Bug 1830757 - Prevent node removal during iteration in conditional css sanitization. r=smaug

When the whole block is sanitized away, we remove the text node altogether, triggering the assert. While it's not worrisome in this case, the right thing to do is not mutating the DOM during iteration. Differential Revision: https://phabricator.services.mozilla.com/D176917
2023-05-02 14:52:23 +00:00 · 2023-05-02 14:52:23 +00:00 · 6d68b86f7c
commit 6d68b86f7c
parent e22d1a4b5b
2 changed files with 10 additions and 3 deletions
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@ -1823,11 +1823,14 @@ bool nsTreeSanitizer::SanitizeInlineStyle(
 }

 void nsTreeSanitizer::RemoveConditionalCSSFromSubtree(nsINode* aRoot) {
+  AutoTArray<RefPtr<nsINode>, 10> nodesToSanitize;
  for (nsINode* node : ShadowIncludingTreeIterator(*aRoot)) {
-    if (!node->IsHTMLElement(nsGkAtoms::style) &&
-        !node->IsSVGElement(nsGkAtoms::style)) {
-      continue;
+    if (node->IsHTMLElement(nsGkAtoms::style) ||
+        node->IsSVGElement(nsGkAtoms::style)) {
+      nodesToSanitize.AppendElement(node);
    }
+  }
+  for (nsINode* node : nodesToSanitize) {
    SanitizeInlineStyle(node->AsElement(),
                        StyleSanitizationKind::NoConditionalRules);
  }
--- a/parser/xml/test/unit/test_sanitizer_style.js
+++ b/parser/xml/test/unit/test_sanitizer_style.js
@ -71,6 +71,10 @@ const kConditionalCSSTestCases = [
    data: `#foo { display: none } @media (min-width: 300px) { #bar { display: none } }`,
    sanitized: `#foo { display: none }`,
  },
+  {
+    data: `@media (min-width: 300px) { #bar { display: none } }`,
+    sanitized: ``,
+  },
 ];

 function run_test() {