Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cb83583e5f4d955355574006a1bebf4b98a42a5d
      
https://github.com/WebKit/WebKit/commit/cb83583e5f4d955355574006a1bebf4b98a42a5d
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    A LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt
    A LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Use-after-free of Document in trustedTypeCompliantString
https://bugs.webkit.org/show_bug.cgi?id=313703
rdar://175673135

Reviewed by Wenson Hsieh and Chris Dumez.

Fixed the bug by deploying more smart pointers.

Test: fast/dom/trusted-types-iframe-removal-crash.html

* LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt: Added.
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::parseHTMLUnsafe):
(WebCore::Document::write):
(WebCore::Document::execCommand):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setHTMLUnsafe):
(WebCore::Element::setOuterHTML):
(WebCore::Element::setInnerHTML):
(WebCore::Element::insertAdjacentHTML):
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::createContextualFragment):
* Source/WebCore/dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::setHTMLUnsafe):
(WebCore::ShadowRoot::setInnerHTML):

Originally-landed-as: 305413.805@safari-7624-branch (64d15c23216d). 
rdar://180437947
Canonical link: https://commits.webkit.org/316274@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to