Drawing text in an SVG font causes load events to be fired.
author: akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Aug 2014 22:56:06 +0000 (22:56 +0000)
committer: akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Aug 2014 22:56:06 +0000 (22:56 +0000)
commit 2cc710e6befdf5aec707f673895f17b90788cec2
tree 0c6b1262fd927cfe2f302d68209a5f6c7221c537
parent 8d929eda4e9d90fb749ed734f19762cbb77bed86
Drawing text in an SVG font causes load events to be fired.
<https://webkit.org/b/136269>
<rdar://problem/15724915>

Source/WebCore:

Don't flush pending load events in Document::implicitClose() for frameless documents.
This is a targeted fix for an issue where parsing SVG fonts during layout would cause
event dispatch to happen in the main document, leading to arbitrary JS execution.

Note that the testcase only works in DRT/WTR, since once the SVG font is cached
by WebCore, we won't reparse it again. Caches are cleared between tests, so it will
correctly fail if this should regress.

Longer-term, we should clean this up and get rid of the global dispatch entirely.

Reviewed by Simon Fraser.

Test: fast/text/svg-font-trigger-load-event.html

* dom/Document.cpp:
(WebCore::Document::implicitClose):

LayoutTests:

Reviewed by Simon Fraser.

* fast/text/svg-font-trigger-load-event-expected.txt: Added.
* fast/text/svg-font-trigger-load-event.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@173028 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/text/svg-font-trigger-load-event-expected.txt [new file with mode: 0644]
LayoutTests/fast/text/svg-font-trigger-load-event.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp