ASSERTION FAILED: url.containsOnlyASCII() in WebCore::checkEncodedString() when parsing an invalid CSS cursor URL

author    aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 3 Oct 2016 20:27:33 +0000 (20:27 +0000)
committer aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 3 Oct 2016 20:27:33 +0000 (20:27 +0000)
commit    37ec083df439c19e5d2a05695e75582cf37538fe
tree      02a433c056cbacbbac5c6fe04f53f27f5d2fefc7
parent    eb78bc1d4f18517633e683436fbe07df9d9773ca
ASSERTION FAILED: url.containsOnlyASCII() in WebCore::checkEncodedString() when parsing an invalid CSS cursor URL
https://bugs.webkit.org/show_bug.cgi?id=162763
<rdar://problem/28572758>

Reviewed by Youenn Fablet.

Source/WebCore:

CSSCursorImageValue copies the URL of its underlying CSSImageValue by using the
ParsedURLString URL constructor on the String returned by CSSImageValue::url(). While
CSSImageValues were always being constructed from a URL implicitly converted to a String,
nothing ensured that the URL was valid. For invalid URLs, URL::string() returns the string
it was constructed with, which might still represent a relative URL or contain non-ASCII
characters, violating the preconditions of the ParsedURLString URL constructor and causing
an assertion to fail in Debug builds.

Fix this by having CSSImageValue store its image URL using a WebCore::URL rather than a
String. CSSCursorImageValue can then copy this URL instead of attempting to re-parse a
possibly-invalid URL string.

Test: fast/css/cursor-with-invalid-url.html

* css/CSSCursorImageValue.cpp:
(WebCore::CSSCursorImageValue::CSSCursorImageValue): Copied m_imageValue.url() into
m_originalURL instead of using the ParsedURLString URL constructor, since
CSSImageValue::url() now returns a WebCore::URL.
(WebCore::CSSCursorImageValue::loadImage): Created a URL from cursorElement->href() by
calling Document::completeURL().
* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::CSSImageValue): Changed to take a URL&& instead of a const String&.
(WebCore::CSSImageValue::loadImage): Stopped calling Document::completeURL(), since m_url is
now a WebCore::URL.
* css/CSSImageValue.h: Changed url() to return a const URL&, and changed m_url to be a URL.
* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::collectStyleForPresentationAttribute): Removed a call to
URL::string().
* html/HTMLTableElement.cpp:
(WebCore::HTMLTableElement::collectStyleForPresentationAttribute): Ditto.
* html/HTMLTablePartElement.cpp:
(WebCore::HTMLTablePartElement::collectStyleForPresentationAttribute): Ditto.

LayoutTests:

* fast/css/cursor-with-invalid-url.html: Added.
* fast/css/cursor-with-invalid-url-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206744 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/css/cursor-with-invalid-url-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/cursor-with-invalid-url.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSCursorImageValue.cpp
Source/WebCore/css/CSSImageValue.cpp
Source/WebCore/css/CSSImageValue.h
Source/WebCore/html/HTMLBodyElement.cpp
Source/WebCore/html/HTMLTableElement.cpp
Source/WebCore/html/HTMLTablePartElement.cpp
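The commit message above describes a precondition failure: an invalid URL's string form is just the raw input (possibly relative, possibly non-ASCII), so feeding it back into a constructor that assumes an already-parsed, encoded string trips the assertion. The following toy model illustrates that failure mode and why copying the URL object avoids it. It is an added example written for this page, not WebCore code; the class and function names (ToyURL, checkEncodedString, fromParsedString, cloneByReparsingString, cloneByCopyingURL) and the simplified parsing rules are hypothetical stand-ins for the real classes named in the commit.

```cpp
// Toy model of the bug and fix described in the commit message (hypothetical
// names; not WebCore's API). The "parsed string" constructor is modelled as
// returning an invalid URL instead of asserting so the behaviour is testable.
#include <cassert>
#include <string>

// Precondition on a pre-parsed, encoded URL string: ASCII only.
static bool checkEncodedString(const std::string& s) {
    for (unsigned char c : s)
        if (c > 0x7F) return false;
    return true;
}

// Minimal stand-in for a parsed URL. Parsing succeeds only for an absolute,
// ASCII-only result; on failure the object is invalid but keeps the original
// input so that string() returns it, mirroring what the commit says about
// URL::string() on invalid URLs.
class ToyURL {
public:
    // Parse a possibly-relative input against a base (base may be empty).
    static ToyURL parse(const std::string& base, const std::string& input) {
        ToyURL u;
        std::string candidate = input;
        bool hasScheme = input.find("://") != std::string::npos;
        if (!hasScheme && !base.empty())
            candidate = base + input;          // naive relative resolution
        if (candidate.find("://") != std::string::npos && checkEncodedString(candidate)) {
            u.m_valid = true;
            u.m_string = candidate;
        } else {
            u.m_valid = false;
            u.m_string = input;                // invalid: raw input is retained
        }
        return u;
    }

    // Construct from a string the caller promises is already parsed and
    // encoded (models the ParsedURLString constructor). preconditionHeld
    // reports whether that promise was actually kept.
    static ToyURL fromParsedString(const std::string& s, bool& preconditionHeld) {
        preconditionHeld = checkEncodedString(s) && s.find("://") != std::string::npos;
        ToyURL u;
        u.m_valid = preconditionHeld;
        u.m_string = s;
        return u;
    }

    bool isValid() const { return m_valid; }
    const std::string& string() const { return m_string; }

private:
    bool m_valid = false;
    std::string m_string;
};

// "Before": copy a URL by re-parsing its string form. For an invalid source
// the string is the raw input, so the precondition can be violated.
bool cloneByReparsingString(const ToyURL& src, ToyURL& out) {
    bool ok = false;
    out = ToyURL::fromParsedString(src.string(), ok);
    return ok;
}

// "After": copy the URL object itself. No re-parse, so no precondition to
// break; an invalid source simply stays invalid.
bool cloneByCopyingURL(const ToyURL& src, ToyURL& out) {
    out = src;
    return true;
}
```

The general point the model makes is that validity is a property of the parsed object, not of its string representation; once a string has been through a failed parse, treating it as "already parsed" elsewhere in the code re-introduces the input the parser rejected.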