Closed Bug 384870 Opened 12 years ago Closed 12 years ago
IContent* used in ns XBLAttribute Entry
nsXBLAttributeEntry has a raw pointer to nsIContent. That might cause crashes if nsIContent gets deleted. I don't have a testcase yet.
Assignee: nobody → jonas
Whiteboard: [sg:investigate] no known vuln but asking for trouble
Martijn made some testcases to try to crash and because there weren't any crashes, I looked at the code and realized that nsXBLAttributeEntry has pointers only to the xbl document's nsIContent objects, and that document is loaded as data and not accessible from the main (bound element's ownerDoc) document, so scripts can't modify it. (This applies also to inline xbl.) So as far as I see, this bug is invalid.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Or wontfix. whatever :)
You need to log in before you can comment on or make changes to this bug.