Title: [193724] branches/safari-601.4-branch
- Revision
- 193724
- Author
- bshaf...@apple.com
- Date
- 2015-12-08 00:36:55 -0800 (Tue, 08 Dec 2015)
Log Message
Merged r192316. rdar://problem/23787100
Modified Paths
Added Paths
Diff
Modified: branches/safari-601.4-branch/LayoutTests/ChangeLog (193723 => 193724)
--- branches/safari-601.4-branch/LayoutTests/ChangeLog 2015-12-08 08:36:02 UTC (rev 193723)
+++ branches/safari-601.4-branch/LayoutTests/ChangeLog 2015-12-08 08:36:55 UTC (rev 193724)
@@ -1,5 +1,20 @@
2015-12-08 Babak Shafiei <bshaf...@apple.com>
+ Merge r192316.
+
+ 2015-11-10 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+ https://bugs.webkit.org/show_bug.cgi?id=150201
+ <rdar://problem/23136478>
+
+ Reviewed by Brent Fulgham.
+
+ * fast/parser/strip-script-attrs-on-input-expected.txt: Added.
+ * fast/parser/strip-script-attrs-on-input.html: Added.
+
+2015-12-08 Babak Shafiei <bshaf...@apple.com>
+
Merge r192281.
2015-11-10 Brent Fulgham <bfulg...@apple.com>
Copied: branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt (from rev 193704, branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt) (0 => 193724)
--- branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt (rev 0)
+++ branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt 2015-12-08 08:36:55 UTC (rev 193724)
@@ -0,0 +1 @@
+Text for WebKit bug #150201. Test passes if it does not crash in an ASan build.
Copied: branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html (from rev 193704, branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html) (0 => 193724)
--- branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html (rev 0)
+++ branches/safari-601.4-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html 2015-12-08 08:36:55 UTC (rev 193724)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<body>
+ <div contenteditable="true" id="target">
+ <input _onblur_="_javascript_:false;" _onclick_="_javascript_:false;" type="text"/>
+ </div>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ requestAnimationFrame(function() {
+ var target = document.getElementById("target");
+ var selection = window.getSelection();
+ var range = document.createRange();
+ range.selectNodeContents(target);
+ selection.addRange(range);
+
+ document.execCommand("Cut");
+ document.execCommand("Paste");
+
+ target.innerHTML = '';
+ testRunner.notifyDone();
+ });
+ </script>
+ <p>
+ Text for WebKit bug #<a href=""
+ Test passes if it does not crash in an ASan build.
+ </p>
+</body>
Modified: branches/safari-601.4-branch/Source/WebCore/ChangeLog (193723 => 193724)
--- branches/safari-601.4-branch/Source/WebCore/ChangeLog 2015-12-08 08:36:02 UTC (rev 193723)
+++ branches/safari-601.4-branch/Source/WebCore/ChangeLog 2015-12-08 08:36:55 UTC (rev 193724)
@@ -1,5 +1,25 @@
2015-12-08 Babak Shafiei <bshaf...@apple.com>
+ Merge r192316.
+
+ 2015-11-10 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+ https://bugs.webkit.org/show_bug.cgi?id=150201
+ <rdar://problem/23136478>
+
+ Reviewed by Brent Fulgham.
+
+ Test: fast/parser/strip-script-attrs-on-input.html
+
+ * html/parser/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::processStartTagForInBody):
+ Get the attribute after calling
+ HTMLConstructionSite::insertSelfClosingHTMLElement(), as this may
+ mutate the token's attributes.
+
+2015-12-08 Babak Shafiei <bshaf...@apple.com>
+
Merge r192281.
2015-11-10 Brent Fulgham <bfulg...@apple.com>
Modified: branches/safari-601.4-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (193723 => 193724)
--- branches/safari-601.4-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2015-12-08 08:36:02 UTC (rev 193723)
+++ branches/safari-601.4-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2015-12-08 08:36:55 UTC (rev 193724)
@@ -774,9 +774,9 @@
return;
}
if (token.name() == inputTag) {
- Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
m_tree.reconstructTheActiveFormattingElements();
m_tree.insertSelfClosingHTMLElement(&token);
+ Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
if (!typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden"))
m_framesetOk = false;
return;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes