# HG changeset patch
# User Henri Sivonen
# Date 1603457336 0
#      Fri Oct 23 12:48:56 2020 +0000
# Node ID 9143f95d5ab3896f5461fa1666500f6fc1f9e73b
# Parent  b067b0d3670b37daad95505b87bddca6bb113d11
Bug 1667113. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D93482
diff -r b067b0d3670b -r 9143f95d5ab3 browser/base/content/test/static/browser_parsable_css.js
--- a/browser/base/content/test/static/browser_parsable_css.js	Fri Oct 23 12:48:52 2020 +0000
+++ b/browser/base/content/test/static/browser_parsable_css.js	Fri Oct 23 12:48:56 2020 +0000
@@ -496,9 +496,9 @@
   checkWhitelist(propNameWhitelist);
 
   // Clean up to avoid leaks:
-  iframe.remove();
   doc.head.innerHTML = "";
   doc = null;
+  iframe.remove();
   iframe = null;
   win = null;
   hiddenFrame.destroy();
diff -r b067b0d3670b -r 9143f95d5ab3 dom/base/nsContentUtils.cpp
--- a/dom/base/nsContentUtils.cpp	Fri Oct 23 12:48:52 2020 +0000
+++ b/dom/base/nsContentUtils.cpp	Fri Oct 23 12:48:56 2020 +0000
@@ -4817,6 +4817,7 @@
   nsIContent* target = aTargetNode;
+  RefPtr inert;
   RefPtr fragment;
   // We sanitize if the fragment occurs in a system privileged
   // context, an about: page, or if there are explicit sanitization flags.
@@ -4828,8 +4828,12 @@
                         nodePrincipal->SchemeIs("about") || aFlags >= 0;
   if (shouldSanitize) {
     if (!AllowsUnsanitizedContentForAboutNewTab(nodePrincipal)) {
-      fragment = new (aTargetNode->OwnerDoc()->NodeInfoManager())
-          DocumentFragment(aTargetNode->OwnerDoc()->NodeInfoManager());
+      inert = nsContentUtils::CreateInertHTMLDocument(aTargetNode->OwnerDoc());
+      if (!inert) {
+        return NS_ERROR_FAILURE;
+      }
+      fragment = new (inert->NodeInfoManager())
+          DocumentFragment(inert->NodeInfoManager());
       target = fragment;
     }
   }
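Review bot: The sanitizing branch in the `@@ -4828,8 +4828,12 @@` hunk now allocates the fragment in a freshly created inert document, but nothing in the hunk says why, and that reason is the security point of the change: nodes produced by the fragment parser are no longer owned by the privileged target document (its NodeInfoManager) before the sanitizer, which presumably runs later in the function, has seen them. A one-line comment above the `CreateInertHTMLDocument` call would stop a future cleanup from folding it back to `aTargetNode->OwnerDoc()`: `// Parse into an inert document so unsanitized nodes never belong to the privileged target document.` Since the fragment's nodes now live in the inert document, the rest of the function (outside the hunk) has to adopt them into aTargetNode's document before insertion; worth confirming that path copes with a fragment from a foreign document. The `return NS_ERROR_FAILURE` when the inert document cannot be created fails closed, which is the right default for a sanitizing path. The enclosing function starts and ends outside the hunk.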
@@ -4908,22 +4908,7 @@
   MOZ_ASSERT(contentsink, "Sink doesn't QI to nsIContentSink!");
   sXMLFragmentParser->SetContentSink(contentsink);
 
-  sXMLFragmentSink->SetTargetDocument(aDocument);
-  sXMLFragmentSink->SetPreventScriptExecution(aPreventScriptExecution);
-
-  nsresult rv = sXMLFragmentParser->ParseFragment(aSourceBuffer, aTagStack);
-  if (NS_FAILED(rv)) {
-    // Drop the fragment parser and sink that might be in an inconsistent state
-    NS_IF_RELEASE(sXMLFragmentParser);
-    NS_IF_RELEASE(sXMLFragmentSink);
-    return rv;
-  }
-
-  rv = sXMLFragmentSink->FinishFragmentParsing(aReturn);
-
-  sXMLFragmentParser->Reset();
-  NS_ENSURE_SUCCESS(rv, rv);
-
+  RefPtr doc;
   nsCOMPtr nodePrincipal = aDocument->NodePrincipal();
 
 #ifdef DEBUG
@@ -4929,6 +4929,27 @@
   // an about: scheme principal.
   bool shouldSanitize = nodePrincipal->IsSystemPrincipal() ||
                         nodePrincipal->SchemeIs("about") || aFlags >= 0;
+  if (shouldSanitize) {
+    doc = nsContentUtils::CreateInertXMLDocument(aDocument);
+  } else {
+    doc = aDocument;
+  }
+
+  sXMLFragmentSink->SetTargetDocument(doc);
+  sXMLFragmentSink->SetPreventScriptExecution(aPreventScriptExecution);
+
+  nsresult rv = sXMLFragmentParser->ParseFragment(aSourceBuffer, aTagStack);
+  if (NS_FAILED(rv)) {
+    // Drop the fragment parser and sink that might be in an inconsistent state
+    NS_IF_RELEASE(sXMLFragmentParser);
+    NS_IF_RELEASE(sXMLFragmentSink);
+    return rv;
+  }
+
+  rv = sXMLFragmentSink->FinishFragmentParsing(aReturn);
+
+  sXMLFragmentParser->Reset();
+  NS_ENSURE_SUCCESS(rv, rv);
   if (shouldSanitize) {
     uint32_t sanitizationFlags =
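Review bot: The `RefPtr doc` added in the `@@ -4908,22 +4908,7 @@` hunk is assigned from `nsContentUtils::CreateInertXMLDocument(aDocument)` in the following hunk with no null check before it reaches `sXMLFragmentSink->SetTargetDocument(doc)`, whereas the HTML counterpart in this same patch returns `NS_ERROR_FAILURE` when `CreateInertHTMLDocument` fails. If the XML factory can return null, the sink is handed a null target document on exactly the privileged path the patch is hardening; mirroring the HTML branch with `if (!doc) { return NS_ERROR_FAILURE; }` directly after the assignment keeps the two paths consistent and fails closed. Moving the parse below the principal check is otherwise behaviour-preserving, since the removed block reappears verbatim once `doc` has been chosen. The enclosing function starts outside the hunk, and the hunk that consumes `doc` runs past the end of this view.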