Mercurial > mozreview > gecko / changeset / 19aa708f66fec84280e80ea88986e8c477e47a94
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1404180 - Don't allow associating form elements by ID to <form>s across anonymous subtree boundaries. r?smaug draft
authorCameron McCormack <cam@mcc.id.au>
Mon, 02 Oct 2017 13:10:18 +0800
changeset 673237 19aa708f66fec84280e80ea88986e8c477e47a94
parent 673165 44643fce30b43a8981535c335aaccb45006e456b
child 734040 3da93309013c9e4e9638617d4080777a0bd1b8d0
push id82505
push userbmo:cam@mcc.id.au
push dateMon, 02 Oct 2017 05:14:29 +0000
reviewerssmaug
bugs1404180
milestone58.0a1
Bug 1404180 - Don't allow associating form elements by ID to <form>s across anonymous subtree boundaries. r?smaug MozReview-Commit-ID: KRJjrkL4FgZ
dom/html/nsGenericHTMLElement.cpp file | annotate | diff | comparison | revisions
layout/style/crashtests/1404180-1.html file | annotate | diff | comparison | revisions
layout/style/crashtests/crashtests.list file | annotate | diff | comparison | revisions 
--- a/dom/html/nsGenericHTMLElement.cpp
+++ b/dom/html/nsGenericHTMLElement.cpp
@@ -2314,17 +2314,19 @@ nsGenericHTMLFormElement::UpdateFormOwne
 
         NS_ASSERTION(GetUncomposedDoc(), "The element should be in a document "
                                          "when UpdateFormOwner is called!");
         NS_ASSERTION(!GetUncomposedDoc() ||
                      element == GetUncomposedDoc()->GetElementById(formId),
                      "element should be equals to the current element "
                      "associated with the id in @form!");
 
-        if (element && element->IsHTMLElement(nsGkAtoms::form)) {
+        if (element &&
+            element->IsHTMLElement(nsGkAtoms::form) &&
+            nsContentUtils::IsInSameAnonymousTree(this, element)) {
           SetForm(static_cast<HTMLFormElement*>(element), aBindToTree);
         }
       }
      } else {
       // We now have a parent, so we may have picked up an ancestor form.  Search
       // for it.  Note that if mForm is already set we don't want to do this,
       // because that means someone (probably the content sink) has already set
       // it to the right value.  Also note that even if being bound here didn't
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1404180-1.html
@@ -0,0 +1,22 @@
+<script>
+function jsfuzzer() {
+  try { htmlvar00016.appendChild(htmlvar00017); } catch(e) { }
+  try { htmlvar00016.form.setAttribute("novalidate", "novalidate"); } catch(e) { }
+  try { htmlvar00017.appendChild(htmlvar00036); } catch(e) { }
+  try { svgvar00007.appendChild(htmlvar00008); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<form id="htmlvar00007">
+<legend id="htmlvar00008">
+<output id="htmlvar00016"></output>
+</legend>
+<link id="htmlvar00017"></link>
+<svg>
+<path id="svgvar00006">
+<animateTransform id="svgvar00007"/>
+</path>
+<use xlink:href="#svgvar00006">
+<table id="htmlvar00036">
+<th>
+<output form="htmlvar00007">
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -234,8 +234,9 @@ load 1402366.html
 load 1402419.html
 load 1402472.html
 load 1403028.html
 load 1403433.html
 load 1403465.html
 load 1403592.html
 load 1403615.html
 load 1403712.html
+load 1404180-1.html
gecko
Deployed from 4e825768105f at 2024-04-08T16:23:59Z.