Bad cast introduced in bug 1690984
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | fixed |
People
(Reporter: emilio, Assigned: freddy)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
https://searchfox.org/mozilla-central/rev/7067bbd8194f4346ec59d77c33cd88f06763e090/dom/base/nsTreeSanitizer.cpp#1352 only checks for the node name, not the namespace, so if I have an <svg:template> element or something the sanitizer will get confused.
I think this might only be an issue for the "only conditional CSS" flag which TB uses, as I assume otherwise MustPrune gets rid of these?
Probably the right fix is to remove the !mOnlyConditionalCSS from before MustPrune and move it into the if, ensuring we continue.
For safety probably that cast should use HTMLTemplateElement::FromNode, or at least assert.
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
|
||
TBH, I'm not 100% sure I understand the logic change with mOnlyConditionalCSS. My proposed patch tests for the right namespace and uses HTMLTemplateElement::FromNode instead now..
|
||
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1690984
|
|
||
Updated•3 years ago
|
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/396c4eb0222a fix bad cast r=emilio
|
||
Comment 6•3 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
Description
•