Closed Bug 1549319 Opened 5 years ago Closed 5 years ago

Make template methods which are marked as MOZ_CAN_RUN_SCRIPT take only EditorDOMPoint

Categories

(Core :: DOM: Editor, task)

Product:
Core
Component:
DOM: Editor
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox68 --- fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

Details

Attachments

(1 file)

Bug 1549319 - Make template methods marked as MOZ_CAN_RUN_SCRIPT take only EditorDOMPoint (i.e., not allow EditorRawDOMPoint)
47 bytes, text/x-phabricator-request
Details | Review

If the caller sets EditorRawDOMPoint and it refers the container or child content, it may cause security issues. Therefore, even if some template methods do not refer given DOM point after running script, they should take EditorDOMPoint.

It'd be better to change copy constructor of EditorDOMPointBase to explicit,
but it'd require too many changes in editor code. So, this patch just changes
each method callers only.

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/80c8ca102b81
Make template methods marked as MOZ_CAN_RUN_SCRIPT take only EditorDOMPoint (i.e., not allow EditorRawDOMPoint) r=m_kato

https://hg.mozilla.org/mozilla-central/rev/80c8ca102b81

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: