Bad cast introduced in bug 1690984
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox85 | --- | unaffected |
firefox86 | --- | unaffected |
firefox87 | --- | fixed |
People
(Reporter: emilio, Assigned: freddy)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
https://searchfox.org/mozilla-central/rev/7067bbd8194f4346ec59d77c33cd88f06763e090/dom/base/nsTreeSanitizer.cpp#1352 only checks for the node name, not the namespace, so if I have an <svg:template>
element or something the sanitizer will get confused.
I think this might only be an issue for the "only conditional CSS" flag which TB uses, as I assume otherwise MustPrune
gets rid of these?
Probably the right fix is to remove the !mOnlyConditionalCSS
from before MustPrune
and move it into the if
, ensuring we continue
.
For safety probably that cast should use HTMLTemplateElement::FromNode
, or at least assert.
Assignee | ||
Comment 2•3 years ago
|
||
Assignee | ||
Comment 3•3 years ago
|
||
TBH, I'm not 100% sure I understand the logic change with mOnlyConditionalCSS. My proposed patch tests for the right namespace and uses HTMLTemplateElement::FromNode instead now..
Updated•3 years ago
|
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1690984
Updated•3 years ago
|
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/396c4eb0222a fix bad cast r=emilio
Comment 6•3 years ago
|
||
bugherder |
Updated•3 years ago
|
Description
•