The Vulnerability History Project

Warning: Our website does not support Internet Explorer, please use Edge instead.

This patch changes inserted HTML sanitize process to check whether tree is in tree or not, for avoiding null pointer reference.

      This case is caused by  ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder() when paragraph element contains prohibited paragraph child, e.g. address, article, ..., table, ..., specified in HTML Editing APIs specification.

BUG=257557
R=tkent@chromium.org

Review URL: https://codereview.chromium.org/18960004

git-svn-id: svn://svn.chromium.org/blink/trunk@153983 bbb929c8-8fbe-4397-9dbb-9b2b20218538

by Milton the Roseate Spoonbill 2013-07-11 07:00:55 UTC

commit a7b6221b53b10c803440be1d62faa5dcff9bd6f2

Chromium

third_party/WebKit/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt

-5

third_party/WebKit/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html

-16

third_party/WebKit/Source/core/editing/ReplaceSelectionCommand.cpp

+2 -2

third_party/WebKit/Source/core/editing/SimplifyMarkupCommand.cpp

-2