		
	Bug 1830757 - Prevent node removal during iteration in conditional css sanitization. r=smaug
				
					
				
			When the whole block is sanitized away, we remove the text node altogether, which triggers the assert. While that is not worrisome in this case, the right thing to do is to avoid mutating the DOM during iteration. Differential Revision: https://phabricator.services.mozilla.com/D176917
		
							parent
							
								
									e22d1a4b5b
								
							
						
					
					
						commit
						6d68b86f7c
					
				
					 2 changed files with 10 additions and 3 deletions
				
			
		|  | @ -1823,11 +1823,14 @@ bool nsTreeSanitizer::SanitizeInlineStyle( | |||
| } | ||||
| 
 | ||||
| void nsTreeSanitizer::RemoveConditionalCSSFromSubtree(nsINode* aRoot) { | ||||
|   AutoTArray<RefPtr<nsINode>, 10> nodesToSanitize; | ||||
|   for (nsINode* node : ShadowIncludingTreeIterator(*aRoot)) { | ||||
|     if (!node->IsHTMLElement(nsGkAtoms::style) && | ||||
|         !node->IsSVGElement(nsGkAtoms::style)) { | ||||
|       continue; | ||||
|     if (node->IsHTMLElement(nsGkAtoms::style) || | ||||
|         node->IsSVGElement(nsGkAtoms::style)) { | ||||
|       nodesToSanitize.AppendElement(node); | ||||
|     } | ||||
|   } | ||||
|   for (nsINode* node : nodesToSanitize) { | ||||
|     SanitizeInlineStyle(node->AsElement(), | ||||
|                         StyleSanitizationKind::NoConditionalRules); | ||||
|   } | ||||
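Review bot: The two-pass shape in RemoveConditionalCSSFromSubtree has no comment saying why the style elements are collected before SanitizeInlineStyle runs, so a later cleanup could fold the loops back together and reintroduce mutation under ShadowIncludingTreeIterator. In a sanitizer that matters beyond the assert, since a traversal disturbed by a removal could presumably pass over a later style element and leave it unsanitized. I would add above the first loop `// Collect first: SanitizeInlineStyle may remove the style's text node, and the tree must not change while it is being iterated.` Since only style elements are appended, the array could also hold `RefPtr<Element>` (appending `node->AsElement()`), which drops the cast in the second loop. The function's closing brace is outside the hunk.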
|  |  | |||
|  | @ -71,6 +71,10 @@ const kConditionalCSSTestCases = [ | |||
|     data: `#foo { display: none } @media (min-width: 300px) { #bar { display: none } }`, | ||||
|     sanitized: `#foo { display: none }`, | ||||
|   }, | ||||
|   { | ||||
|     data: `@media (min-width: 300px) { #bar { display: none } }`, | ||||
|     sanitized: ``, | ||||
|   }, | ||||
| ]; | ||||
| 
 | ||||
| function run_test() { | ||||
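Review bot: The new `@media`-only entry in kConditionalCSSTestCases carries no comment saying what it pins, and its empty expected value reads like a placeholder. A short comment such as `// Bug 1830757: the whole sheet is conditional, so the style's text node is removed.` would keep it from being pruned as redundant. As far as this hunk shows, each case is a single stylesheet string, so nothing here checks that a style element following an emptied one is still sanitized; if the harness can place several style elements in one document, that is the case worth adding. run_test's body is outside the hunk, so how the cases are consumed is not visible here.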
|  |  | |||
	
	 Emilio Cobos Álvarez
						Emilio Cobos Álvarez