Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cb83583e5f4d955355574006a1bebf4b98a42a5d
https://github.com/WebKit/WebKit/commit/cb83583e5f4d955355574006a1bebf4b98a42a5d
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt
A LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Use-after-free of Document in trustedTypeCompliantString
https://bugs.webkit.org/show_bug.cgi?id=313703
rdar://175673135
Reviewed by Wenson Hsieh and Chris Dumez.
Fixed the bug by deploying more smart pointers.
Test: fast/dom/trusted-types-iframe-removal-crash.html
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt: Added.
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::parseHTMLUnsafe):
(WebCore::Document::write):
(WebCore::Document::execCommand):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setHTMLUnsafe):
(WebCore::Element::setOuterHTML):
(WebCore::Element::setInnerHTML):
(WebCore::Element::insertAdjacentHTML):
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::createContextualFragment):
* Source/WebCore/dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::setHTMLUnsafe):
(WebCore::ShadowRoot::setInnerHTML):
Originally-landed-as: 305413.805@safari-7624-branch (64d15c23216d).
rdar://180437947
Canonical link: https://commits.webkit.org/316274@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications