const KURL& requestURL = request.url(); + ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); + ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); + if (m_async) { // Don't sniff content or send load callbacks for the preflight request. bool sendLoadCallbacks = m_options.sendLoadCallbacks && !m_actualRequest; @@ -315,15 +322,15 @@ void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Secur // No exception for file:/// resources, see <rdar://problem/4962298>. // Also, if we have an HTTP response, then it wasn't a network error in fact. - if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) { + if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) { m_client->didFail(error); return; } // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was - // requested. - if (request.url() != response.url() && !isAllowedRedirect(response.url())) { + // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials. + if (requestURL != response.url() && !isAllowedRedirect(response.url())) { m_client->didFailRedirectCheck(); return; } diff --git a/src/3rdparty/webkit/WebCore/page/DragController.cpp b/src/3rdparty/webkit/WebCore/page/DragController.cpp index f238b27..0da6873 100644 
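Review bot: The two ASSERTs added at the top of loadRequest are the only check that user and password were stripped from a cross-origin URL, and assertions are normally compiled out of release builds, so in production the guarantee rests on every caller having gone through the constructor path that calls removeCredentials(). makeSimpleCrossOriginAccessRequest lost its own `crossOriginRequest.removeCredentials();` in this commit; keeping that call is cheap and leaves the function safe if it is ever reached from another path, such as redirect handling, which is not visible here. At minimum its comment should state the precondition, e.g. `// Caller must already have removed URL credentials and applied the cookie policy.` loadRequest continues outside the hunk.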
--- a/src/3rdparty/webkit/WebCore/page/DragController.cpp +++ b/src/3rdparty/webkit/WebCore/page/DragController.cpp @@ -313,7 +313,7 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a } IntPoint point = frameView->windowToContents(dragData->clientPosition()); - Element* element = elementUnderMouse(m_documentUnderMouse, point); + Element* element = elementUnderMouse(m_documentUnderMouse.get(), point); if (!asFileInput(element)) { VisibleSelection dragCaret = m_documentUnderMouse->frame()->visiblePositionForPoint(point); m_page->dragCaretController()->setSelection(dragCaret); @@ -363,7 +363,7 @@ bool DragController::concludeEditDrag(DragData* dragData) return false; IntPoint point = m_documentUnderMouse->view()->windowToContents(dragData->clientPosition()); - Element* element = elementUnderMouse(m_documentUnderMouse, point); + Element* element = elementUnderMouse(m_documentUnderMouse.get(), point); Frame* innerFrame = element->ownerDocument()->frame(); ASSERT(innerFrame); @@ -439,7 +439,7 @@ bool DragController::concludeEditDrag(DragData* dragData) applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete)); } else { if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) - applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, fragment, true, dragData->canSmartReplace(), chosePlainText)); + applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), fragment, true, dragData->canSmartReplace(), chosePlainText)); } } else { String text = dragData->asPlainText(); 
@@ -450,7 +450,7 @@ bool DragController::concludeEditDrag(DragData* dragData) m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData); if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) - applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, createFragmentFromText(range.get(), text), true, false, true)); + applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), true, false, true)); } loader->setAllowStaleResources(false); diff --git a/src/3rdparty/webkit/WebCore/page/DragController.h b/src/3rdparty/webkit/WebCore/page/DragController.h index 3b2b083..712f9ab 100644 --- a/src/3rdparty/webkit/WebCore/page/DragController.h +++ b/src/3rdparty/webkit/WebCore/page/DragController.h @@ -67,13 +67,11 @@ namespace WebCore { DragOperation sourceDragOperation() const { return m_sourceDragOperation; } void setDraggingImageURL(const KURL& url) { m_draggingImageURL = url; } const KURL& draggingImageURL() const { return m_draggingImageURL; } - void setDragInitiator(Document* initiator) { m_dragInitiator = initiator; m_didInitiateDrag = true; } - Document* dragInitiator() const { return m_dragInitiator; } void setDragOffset(const IntPoint& offset) { m_dragOffset = offset; } const IntPoint& dragOffset() const { return m_dragOffset; } DragSourceAction dragSourceAction() const { return m_dragSourceAction; } - Document* documentUnderMouse() const { return m_documentUnderMouse; } + Document* documentUnderMouse() const { return m_documentUnderMouse.get(); } DragDestinationAction dragDestinationAction() const { return m_dragDestinationAction; } DragSourceAction delegateDragSourceAction(const IntPoint& pagePoint); 
@@ -114,8 +112,8 @@ namespace WebCore { Page* m_page; DragClient* m_client; - Document* m_documentUnderMouse; // The document the mouse was last dragged over. - Document* m_dragInitiator; // The Document (if any) that initiated the drag. + RefPtr<Document> m_documentUnderMouse; // The document the mouse was last dragged over. + RefPtr<Document> m_dragInitiator; // The Document (if any) that initiated the drag. DragDestinationAction m_dragDestinationAction; DragSourceAction m_dragSourceAction; diff --git a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp index 1654257..f1ee742 100644 --- a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp +++ b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp @@ -2163,7 +2163,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent) if (initialKeyEvent.type() == PlatformKeyboardEvent::RawKeyDown) { node->dispatchEvent(keydown, ec); - return keydown->defaultHandled() || keydown->defaultPrevented(); + // If frame changed as a result of keydown dispatch, then return true to avoid sending a subsequent keypress message to the new frame. + bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame(); + return keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame; } // Run input method in advance of DOM event handling. This may result in the IM 
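Review bot: Making m_documentUnderMouse and m_dragInitiator `RefPtr<Document>` removes the dangling-pointer risk, but the controller now keeps both documents alive until the members are cleared. The hunks shown only add `.get()` at the use sites and remove the setDragInitiator/dragInitiator accessors; where the members are assigned and reset is outside them. Confirm that every drag exit path (drop, cancel, leaving the view) resets both to 0, and record it on the members, e.g. `// Owning reference; must be cleared when the drag session ends.`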
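Review bot: The focused-frame test `m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame()` is written out twice in keyEvent, here and in the next hunk, with two slightly different comments. A small private helper called after each dispatchEvent would keep the two sites from drifting apart, since this is the check that stops a keypress from following focus into another frame. Both uses read `m_frame` right after script has run in the keydown handler; keyEvent's beginning is outside the hunk, so whether the frame is kept alive across the dispatch cannot be seen here and should be confirmed.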
@@ -2183,7 +2185,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent) } node->dispatchEvent(keydown, ec); - bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented(); + // If frame changed as a result of keydown dispatch, then return early to avoid sending a subsequent keypress message to the new frame. + bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame(); + bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame; if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode)) return keydownResult; diff --git a/src/3rdparty/webkit/WebCore/page/FrameView.cpp b/src/3rdparty/webkit/WebCore/page/FrameView.cpp index 639414b..01f0375 100644 --- a/src/3rdparty/webkit/WebCore/page/FrameView.cpp +++ b/src/3rdparty/webkit/WebCore/page/FrameView.cpp @@ -1315,14 +1315,13 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot) { ASSERT(m_frame->view() == this); - if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer() - && m_frame->contentRenderer()->needsLayout())) { + if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) { if (relayoutRoot) relayoutRoot->markContainingBlocksForLayout(false); return; } - if (layoutPending()) { + if (layoutPending() || !m_layoutSchedulingEnabled) { if (m_layoutRoot != relayoutRoot) { if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) { // Keep the current root @@ -1339,7 +1338,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot) relayoutRoot->markContainingBlocksForLayout(false); } } - } else { + } else if (m_layoutSchedulingEnabled) { int delay = m_frame->document()->minimumLayoutDelay(); m_layoutRoot = relayoutRoot; m_delayedLayout = delay != 0; diff --git a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp index c0b3e22..516c533 100644 
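Review bot: The `else if (m_layoutSchedulingEnabled)` added in the @@ -1339 hunk looks redundant. Assuming it pairs with the `if (layoutPending() || !m_layoutSchedulingEnabled)` rewritten in the previous hunk, the else arm is reached only when scheduling is enabled. A plain `} else {` with a comment such as `// Reached only when no layout is pending and scheduling is enabled.` would say the same thing without suggesting a third, unhandled case. The lines between the two hunks are not shown, so the pairing is inferred from the brace structure.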
--- a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp +++ b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp @@ -90,6 +90,20 @@ static URLSchemesMap& schemesWithUniqueOrigins() return schemesWithUniqueOrigins; } +static bool schemeRequiresAuthority(const String& scheme) +{ + DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ()); + + if (schemes.isEmpty()) { + schemes.add("http"); + schemes.add("https"); + schemes.add("ftp"); + } + + return schemes.contains(scheme); +} + + SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags) : m_sandboxFlags(sandboxFlags) , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) @@ -103,6 +117,10 @@ SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags) if (m_protocol == "about" || m_protocol == "javascript") m_protocol = ""; + // For edge case URLs that were probably misparsed, make sure that the origin is unique. + if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty()) + m_isUnique = true; + // document.domain starts as m_host, but can be set by the DOM. m_domain = m_host; diff --git a/src/3rdparty/webkit/WebCore/page/Settings.cpp b/src/3rdparty/webkit/WebCore/page/Settings.cpp index 475d373..c0659d2 100644 --- a/src/3rdparty/webkit/WebCore/page/Settings.cpp +++ b/src/3rdparty/webkit/WebCore/page/Settings.cpp @@ -79,6 +79,7 @@ Settings::Settings(Page* page) , m_allowUniversalAccessFromFileURLs(true) , m_allowFileAccessFromFileURLs(true) , m_javaScriptCanOpenWindowsAutomatically(false) + , m_javaScriptCanAccessClipboard(false) , m_shouldPrintBackgrounds(false) , m_textAreasAreResizable(false) #if ENABLE(DASHBOARD_SUPPORT) 
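Review bot: `schemeRequiresAuthority` fills its static set lazily behind `if (schemes.isEmpty())`, which is not synchronized. If SecurityOrigin objects can be constructed on more than one thread, two first calls could race on the `add` calls; whether that happens is not visible here. The helper also has no comment explaining its security purpose. Something like `// Schemes whose URLs must carry a host; an empty host means the URL was probably misparsed, so the origin is made unique.` would tie it to the check added in the constructor hunk that follows. There is also a doubled blank line after the function.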
@@ -291,6 +292,11 @@ void Settings::setJavaScriptCanOpenWindowsAutomatically(bool javaScriptCanOpenWi m_javaScriptCanOpenWindowsAutomatically = javaScriptCanOpenWindowsAutomatically; } +void Settings::setJavaScriptCanAccessClipboard(bool javaScriptCanAccessClipboard) +{ + m_javaScriptCanAccessClipboard = javaScriptCanAccessClipboard; +} + void Settings::setDefaultTextEncodingName(const String& defaultTextEncodingName) { m_defaultTextEncodingName = defaultTextEncodingName; diff --git a/src/3rdparty/webkit/WebCore/page/Settings.h b/src/3rdparty/webkit/WebCore/page/Settings.h index b677712..a6653ce 100644 --- a/src/3rdparty/webkit/WebCore/page/Settings.h +++ b/src/3rdparty/webkit/WebCore/page/Settings.h @@ -122,6 +122,9 @@ namespace WebCore { void setJavaScriptCanOpenWindowsAutomatically(bool); bool javaScriptCanOpenWindowsAutomatically() const { return m_javaScriptCanOpenWindowsAutomatically; } + void setJavaScriptCanAccessClipboard(bool); + bool javaScriptCanAccessClipboard() const { return m_javaScriptCanAccessClipboard; } + void setSpatialNavigationEnabled(bool); bool isSpatialNavigationEnabled() const { return m_isSpatialNavigationEnabled; } @@ -330,6 +333,7 @@ namespace WebCore { bool m_allowUniversalAccessFromFileURLs: 1; bool m_allowFileAccessFromFileURLs: 1; bool m_javaScriptCanOpenWindowsAutomatically : 1; + bool m_javaScriptCanAccessClipboard : 1; bool m_shouldPrintBackgrounds : 1; bool m_textAreasAreResizable : 1; #if ENABLE(DASHBOARD_SUPPORT) diff --git a/src/3rdparty/webkit/WebCore/platform/KURL.cpp b/src/3rdparty/webkit/WebCore/platform/KURL.cpp index 40adfbc..3c8d50f 100644 --- a/src/3rdparty/webkit/WebCore/platform/KURL.cpp +++ b/src/3rdparty/webkit/WebCore/platform/KURL.cpp 
@@ -215,6 +215,9 @@ static const unsigned char characterClassTable[256] = { /* 252 */ BadChar, /* 253 */ BadChar, /* 254 */ BadChar, /* 255 */ BadChar }; +static const unsigned maximumValidPortNumber = 0xFFFE; +static const unsigned invalidPortNumber = 0xFFFF; + static int copyPathRemovingDots(char* dst, const char* src, int srcStart, int srcEnd); static void encodeRelativeString(const String& rel, const TextEncoding&, CharBuffer& ouput); static String substituteBackslashes(const String&); @@ -573,12 +576,17 @@ String KURL::host() const unsigned short KURL::port() const { - if (m_hostEnd == m_portEnd) + // We return a port of 0 if there is no port specified. This can happen in two situations: + // 1) The URL contains no colon after the host name and before the path component of the URL. + // 2) The URL contains a colon but there's no port number before the path component of the URL begins. + if (m_hostEnd == m_portEnd || m_hostEnd == m_portEnd - 1) return 0; - int number = m_string.substring(m_hostEnd + 1, m_portEnd - m_hostEnd - 1).toInt(); - if (number < 0 || number > 0xFFFF) - return 0; + const UChar* stringData = m_string.characters(); + bool ok = false; + unsigned number = charactersToUIntStrict(stringData + m_hostEnd + 1, m_portEnd - m_hostEnd - 1, &ok); + if (!ok || number > maximumValidPortNumber) + return invalidPortNumber; return number; } @@ -1757,7 +1765,7 @@ bool portAllowed(const KURL& url) 6667, // Standard IRC [Apple addition] 6668, // Alternate IRC [Apple addition] 6669, // Alternate IRC [Apple addition] - + invalidPortNumber, // Used to block all invalid port numbers }; const unsigned short* const blockedPortListEnd = blockedPortList + sizeof(blockedPortList) / sizeof(blockedPortList[0]); diff --git a/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp b/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp index 8be7009..10b9bb8 100644 --- a/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp 
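Review bot: `port()` in the @@ -573 hunk now returns `invalidPortNumber` (0xFFFF) for an unparsable or out-of-range port, but the new comment explains only the 0 case, and the sentinel is in-band for an `unsigned short`. A URL that names port 65535 explicitly is reported the same way as garbage and is blocked by the `invalidPortNumber` entry added to `blockedPortList` in the @@ -1757 hunk. Any caller that uses `port()` without going through `portAllowed()` would treat 0xFFFF as a real port. I would document this at the constants, e.g. `// 0xFFFF is reserved as the "invalid port" sentinel; port() never returns it for a usable port.`, and check the other callers of `port()`. The same constant is defined a second time in KURLGoogle.cpp, so the two values can drift.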
+++ b/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp @@ -57,6 +57,8 @@ using std::binary_search; namespace WebCore { +static const unsigned invalidPortNumber = 0xFFFF; + // Wraps WebCore's text encoding in a character set converter for the // canonicalizer. class KURLCharsetConverter : public url_canon::CharsetConverter { @@ -499,7 +501,7 @@ String KURL::host() const unsigned short KURL::port() const { if (!m_url.m_isValid || m_url.m_parsed.port.len <= 0) - return 0; + return invalidPortNumber; int port = url_parse::ParsePort(m_url.utf8String().data(), m_url.m_parsed.port); if (port == url_parse::PORT_UNSPECIFIED) return 0; @@ -853,6 +855,12 @@ bool portAllowed(const KURL& url) 3659, // apple-sasl / PasswordServer [Apple addition] 4045, // lockd 6000, // X11 + 6665, // Alternate IRC [Apple addition] + 6666, // Alternate IRC [Apple addition] + 6667, // Standard IRC [Apple addition] + 6668, // Alternate IRC [Apple addition] + 6669, // Alternate IRC [Apple addition] + invalidPortNumber, // Used to block all invalid port numbers }; const unsigned short* const blockedPortListEnd = blockedPortList + sizeof(blockedPortList) / sizeof(blockedPortList[0]); diff --git a/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp b/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp index a7351a0..c96fe25 100644 --- a/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp +++ b/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp 
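Review bot: The changed early return in the @@ -499 hunk makes `port()` answer `invalidPortNumber` whenever `m_url.m_parsed.port.len <= 0`, which appears to include a URL with no port at all, while KURL.cpp in this same commit returns 0 for that case. Since `invalidPortNumber` is also added to `blockedPortList` in the @@ -853 hunk, a port-less URL could be rejected by `portAllowed()` on this backend. How the parser encodes an absent port is not visible here, so this needs confirming. If that reading is right, the early return should stay `return 0;` for a valid URL with no port, and the sentinel should be produced where parsing fails, e.g. `if (port == url_parse::PORT_INVALID) return invalidPortNumber;` next to the existing `PORT_UNSPECIFIED` check. The end of the function is outside the hunk.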
@@ -69,23 +69,31 @@ Path& Path::operator=(const Path& other) return *this; } +static inline bool areCollinear(const QPointF& a, const QPointF& b, const QPointF& c) +{ + // Solved from comparing the slopes of a to b and b to c: (ay-by)/(ax-bx) == (cy-by)/(cx-bx) + return qFuzzyCompare((c.y() - b.y()) * (a.x() - b.x()), (a.y() - b.y()) * (c.x() - b.x())); +} + +static inline bool withinRange(qreal p, qreal a, qreal b) +{ + return (p >= a && p <= b) || (p >= b && p <= a); +} + // Check whether a point is on the border -bool isPointOnPathBorder(const QPolygonF& border, const QPointF& p) +static bool isPointOnPathBorder(const QPolygonF& border, const QPointF& p) { QPointF p1 = border.at(0); QPointF p2; for (int i = 1; i < border.size(); ++i) { p2 = border.at(i); - // (x1<=x<=x2||x1=>x>=x2) && (y1<=y<=y2||y1=>y>=y2) && (y2-y1)(x-x1) == (y-y1)(x2-x1) - // In which, (y2-y1)(x-x1) == (y-y1)(x2-x1) is from (y2-y1)/(x2-x1) == (y-y1)/(x-x1) - // it want to check the slope between p1 and p2 is same with slope between p and p1, - // if so then the three points lie on the same line. - // In which, (x1<=x<=x2||x1=>x>=x2) && (y1<=y<=y2||y1=>y>=y2) want to make sure p is - // between p1 and p2, not outside. - if (((p.x() <= p1.x() && p.x() >= p2.x()) || (p.x() >= p1.x() && p.x() <= p2.x())) - && ((p.y() <= p1.y() && p.y() >= p2.y()) || (p.y() >= p1.y() && p.y() <= p2.y())) - && (p2.y() - p1.y()) * (p.x() - p1.x()) == (p.y() - p1.y()) * (p2.x() - p1.x())) { + if (areCollinear(p, p1, p2) + // Once we know that the points are collinear we + // only need to check one of the coordinates + && (qAbs(p2.x() - p1.x()) > qAbs(p2.y() - p1.y()) ? + withinRange(p.x(), p1.x(), p2.x()) : + withinRange(p.y(), p1.y(), p2.y()))) { return true; } p1 = p2; 
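Review bot: `areCollinear` passes two products to `qFuzzyCompare`, whose relative tolerance collapses to an exact comparison when either operand is zero, which is the normal case for horizontal and vertical border segments. A point a rounding error away from such a segment is therefore still rejected, so the fuzziness this change introduces does not apply there. A comment such as `// qFuzzyCompare is exact when one side is 0 (axis-aligned segments).` would record the limitation, or the difference of the two products could be tested with `qFuzzyIsNull`. `isPointOnPathBorder` continues past the end of the hunk, and its `border.at(0)` assumes a non-empty polygon.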
@@ -199,19 +207,14 @@ void Path::addArcTo(const FloatPoint& p1, const FloatPoint& p2, float radius) float p1p2_length = sqrtf(p1p2.x() * p1p2.x() + p1p2.y() * p1p2.y()); double cos_phi = (p1p0.x() * p1p2.x() + p1p0.y() * p1p2.y()) / (p1p0_length * p1p2_length); - // all points on a line logic - if (cos_phi == -1) { + + // The points p0, p1, and p2 are on the same straight line (HTML5, 4.8.11.1.8) + // We could have used areCollinear() here, but since we're reusing + // the variables computed above later on we keep this logic. + if (qFuzzyCompare(qAbs(cos_phi), 1.0)) { m_path.lineTo(p1); return; } - if (cos_phi == 1) { - // add infinite far away point - unsigned int max_length = 65535; - double factor_max = max_length / p1p0_length; - FloatPoint ep((p0.x() + factor_max * p1p0.x()), (p0.y() + factor_max * p1p0.y())); - m_path.lineTo(ep); - return; - } float tangent = radius / tan(acos(cos_phi) / 2); float factor_p1p0 = tangent / p1p0_length; diff --git a/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h b/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h index 126b499..42cbc8a 100644 --- a/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h +++ b/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h @@ -47,6 +47,7 @@ enum ProtectionSpaceAuthenticationScheme { ProtectionSpaceAuthenticationSchemeHTMLForm = 4, ProtectionSpaceAuthenticationSchemeNTLM = 5, ProtectionSpaceAuthenticationSchemeNegotiate = 6, + ProtectionSpaceAuthenticationSchemeUnknown = 100, }; class ProtectionSpace { diff --git a/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp b/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp index 09af518..4d6b88c 100644 --- a/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp 
@@ -166,8 +166,7 @@ int FixedTableLayout::calcWidthArray(int) int usedSpan = 0; int i = 0; - while (usedSpan < span) { - ASSERT(cCol + i < nEffCols); + while (usedSpan < span && cCol + i < nEffCols) { int eSpan = m_table->spanOfEffCol(cCol + i); // Only set if no col element has already set it. if (m_width[cCol + i].isAuto() && w.type() != Auto) { diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderButton.h b/src/3rdparty/webkit/WebCore/rendering/RenderButton.h index 7fd6ab0..1fc5eb6 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderButton.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderButton.h @@ -57,12 +57,14 @@ public: virtual bool canHaveChildren() const; -protected: +private: virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle); virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); virtual bool hasLineIfEmpty() const { return true; } + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + void timerFired(Timer<RenderButton>*); RenderTextFragment* m_buttonText; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h b/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h index 467edcc..ce221ea 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h @@ -53,6 +53,8 @@ public: private: virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + RenderStyle* columnStyle(DataGridColumn*); RenderStyle* headerStyle(DataGridColumn*); void recalcStyleForColumns(); diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h index 99dd35c..a5f3367 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h 
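Review bot: The loop condition now stops at `cCol + i < nEffCols` where the old code only asserted it, but nothing records that a column span running past the last effective column is silently clamped. A short comment above the loop, e.g. `// A col span may exceed the remaining effective columns; stop rather than index past the end.`, would keep a later cleanup from restoring the ASSERT-only form, which is compiled out of release builds. The code after the loop is outside the hunk, so it is worth confirming that anything using `usedSpan` or `i` there copes with the early exit.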
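Review bot: The `requiresForcedStyleRecalcPropagation()` override added in RenderButton.h has no comment saying why this renderer needs it. The same bare override is added to RenderDataGrid.h, RenderFileUploadControl.h, RenderListItem.h, RenderMedia.h, RenderMenuList.h, RenderProgress.h, RenderSlider.h and RenderTextControl.h. The base declaration in RenderObject.h is equally undocumented, so the author of a new renderer cannot tell when returning true is required. I would document the contract once at the base declaration and leave a one-line pointer at each override. The RenderButton.h hunk also changes `protected:` to `private:`, which would break any subclass that calls `RenderButton::styleWillChange` or `RenderButton::styleDidChange`; no such subclass is visible here.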
@@ -56,6 +56,8 @@ private: virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + // FileChooserClient methods. void valueChanged(); void repaint() { RenderBlock::repaint(); } diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp index 1d76742..5b1deff 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp @@ -274,7 +274,7 @@ void RenderInline::splitInlines(RenderBlock* fromBlock, RenderBlock* toBlock, // has to move into the inline continuation. Call updateBeforeAfterContent to ensure that the inline's :after // content gets properly destroyed. if (document()->usesBeforeAfterRules()) - inlineCurr->children()->updateBeforeAfterContent(this, AFTER); + inlineCurr->children()->updateBeforeAfterContent(inlineCurr, AFTER); // Now we need to take all of the children starting from the first child // *after* currChild and append them all to the clone. diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp index a012868..2aec361 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp 
@@ -3178,22 +3178,33 @@ void RenderLayer::updateHoverActiveState(const HitTestRequest& request, HitTestR // Locate the common ancestor render object for the two renderers. RenderObject* ancestor = commonAncestor(oldHoverObj, newHoverObj); + Vector<RefPtr<Node>, 32> nodesToRemoveFromChain; + Vector<RefPtr<Node>, 32> nodesToAddToChain; + if (oldHoverObj != newHoverObj) { // The old hover path only needs to be cleared up to (and not including) the common ancestor; for (RenderObject* curr = oldHoverObj; curr && curr != ancestor; curr = curr->hoverAncestor()) { - if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) { - curr->node()->setActive(false); - curr->node()->setHovered(false); - } + if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) + nodesToRemoveFromChain.append(curr->node()); } } // Now set the hover state for our new object up to the root. for (RenderObject* curr = newHoverObj; curr; curr = curr->hoverAncestor()) { - if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) { - curr->node()->setActive(request.active()); - curr->node()->setHovered(true); - } + if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) + nodesToAddToChain.append(curr->node()); + } + + size_t removeCount = nodesToRemoveFromChain.size(); + for (size_t i = 0; i < removeCount; ++i) { + nodesToRemoveFromChain[i]->setActive(false); + nodesToRemoveFromChain[i]->setHovered(false); + } + + size_t addCount = nodesToAddToChain.size(); + for (size_t i = 0; i < addCount; ++i) { + nodesToAddToChain[i]->setActive(request.active()); + nodesToAddToChain[i]->setHovered(true); } } diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h b/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h index c4c41dc..d140979 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h 
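Review bot: The hover update is now split into a collection pass and an apply pass over `Vector<RefPtr<Node>, 32>`, but no comment says why, and the reason is not obvious from the code. Presumably `setActive()`/`setHovered()` can change the render tree while it is being walked. If so, a comment such as `// Collect first: changing hover/active state may destroy renderers, so the tree is not walked while state changes.` above the vectors would stop the loops being merged again. The RefPtrs keep the nodes alive, but a node may no longer be attached by the time its turn comes in the apply loops, so it is worth confirming that this is harmless. The function starts outside the hunk.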
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h @@ -63,6 +63,8 @@ private: virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + void updateMarkerLocation(); inline int calcValue() const; void updateValueNow() const; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp index d0353ee..6c8f769 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp @@ -101,8 +101,10 @@ static inline String toAlphabeticOrNumeric(int number, const UChar* sequence, in int length = 1; if (type == AlphabeticSequence) { - while ((numberShadow /= sequenceSize) > 0) - letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1]; + while ((numberShadow /= sequenceSize) > 0) { + --numberShadow; + letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize]; + } } else { while ((numberShadow /= sequenceSize) > 0) letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize]; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h b/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h index 0d24c4c..32d6d65 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h @@ -118,6 +118,8 @@ private: virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + RefPtr<HTMLElement> m_controlsShadowRoot; RefPtr<MediaControlElement> m_panel; RefPtr<MediaControlMuteButtonElement> m_muteButton; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h b/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h index aeb6205..5ee8588 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h 
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h @@ -78,6 +78,8 @@ private: virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + // PopupMenuClient methods virtual String itemText(unsigned listIndex) const; virtual String itemToolTip(unsigned listIndex) const; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderObject.h b/src/3rdparty/webkit/WebCore/rendering/RenderObject.h index d928521..593fa52 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderObject.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderObject.h @@ -322,6 +322,8 @@ public: bool cellWidthChanged() const { return m_cellWidthChanged; } void setCellWidthChanged(bool b = true) { m_cellWidthChanged = b; } + virtual bool requiresForcedStyleRecalcPropagation() const { return false; } + #if ENABLE(MATHML) virtual bool isRenderMathMLBlock() const { return false; } #endif // ENABLE(MATHML) @@ -412,7 +414,6 @@ public: void drawArcForBoxSide(GraphicsContext*, int x, int y, float thickness, IntSize radius, int angleStart, int angleSpan, BoxSide, Color, const Color& textcolor, EBorderStyle, bool firstCorner); -public: // The pseudo element style can be cached or uncached. Use the cached method if the pseudo element doesn't respect // any pseudo classes (and therefore has no concept of changing state). RenderStyle* getCachedPseudoStyle(PseudoId, RenderStyle* parentStyle = 0) const; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h b/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h index 0a90fde..7aa1efe 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h @@ -40,6 +40,8 @@ private: virtual void calcPrefWidths(); virtual void layout(); virtual void updateFromElement(); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + int m_position; }; 
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h b/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h index 92ad73b..fc8ce24 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h @@ -58,6 +58,8 @@ namespace WebCore { virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle); + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + PassRefPtr<RenderStyle> createThumbStyle(const RenderStyle* parentStyle); int trackSize(); diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp index 307db64..c08adc2 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp @@ -203,7 +203,7 @@ void RenderText::deleteTextBoxes() PassRefPtr<StringImpl> RenderText::originalText() const { Node* e = node(); - return e ? static_cast<Text*>(e)->dataImpl() : 0; + return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0; } void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty) diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h b/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h index 2fc8edc..984f41d 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h @@ -107,6 +107,8 @@ private: virtual bool canBeProgramaticallyScrolled(bool) const { return true; } + virtual bool requiresForcedStyleRecalcPropagation() const { return true; } + String finishText(Vector<UChar>&) const; bool m_wasChangedSinceLastChangeEvent; diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp index f3398a3..1e15d66 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp 
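Review bot: The `isTextNode()` guard before `static_cast<Text*>(e)` in RenderText.cpp is written out by hand, and twice more in RenderTextFragment.cpp (`originalText()` and `previousCharacter()`), so the next call site that casts `node()` can miss it. A small checked helper shared by the three sites would make the unchecked cast harder to reintroduce. For a non-text node this function now returns 0, so callers of `originalText()` need to handle a null result; none are visible in the hunk.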
@@ -47,7 +47,7 @@ RenderTextFragment::RenderTextFragment(Node* node, StringImpl* str) PassRefPtr<StringImpl> RenderTextFragment::originalText() const { Node* e = node(); - RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString()); + RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString()); if (result && (start() > 0 || start() < result->length())) result = result->substring(start(), end()); return result.release(); @@ -80,7 +80,7 @@ UChar RenderTextFragment::previousCharacter() { if (start()) { Node* e = node(); - StringImpl* original = (e ? static_cast<Text*>(e)->dataImpl() : contentString()); + StringImpl* original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString()); if (original) return (*original)[start() - 1]; } |
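Review bot: In `previousCharacter()` the string is indexed with `start() - 1`, and the visible lines never compare that index to the string's length. With this change a renderer whose node is not a text node reads from `contentString()` instead, so the string being indexed can now come from a different source than before. A guard such as `if (original && start() <= original->length())` would make the read safe whichever source was chosen. Whether `start()` can actually exceed the length is not shown here.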