Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 02b302f0d254c42a63c5cc9131017bc069b6899f
https://github.com/WebKit/WebKit/commit/02b302f0d254c42a63c5cc9131017bc069b6899f
Author: Nathan Solomon <[email protected]>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 313912@main (4c43686c301a).
https://bugs.webkit.org/show_bug.cgi?id=315251
Fix ContainerNode::replaceAll not removing existing children when inserting an Element
https://bugs.webkit.org/show_bug.cgi?id=315251
rdar://177576067
Reviewed by Ryosuke Niwa.
In ContainerNode::replaceAll, 288944@main inlined the
removeAllChildrenWithScriptAssertion() call into the right-hand side of a ||
expression. When the newly inserted node is an Element, the short-circuit
evaluation of auto replacedAllChildren = is<Element>(*node) ||
removeAllChildrenWithScriptAssertionMaybeAsync skips the call and the existing
children are never removed.
Split the removal back into its own statement so it executes unconditionally
regardless of the inserted node type. The bug is currently unreachable because
all callers pass a Text node or nullptr, but this would break correctness if
replaceAll is ever called with an Element. There is even an existing FIXME in
HTMLElement::setInnerText() that states that the method should use replaceAll()
on elements, so the risk of causing correctness issues in the future without
this being fixed is real.
No new tests. This obviously should not regress correctness. In its current
state this should technically not "fix" anything, but it can in the future.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::replaceAll):
Canonical link: https://commits.webkit.org/313912@main
Canonical link: https://commits.webkit.org/305877.692@webkitglib/2.52
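
The short-circuit behaviour described in the log message above, as an added example that is not part of the commit or of WebKit's code. It is a toy container (every type and function name below is hypothetical) showing that the old children survive only when the inserted node is an Element, and that moving the removal into its own statement makes it unconditional.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Toy model, not WebKit code: all names here are hypothetical.
enum class Kind { Text, Element };
struct Node { Kind kind; std::string label; };

struct Container {
    std::vector<Node> children;

    // Side-effecting helper: empties the child list and reports whether
    // anything was actually removed.
    bool removeAllChildren() {
        bool hadChildren = !children.empty();
        children.clear();
        return hadChildren;
    }
    // Buggy shape: the removal is the right operand of ||, so it never runs
    // when the left operand is already true (the new node is an Element).
    bool replaceAllBuggy(const Node& node) {
        bool replacedAllChildren = node.kind == Kind::Element || removeAllChildren();
        children.push_back(node);
        return replacedAllChildren;
    }
    // Fixed shape: the removal is its own statement and always executes.
    bool replaceAllFixed(const Node& node) {
        bool removed = removeAllChildren();
        bool replacedAllChildren = node.kind == Kind::Element || removed;
        children.push_back(node);
        return replacedAllChildren;
    }
};

// Child count after replacing two constructed children with one new node.
std::size_t childCountAfter(bool useFixed, Kind kind) {
    Container c;
    c.children = { {Kind::Text, "old1"}, {Kind::Element, "old2"} };
    Node n{kind, "new"};
    if (useFixed) c.replaceAllFixed(n); else c.replaceAllBuggy(n);
    return c.children.size();
}

int main() {
    std::printf("buggy/Text=%zu buggy/Element=%zu fixed/Element=%zu\n",
                childCountAfter(false, Kind::Text),
                childCountAfter(false, Kind::Element),
                childCountAfter(true, Kind::Element));
}
```

The Text case behaves identically in both versions, which is why the defect stays latent while every caller passes a Text node.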