Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9dac73538145b8c77fa67608000f777e6e0ade99
https://github.com/WebKit/WebKit/commit/9dac73538145b8c77fa67608000f777e6e0ade99
Author: Chris Dumez <[email protected]>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/dom/ranges/Range-extractContents-dynamic-end-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/dom/ranges/Range-extractContents-dynamic-end.html
M Source/WebCore/dom/Range.cpp
Log Message:
-----------
Range.extractContents should not extract out-of-bounds nodes if end container is removed during extraction
https://bugs.webkit.org/show_bug.cgi?id=311700
Reviewed by Anne van Kesteren.
When Range::extractContents() processes nodes, removing an iframe can fire a synchronous unload event. If that event handler removes the Range's end container from the DOM, the extraction loop loses its end boundary (processEnd becomes null) and continues extracting all remaining siblings of the common root, including nodes that were outside the original range.
Fix this by skipping the middle node processing when processEnd is null and the original end container is no longer a descendant of the common root.
Test: imported/w3c/web-platform-tests/dom/ranges/Range-extractContents-dynamic-end.html
This test was contributed upstream by Blink. It fails in shipping Safari but passes with this fix. This is thus aligning our behavior with Blink.
* LayoutTests/imported/w3c/web-platform-tests/dom/ranges/Range-extractContents-dynamic-end-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/dom/ranges/Range-extractContents-dynamic-end.html: Added.
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::processContents):
Canonical link: https://commits.webkit.org/310770@main
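
The failure mode described in the log message, reduced to a stand-alone C++ model. This is an added example, not code from Range.cpp or the WebKit project: the `Node` struct, the helper names and the four-sibling tree are constructed for illustration, and detaching the end subtree stands in for the unload handler.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Toy DOM node (constructed for this example, not a WebCore type).
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;
};

void append(Node& parent, Node& child) {
    child.parent = &parent;
    parent.children.push_back(&child);
}

void detach(Node& n) {
    auto& siblings = n.parent->children;
    siblings.erase(std::find(siblings.begin(), siblings.end(), &n));
    n.parent = nullptr;
}

// Child of `root` whose subtree holds `n`, or nullptr once `n` is no longer under `root`.
Node* childOfRootContaining(Node* n, const Node* root) {
    while (n && n->parent != root)
        n = n->parent;
    return n;
}

bool isDescendantOf(Node* n, const Node* root) { return childOfRootContaining(n, root) != nullptr; }

// Names of the fully selected siblings between the start and end subtrees.
// `endDetached` models script removing the end container's subtree mid-extraction;
// `guarded` applies the check the log message describes.
std::vector<std::string> middleNodes(bool endDetached, bool guarded) {
    Node root{"root"}, s{"start"}, mid{"mid"}, e{"end"}, after{"after"}, text{"endText"};
    for (Node* c : {&s, &mid, &e, &after}) append(root, *c);
    append(e, text);             // the range ends inside `text`; `after` lies outside it
    if (endDetached) detach(e);  // stand-in for the synchronous unload handler
    Node* processEnd = childOfRootContaining(&text, &root);
    std::vector<std::string> out;
    if (guarded && !processEnd && !isDescendantOf(&text, &root))
        return out;              // end boundary lost: skip the middle siblings
    auto it = std::find(root.children.begin(), root.children.end(), &mid);
    for (; it != root.children.end() && *it != processEnd; ++it)
        out.push_back((*it)->name);  // a null processEnd never matches, so the walk runs to the last sibling
    return out;
}
```

Without the guard, the detached case returns both `mid` and `after`, and `after` was never inside the range.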