This fuzzer creates random DOM Range objects, selects them, and calls random execCommand functions. It also tests most DOM Range functions.
Created attachment 224054
DOM Range and designMode fuzzer 1.0 (requires fuzz.js)

* Converted it to use fuzz.js (see bug 339948).
* Now works as a bookmarklet, by stuffing the page into an iframe.
Joe, it would be great if you or someone else working on Editor could fix the crash bugs found with this fuzzer, bug 335995 and bug 336081, as well as a bug that seems to stop the fuzzer (or even the user) from making further changes to the document, bug 336091. Once those three bugs are fixed, another round or two of fuzzing should tell us whether there are any easy-to-find security holes involving the execCommand API.
Created attachment 226750
DOM Range and designMode fuzzer 2.0

Created attachment 242972
DOM Range and designMode fuzzer 3.0

Comment on attachment 242972
DOM Range and designMode fuzzer 3.0

New version in bug 339948.
I ended up splitting this into two DOMFuzz modules, but I'll keep tracking both their bugs here.

https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/editor.js
https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/range-and-selection.js
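
The approach described at the top of this bug (random Range objects, selected, then random execCommand calls), sketched as an added example; it is not the attached fuzzer, fuzz.js, or the funfuzz modules. The seeded plan, the command list, and the names `makeRng`, `makePlan` and `replay` are assumptions made here so that a run that crashes can be reproduced from its seed.

```javascript
const COMMANDS = ["bold", "italic", "indent", "outdent", "delete",
                  "insertParagraph", "insertOrderedList", "justifyCenter"];

// mulberry32-style PRNG: the seed alone determines the whole run.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Build the plan up front as plain data (no DOM access), so it can be saved with a crash.
function makePlan(seed, steps) {
  const rng = makeRng(seed);
  const pick = (n) => Math.floor(rng() * n);
  const point = () => [pick(65536), pick(65536)]; // [node selector, offset selector]
  const plan = [];
  for (let i = 0; i < steps; i++) {
    plan.push({ start: point(), end: point(), command: COMMANDS[pick(COMMANDS.length)] });
  }
  return plan;
}

// Replay a plan against a document and return a log of each step's outcome.
function replay(plan, doc, win) {
  doc.designMode = "on";
  const log = [];
  for (const step of plan) {
    try {
      const nodes = doc.querySelectorAll("*"); // re-query: earlier steps mutate the DOM
      const at = ([n, o]) => {
        const node = nodes[n % nodes.length];
        return [node, o % (node.childNodes.length + 1)]; // keep offsets in bounds
      };
      const range = doc.createRange();
      range.setStart(...at(step.start));
      range.setEnd(...at(step.end));
      const sel = win.getSelection();
      sel.removeAllRanges();
      sel.addRange(range);
      log.push([step.command, doc.execCommand(step.command, false, null)]);
    } catch (e) {
      log.push([step.command, "threw " + e.name]); // DOM exceptions are expected noise
    }
  }
  return log;
}
```

In a browser, `replay(makePlan(seed, n), iframe.contentDocument, iframe.contentWindow)` drives a page loaded in an iframe; shrinking the saved plan step by step is one way to reduce a crashing run to a minimal testcase.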