diff options
Diffstat (limited to 'editor/libeditor/crashtests')
118 files changed, 2700 insertions, 0 deletions
diff --git a/editor/libeditor/crashtests/1057677.html b/editor/libeditor/crashtests/1057677.html new file mode 100644 index 0000000000..d0b9497a5a --- /dev/null +++ b/editor/libeditor/crashtests/1057677.html @@ -0,0 +1,9 @@ +<html><body></body><script> +document.designMode = "on"; +var hrElem = document.createElement("HR"); +var select = window.getSelection(); +document.body.appendChild(hrElem); +select.collapse(hrElem,0); +document.execCommand("InsertHTML", false, "<div>foo</div><div>bar</div>"); +</script> +</html> diff --git a/editor/libeditor/crashtests/1128787.html b/editor/libeditor/crashtests/1128787.html new file mode 100644 index 0000000000..fc6bff0972 --- /dev/null +++ b/editor/libeditor/crashtests/1128787.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> +<html> +<head> +<title>Bug 1128787</title> +</head> +<body> + <input type="button"/> + <script> + window.onload = function () { + document.designMode = "on"; + } + var input = document.getElementsByTagName("input")[0]; + input.focus(); + input.type = "text"; + </script> +</body> +</html> diff --git a/editor/libeditor/crashtests/1134545.html b/editor/libeditor/crashtests/1134545.html new file mode 100644 index 0000000000..d09fd6beb3 --- /dev/null +++ b/editor/libeditor/crashtests/1134545.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<!-- saved from url=(0065)https://bug1134545.bugzilla.mozilla.org/attachment.cgi?id=8566418 --> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text at end of the <body>. + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + const textNode = document.createTextNode(" "); + const editingHost = document.querySelector("div[contenteditable]"); + editingHost.appendChild(textNode); + editingHost.setAttribute('contenteditable', "true"); + textNode.remove(); + getSelection().selectAllChildren(textNode); + document.execCommand("increasefontsize"); +} +</script> +</head> +<body onload="onLoad();"> +<div contenteditable></div> + + +</body></html>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1158452.html b/editor/libeditor/crashtests/1158452.html new file mode 100644 index 0000000000..56c74abd61 --- /dev/null +++ b/editor/libeditor/crashtests/1158452.html @@ -0,0 +1,10 @@ + +<div> +<div> +aaaaaaa +</script> +<script type="text/javascript"> +document.designMode = "on" +window.getSelection().modify("extend", "backward", "line") +document.execCommand("increasefontsize","",null); +</script> diff --git a/editor/libeditor/crashtests/1158651.html b/editor/libeditor/crashtests/1158651.html new file mode 100644 index 0000000000..27278b5234 --- /dev/null +++ b/editor/libeditor/crashtests/1158651.html @@ -0,0 +1,18 @@ +<script> +onload = function() { + var testContainer = document.createElement("span"); + testContainer.contentEditable = true; + document.body.appendChild(testContainer); + + function queryFormatBlock(content) + { + testContainer.innerHTML = content; + while (testContainer.firstChild) + testContainer = testContainer.firstChild; + window.getSelection().collapse(testContainer, 0); + document.queryCommandValue('formatBlock'); + } + + queryFormatBlock('<ol>hello</ol>'); +}; +</script> diff --git a/editor/libeditor/crashtests/1244894.xhtml b/editor/libeditor/crashtests/1244894.xhtml new file mode 100644 index 0000000000..89a24751e9 --- /dev/null +++ b/editor/libeditor/crashtests/1244894.xhtml @@ -0,0 +1,21 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<script> + +function boom() +{ + document.designMode = 'on'; + document.execCommand("indent", false, null); + document.execCommand("insertText", false, "a"); + document.execCommand("forwardDelete", false, null); + document.execCommand("justifyfull", false, null); +} + +window.addEventListener("load", boom, false); + +</script> +</head> + +<body> <span class="v"></span></body><body><input type="file" /></body> + +</html> diff --git a/editor/libeditor/crashtests/1264921.html b/editor/libeditor/crashtests/1264921.html new file mode 100644 index 0000000000..b53fcb5fd4 --- /dev/null +++ b/editor/libeditor/crashtests/1264921.html @@ -0,0 +1 @@ +<body style=display:table-footer-group onload=d=document;h=d.all[0];h.appendChild(d.createElement("input"));h.appendChild(d.createElement("iframe"));d.designMode="on">
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1272490.html b/editor/libeditor/crashtests/1272490.html new file mode 100644 index 0000000000..2a8f1d9f9c --- /dev/null +++ b/editor/libeditor/crashtests/1272490.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> +<html> +<head> +<meta charset="utf-8"> +<script> +window.onload = function () { + var childDocument = document.getElementsByTagName("iframe")[0].contentDocument; + childDocument.designMode = "on"; + function onAttrModified(aEvent) { + childDocument.removeEventListener("DOMAttrModified", onAttrModified); + // Remove the editor from document during executing "insertOrderedList". + document.body.innerHTML = ""; + } + childDocument.addEventListener("DOMAttrModified", onAttrModified); + childDocument.execCommand("insertOrderedList", false, "1"); +} +</script> +</head> +<body><iframe></iframe></body> +</html> diff --git a/editor/libeditor/crashtests/1274050.html b/editor/libeditor/crashtests/1274050.html new file mode 100644 index 0000000000..5b7a5613ef --- /dev/null +++ b/editor/libeditor/crashtests/1274050.html @@ -0,0 +1,17 @@ +<body> +<table contenteditable></table> +</body> +<script> +window.onload = function() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body>. + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + document.execCommand("styleWithCSS", false, false); + document.designMode = "on"; + document.execCommand("insertUnorderedList"); + document.execCommand("justifyFull"); +}; +</script> diff --git a/editor/libeditor/crashtests/1317704.html b/editor/libeditor/crashtests/1317704.html new file mode 100644 index 0000000000..2f6d2820c3 --- /dev/null +++ b/editor/libeditor/crashtests/1317704.html @@ -0,0 +1,42 @@ +<!DOCTYPE html> +<html> +<head> +<meta charset="utf-8"> +<script> +addEventListener('DOMContentLoaded', () => { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body>. + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + document.documentElement.className = 'lizard'; + setTimeout(() => { + document.execCommand('selectAll'); + document.designMode = 'on'; + document.execCommand('removeformat'); + }, 0); +}); +</script> +<style> +.lizard { + -webkit-user-select: all; +} +* { + position: fixed; + display: table-column; +} +</style> +</head> +<body> +<span> +<span contenteditable> +<span class=lizard></span> +<span class=lizard></span> +<span /> +</span> +</span> +</span> +</span> +</body> +</html> diff --git a/editor/libeditor/crashtests/1317718.html b/editor/libeditor/crashtests/1317718.html new file mode 100644 index 0000000000..892b8aee31 --- /dev/null +++ b/editor/libeditor/crashtests/1317718.html @@ -0,0 +1,14 @@ +<!DOCTYPE html> +<html> +<script> +addEventListener('DOMContentLoaded', function() { + let root = document.documentElement; + while(root.firstChild) { + root.firstChild.remove(); + } + document.designMode = 'on'; + document.removeChild(document.documentElement); + document.execCommand('justifyleft', false, null); +}); +</script> +</html> diff --git a/editor/libeditor/crashtests/1324505.html b/editor/libeditor/crashtests/1324505.html new file mode 100644 index 0000000000..4872b9f05d --- /dev/null +++ b/editor/libeditor/crashtests/1324505.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<html> +<script> +addEventListener("DOMContentLoaded", function(){ + let root = document.documentElement; + while(root.firstChild) { + root.firstChild.remove(); + } + let o_0 = document.createElement("body"); + root.appendChild(o_0); + o_0.appendChild(document.createElement("table")); + o_0.appendChild(document.createElement("canvas")); + let o_1 = document.createElement("canvas"); + o_0.appendChild(o_1); + o_1.setAttribute("contenteditable", "true"); + setTimeout(function(){ + document.execCommand("selectAll", false, "Marker felt"); + document.designMode = 'on'; + document.execCommand("insertorderedlist", false, null); + document.execCommand("insertorderedlist", false, null); + }, 0); +}); +</script> +</html> diff --git a/editor/libeditor/crashtests/1343918.html b/editor/libeditor/crashtests/1343918.html new file mode 100644 index 0000000000..24a3d9041f --- /dev/null +++ b/editor/libeditor/crashtests/1343918.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> + <head> + <script type="application/javascript"> + let form = document.createElement('form'); + let input1 = document.createElement('input'); + let input2 = document.createElement('input'); + document.documentElement.appendChild(form); + document.documentElement.appendChild(input1); + form.appendChild(input2); + form.contentEditable = true + input1.focus(); + + let range = document.createRange(); + range.selectNode(input2); + window.getSelection().addRange(range); + document.execCommand("italic", false, null); + </script> + </head> + <body></body> +</html> diff --git a/editor/libeditor/crashtests/1344097.html b/editor/libeditor/crashtests/1344097.html new file mode 100644 index 0000000000..7f76957c5a --- /dev/null +++ b/editor/libeditor/crashtests/1344097.html @@ -0,0 +1,20 @@ +<html> + <head> + <script></script> + <script> + document.designMode = 'on'; + o1 = window.getSelection(); + o2 = document.createElement('code'); + o3 = document.createElement('style'); + o4 = document.createElement('style'); + document.head.appendChild(o3); + o1.modify("move", "right", "character"); + document.styleSheets[0].insertRule("* { position: absolute; }", 0); + document.head.appendChild(o4); + window.resizeTo(1,1); + document.documentElement.appendChild(o2); + o1.selectAllChildren(o2); + </script> + </head> + <body></body> +</html> diff --git a/editor/libeditor/crashtests/1345015.html b/editor/libeditor/crashtests/1345015.html new file mode 100644 index 0000000000..3781469578 --- /dev/null +++ b/editor/libeditor/crashtests/1345015.html @@ -0,0 +1,28 @@ +<!DOCTYPE html> +<html> + <head> + <script type="application/javascript"> + document.designMode = "on"; + let selection = window.getSelection(); + + let foo = document.createElement('foo'); + let div = document.createElement('div'); + document.documentElement.appendChild(foo); + document.documentElement.appendChild(div); + foo.outerHTML = '<foo>'; + + let range = document.createRange(); + range.selectNode(div); + selection.addRange(range); + range.setStart(foo, 0); + + range = document.createRange(); + range.selectNode(document.documentElement); + selection.addRange(range); + + document.execCommand('insertparagraph', false, null); + </script> + </head> + <body> + </body> +</html> diff --git a/editor/libeditor/crashtests/1348851.html b/editor/libeditor/crashtests/1348851.html new file mode 100644 index 0000000000..d618f049ee --- /dev/null +++ b/editor/libeditor/crashtests/1348851.html @@ -0,0 +1,19 @@ +<!DOCTYPE> +<html> +<head> +<meta charset="UTF-8"> +<script> +function boom(){ + document.designMode = "on"; + document.execCommand("insertlinebreak"); + document.designMode = "off"; + document.designMode = "on"; + document.execCommand("insertunorderedlist"); +} +addEventListener("DOMContentLoaded", boom); +</script> +</head> +<body style="display:flex;"> +<!--comment--> +</body> +</html> diff --git a/editor/libeditor/crashtests/1350772.html b/editor/libeditor/crashtests/1350772.html new file mode 100644 index 0000000000..e20481527d --- /dev/null +++ b/editor/libeditor/crashtests/1350772.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<html> +<head> +<script> +addEventListener("DOMContentLoaded", () => { + try { + document.designMode = 'on'; + document.removeChild(document.documentElement); + document.appendChild(document.createElement("p")); + document.execCommand("insertParagraph", false, null); + } catch(e) { + } +}); +</script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1364133.html b/editor/libeditor/crashtests/1364133.html new file mode 100644 index 0000000000..a1d06fba98 --- /dev/null +++ b/editor/libeditor/crashtests/1364133.html @@ -0,0 +1,42 @@ +<html> + <head> + <script> + var tr = document.createElement('tr'); + document.documentElement.appendChild(tr); + + var a1 = document.createElement('a'); + document.documentElement.appendChild(a1); + var a2 = document.createElement('a'); + tr.appendChild(a2); + + var a3 = document.createElement('a'); + document.documentElement.appendChild(a3); + + var a4 = document.createElement('a'); + document.documentElement.appendChild(a4); + + var a5 = document.createElement('a'); + a1.appendChild(a5); + + var input = document.createElement('input'); + document.documentElement.appendChild(input); + + a3.contentEditable = true; + a5.innerText = "xx"; + a4.outerHTML = ""; + input.select(); + + document.replaceChild(document.documentElement, document.documentElement); + window.find("x", false, false, false, false, false, false); + + var range = document.createRange(); + range.setStart(a1, 1); + window.getSelection().addRange(range); + + document.designMode = "on"; + + range.selectNode(a2); + document.execCommand("forecolor", false, "-moz-default-background-color"); + </script> + </head> +</html> diff --git a/editor/libeditor/crashtests/1366176.html b/editor/libeditor/crashtests/1366176.html new file mode 100644 index 0000000000..cf6841c650 --- /dev/null +++ b/editor/libeditor/crashtests/1366176.html @@ -0,0 +1,30 @@ +<html> +<head> + <script> + + function go() + { + try { o114 = document.createElement('canvas'); } catch(e) {;} + try { o103 = (new DOMParser).parseFromString('/', 'text/html'); } catch(e) {;} + try { o217 = o103.all[1]; } catch(e) {;} + try { o253 = window.getSelection(); } catch(e) {;} + + try { o270 = document.body.appendChild(document.createElement('a')); } catch(e) {;} + + try { o301 = window.getSelection(); } catch(e) {;} + try { o314 = window.getSelection(); } catch(e) {;} + try { document.body.appendChild(o114); } catch(e) {;} + try { document.documentElement.appendChild(o217); } catch(e) {;} + try { document.body.appendChild(o270); } catch(e) {;} + try { o217.contentEditable = true } catch(e) {;} + + try { o253.modify('move','forward','lineboundary'); } catch(e) {;} + try { o314.modify('extend','left','line'); } catch(e) {;} + try { o301.modify('extend','right','line'); } catch(e) {;} + } + </script> +</head> +<body onload="go();"> + <plaintext></plaintext> +</bdoy> +</html> diff --git a/editor/libeditor/crashtests/1375131.html b/editor/libeditor/crashtests/1375131.html new file mode 100644 index 0000000000..4060cf3d4c --- /dev/null +++ b/editor/libeditor/crashtests/1375131.html @@ -0,0 +1,33 @@ +<!DOCTYPE html> +<html> + <head> + <script type="application/javascript"> + document.designMode = 'on'; + + let div = document.createElement('div'); + let p = document.createElement('p'); + document.documentElement.appendChild(div); + document.documentElement.appendChild( + document.createElement('body')); + document.documentElement.appendChild(p); + document.execCommand('insertimage', false, 'http://localhost/'); + document.execCommand('insertparagraph', false, null); + + document.elementFromPoint(0, 0); + + let selection = window.getSelection(); + selection.modify('extend', 'forward', 'character'); + + let range = document.createRange(); + range.selectNode(p); + selection.addRange(range); + range.setStart(div, 0); + + range = document.createRange(); + range.selectNode(p); + selection.addRange(range); + + document.execCommand('delete', false, null); + </script> + </head> +</html> diff --git a/editor/libeditor/crashtests/1381541.html b/editor/libeditor/crashtests/1381541.html new file mode 100644 index 0000000000..8902e3d032 --- /dev/null +++ b/editor/libeditor/crashtests/1381541.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> +<html> + <head> + <script type="application/javascript"> + var editable = document.createElement('div'); + document.documentElement.appendChild(editable); + editable.contentEditable = 'true'; + var div = document.createElement('div'); + document.documentElement.appendChild(div); + // Flush content + div.offsetLeft; + document.execCommand('styleWithCSS', false, true); + + var range = new Range(); + window.getSelection().addRange(range); + range.setStart(document.createTextNode(''), 0); + document.queryCommandState('backcolor'); + </script> + </head> +</html> diff --git a/editor/libeditor/crashtests/1383747.html b/editor/libeditor/crashtests/1383747.html new file mode 100644 index 0000000000..1c926cc7ea --- /dev/null +++ b/editor/libeditor/crashtests/1383747.html @@ -0,0 +1,15 @@ +<html> + <head> + <script> + try { o1 = window.getSelection() } catch(e) { } + try { o2 = document.createElement('map') } catch(e) { }; + try { o3 = document.createElement('select') } catch(e) { } + try { document.documentElement.appendChild(o2) } catch(e) { }; + try { o2.contentEditable = 'true' } catch(e) { }; + try { o2.offsetTop } catch(e) { }; + try { document.replaceChild(document.implementation.createHTMLDocument().documentElement, document.documentElement); } catch(e) { } + try { document.documentElement.appendChild(o3) } catch(e) { } + try { o1.modify('extend', 'forward', 'word') } catch(e) { } + </script> + </head> +</html>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1383755.html b/editor/libeditor/crashtests/1383755.html new file mode 100644 index 0000000000..3cbfe08d17 --- /dev/null +++ b/editor/libeditor/crashtests/1383755.html @@ -0,0 +1,26 @@ +<html> + <head> + <script type="application/javascript"> + let table = document.createElement('table'); + document.documentElement.appendChild(table); + let tr = document.createElement('tr'); + table.appendChild(tr); + let input = document.createElement('input'); + document.documentElement.appendChild(input); + + let img = document.createElement('img'); + input.appendChild(img); + img.contentEditable = 'true' + tr.appendChild(img); + img.offsetParent; + + // Since table's cell is selected by the following, it will show + // object resizer that is anonymous element. + window.getSelection().selectAllChildren(tr); + // Document.adoptNode will remove anonymous element of object resizer + // and it shouldn't cause crash + document.implementation.createDocument('', '').adoptNode(table); + </script> + </head> +</html> + diff --git a/editor/libeditor/crashtests/1383763.html b/editor/libeditor/crashtests/1383763.html new file mode 100644 index 0000000000..a97d685368 --- /dev/null +++ b/editor/libeditor/crashtests/1383763.html @@ -0,0 +1,17 @@ +<xsl:stylesheet id='xsl'> +<script id='script'> +try { o1 = document.createElement('table') } catch(e) { } +try { o3 = document.createElement('area') } catch(e) { } +try { o4 = document.createElement('script'); } catch(e) { } +try { o5 = document.getSelection() } catch(e) { } +try { document.implementation.createDocument('', '', null).adoptNode(o1); } catch(e) { } +try { o1.appendChild(o3) } catch(e) { } +try { o5.addRange(new Range()); } catch(e) { } +try { document.documentElement.appendChild(o4) } catch(e) { } +try { o4.textContent = 'XX' } catch(e) { } +try { o7 = o4.firstChild } catch(e) { } +try { o4.parentNode.insertBefore(o7, o4); } catch(e) { } +try { o5.modify('extend', 'forward', 'line') } catch(e) { } +try { o5.selectAllChildren(o3) } catch(e) { } +try { o7.splitText(1) } catch(e) { } +</script>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1384161.html b/editor/libeditor/crashtests/1384161.html new file mode 100644 index 0000000000..c7d8ccc292 --- /dev/null +++ b/editor/libeditor/crashtests/1384161.html @@ -0,0 +1,17 @@ +<html> + <head> + <script> + try { o1 = document.createElement('caption') } catch(e) { } + try { o2 = document.createElement('select') } catch(e) { } + try { o3 = document.createElement('map') } catch(e) { } + try { o4 = window.getSelection() } catch(e) { } + try { document.documentElement.appendChild(o1) } catch(e) { } + try { o1.style.display = 'contents' } catch(e) { } + try { document.prepend(o2, document) } catch(e) { } + try { document.designMode = 'on'; } catch(e) { } + try { o3.ownerDocument.execCommand('outdent', false, null) } catch(e) { } + try { document.designMode = 'off'; } catch(e) { } + try { o4.extend(o2, 0) } catch(e) { } + </script> + </head> +</html>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1388075.html b/editor/libeditor/crashtests/1388075.html new file mode 100644 index 0000000000..c539f97d57 --- /dev/null +++ b/editor/libeditor/crashtests/1388075.html @@ -0,0 +1,60 @@ +<html> +<head> +<script> +try { + var style = document.createElement("style"); +} catch(e) {} +try { + var output = document.createElement("output"); +} catch(e) {} +try { + var input = document.createElement("input"); +} catch(e) {} +try { + var script = document.createElement("script"); +} catch(e) {} +try { + var clonedOutput = output.cloneNode(false); +} catch(e) {} +try { + document.documentElement.appendChild(style); +} catch(e) {} +try { + style.outerHTML = '<a contenteditable="true">'; +} catch(e) {} +// For emulating the traditional behavior, collapse Selection to end of the +// <body> which must be empty (<style> was added after the <body>). +getSelection().collapse(document.body, document.body.childNodes.length); +try { + document.documentElement.appendChild(input); +} catch(e) {} +try { + var text = document.createTextNode(" "); +} catch(e) {} +try { + script.appendChild(text); +} catch(e) {} +try { + document.documentElement.appendChild(script); +} catch(e) {} +try { + var selection = getSelection(); +} catch(e) {} +try { + input.select(); +} catch(e) {} +try { + document.replaceChild(document.documentElement, document.documentElement); +} catch(e) {} +try { + selection.setBaseAndExtent(text, 0, clonedOutput, 0); +} catch(e) {} +try { + document.designMode = "on"; +} catch(e) {} +try { + document.execCommand("insertImage", false, "http://localhost/"); +} catch(e) {} +</script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1393171.html b/editor/libeditor/crashtests/1393171.html new file mode 100644 index 0000000000..0aca3304e7 --- /dev/null +++ b/editor/libeditor/crashtests/1393171.html @@ -0,0 +1,10 @@ +<script> +window.onload=function(){ + window.getSelection().addRange(document.createRange()); + document.getElementById('a').appendChild(document.createElement('option')); + window.getSelection().modify('extend','backward','lineboundary'); +} +</script> +<div></div> +<textarea autofocus='true'></textarea> +<del id='a'> diff --git a/editor/libeditor/crashtests/1402196.html b/editor/libeditor/crashtests/1402196.html new file mode 100644 index 0000000000..8e0a7be0fe --- /dev/null +++ b/editor/libeditor/crashtests/1402196.html @@ -0,0 +1,29 @@ +<!DOCTYPE html> +<html class="reftest-wait"> +<head> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // <p> which is the deepest last child of the <body> (<spacer> can contain + // <p>). + getSelection().collapse( + document.querySelector("p"), + document.querySelector("p").childNodes.length + ); + document.querySelector("spacer").addEventListener("DOMNodeInserted", () => { + document.querySelector("style").appendChild( + document.querySelector("table") + ); + document.documentElement.classList.remove("reftest-wait"); + }); + document.execCommand("insertOrderedList"); +} +</script> +</head> +<body onload="onLoad()"> +<table></table> +<style></style> +<spacer contenteditable> +<p></p> +</body> +</html> diff --git a/editor/libeditor/crashtests/1402469.html b/editor/libeditor/crashtests/1402469.html new file mode 100644 index 0000000000..06583acb8b --- /dev/null +++ b/editor/libeditor/crashtests/1402469.html @@ -0,0 +1,22 @@ +<html> +<head> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body>. + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + document.execCommand("insertUnorderedList"); +} +</script> +</head> +<body onload="onLoad()"> +<table> + <th contenteditable> + <ol contenteditable> + </th> +</table> +</body> +</html> diff --git a/editor/libeditor/crashtests/1402526.html b/editor/libeditor/crashtests/1402526.html new file mode 100644 index 0000000000..fd75a30eca --- /dev/null +++ b/editor/libeditor/crashtests/1402526.html @@ -0,0 +1,24 @@ +<script>
+function onLoad() {
+ const shadow = document.querySelector("shadow");
+ // For emulating the traditional behavior, collapse Selection to end of the
+ // <shadow> which is the deepest last child of the <body>.
+ getSelection().collapse(shadow, shadow.childNodes.length);
+ try {
+ document.querySelector("dd[contenteditable]").addEventListener(
+ "DOMNodeInserted",
+ () => {
+ try {
+ shadow.replaceWith("1");
+ } catch(e) {}
+ }
+ );
+ } catch(e) {}
+ try {
+ document.execCommand("justifyFull");
+ } catch(e) {}
+}
+</script>
+<body onload="onLoad();">
+<dd contenteditable>
+<shadow></body>
diff --git a/editor/libeditor/crashtests/1402904.html b/editor/libeditor/crashtests/1402904.html new file mode 100644 index 0000000000..544d01208a --- /dev/null +++ b/editor/libeditor/crashtests/1402904.html @@ -0,0 +1,38 @@ +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // parent of <embed> (<embed> is not a container, therefore, its parent is the + // deepest last child container element of the <body>). + getSelection().collapse( + document.querySelector("embed").parentElement, + document.querySelector("embed").parentElement.childNodes.length + ); // Point the <embed> + const option = document.querySelector("option"); + option.addEventListener("click", () => { + document.execCommand("forwardDelete"); + }); + const li2 = document.getElementById("li2"); + li2.addEventListener("DOMNodeInserted", () => { + option.click(); + }); + const select = document.querySelector("select"); + select.parentElement.setAttribute("onpageshow", "onPageShow()"); +} + +function onPageShow() { + const li1 = document.getElementById("li1"); + li1.addEventListener("DOMSubtreeModified", () => { + document.execCommand("selectAll"); + document.execCommand("indent"); + }); + li1.appendChild(document.createElement("legend")); +} +</script> +<body onload="onLoad()"> +<select> +<option></option> +</select> +<li id="li1"></li> +<ul contenteditable="true"> +<li id="li2"></li> +<embed>a;#2 diff --git a/editor/libeditor/crashtests/1405747.html b/editor/libeditor/crashtests/1405747.html new file mode 100644 index 0000000000..dae3a130f0 --- /dev/null +++ b/editor/libeditor/crashtests/1405747.html @@ -0,0 +1,40 @@ +<script> +let th; +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // <colgroup> which is the last child of the <body>. + getSelection().collapse( + document.querySelector("colgroup"), + document.querySelector("colgroup").childNodes.length + ); + th = document.querySelector("th"); // Cache the target for removing the event handler. + try { + th.addEventListener("DOMSubtreeModified", onDOMSubtreeModified); + } catch(e) {} + try { + th.align = ""; + } catch(e) {} +} + +let count = 0; +function onDOMSubtreeModified() { + if (count++ == 1) { + // If we didn't stop testing this, this event handler would be called too + // many times. It's enough to run twice to reproduce the bug report. + th.removeEventListener("DOMSubtreeModified", onDOMSubtreeModified); + } + try { + document.execCommand("selectAll"); + } catch(e) {} + try { + document.execCommand("justifyCenter"); + } catch(e) {} + try { + document.execCommand("forwardDelete"); + } catch(e) {} +} +</script> +<body onload="onLoad()"> +<table contenteditable> +<th></th> +<colgroup></body> diff --git a/editor/libeditor/crashtests/1405897.html b/editor/libeditor/crashtests/1405897.html new file mode 100644 index 0000000000..60118628b5 --- /dev/null +++ b/editor/libeditor/crashtests/1405897.html @@ -0,0 +1,23 @@ +<style> +* { position: absolute; } +</style> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <iframe> which is the last child of the <body>. Note that + // <iframe> is treated as a container in HTMLEditor. + const iframe = document.querySelector("iframe"); + getSelection().collapse(iframe.firstChild, iframe.firstChild.length); + document.querySelector("del").addEventListener("DOMSubtreeModified", () => { + document.execCommand("italic"); + document.execCommand("selectAll"); + }); + const anchor = document.querySelector("a[contenteditable]"); + anchor.replaceChild(iframe, anchor.childNodes[0]); +} +</script> +<body onload="onLoad()"> +<a contenteditable> +<del> +<iframe> +</body>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1408170.html b/editor/libeditor/crashtests/1408170.html new file mode 100644 index 0000000000..66119e9da3 --- /dev/null +++ b/editor/libeditor/crashtests/1408170.html @@ -0,0 +1,40 @@ +<script> +function onLoad() { + try { + document.execCommand("insertUnorderedList"); + } catch(e) {} + try { + document.execCommand("delete"); + } catch(e) {} +} + +function onToggle1() { + try { + getSelection().collapse( + document.querySelector("font"), + 1 + ); + } catch(e) {} +} + +function onToggle2() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <summary> which is the last child of the <body>. + const summary = document.querySelector("summary"); + getSelection().collapse(summary.firstChild, summary.firstChild.length); + try { + document.querySelector("label").appendChild( + document.querySelector("font") + ); + } catch(e) {} +} +</script> +<body onload="onLoad()"> +<label contenteditable> +<details ontoggle="onToggle2()" open> +</details> +</label> +<details ontoggle="onToggle1()" open> +<font dir="rtl"> +<summary> +</details></font></summary></body> diff --git a/editor/libeditor/crashtests/1414581.html b/editor/libeditor/crashtests/1414581.html new file mode 100644 index 0000000000..17cdc2f8c8 --- /dev/null +++ b/editor/libeditor/crashtests/1414581.html @@ -0,0 +1,31 @@ +<!DOCTYPE html>
+<html>
+<head>
+<script>
+function jsfuzzer() {
+ document.execCommand("outdent", false);
+}
+function eventhandler2() {
+ document.execCommand("styleWithCSS", false, true);
+}
+function eventhandler3() {
+ document.execCommand("delete", false);
+ var element1 = document.getElementById("element1");
+ document.getSelection().setPosition(element1, 0);
+ var element1 = document.getElementById("element2");
+ element2.ownerDocument.execCommand("insertOrderedList", false);
+ var element1 = document.getElementById("element3");
+ element3.addEventListener("DOMSubtreeModified", eventhandler3);
+ document.activeElement.setAttribute("contenteditable", "true");
+}
+</script>
+</head>
+<body onload=jsfuzzer()>
+<i id="element1">
+<audio i src="x"></audio>
+<da id="element2">
+<br id="element3" style="">
+<svg onload="eventhandler3()">
+<animate onbegin="eventhandler2()">
+<body>
+</html>
diff --git a/editor/libeditor/crashtests/1415231.html b/editor/libeditor/crashtests/1415231.html new file mode 100644 index 0000000000..d8702e4542 --- /dev/null +++ b/editor/libeditor/crashtests/1415231.html @@ -0,0 +1,26 @@ +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <option> which is in the last child of the <body>. + const option = document.querySelector("option"); + getSelection().collapse(option.firstChild, option.firstChild.length); + document.querySelector("ins").addEventListener( + "DOMNodeRemoved", + onDOMNodeRemoved + ); + getSelection().setPosition( + document.querySelector("shadow") + ); + document.execCommand("insertText", false, "1"); +} +function onDOMNodeRemoved() { + document.execCommand("insertHorizontalRule"); + document.execCommand("justifyCenter"); +} +</script> +<body onload="onLoad()"> +<li contenteditable> +<shadow> +<ins> +<option> +</li></shadow></ins></option></body> diff --git a/editor/libeditor/crashtests/1423767.html b/editor/libeditor/crashtests/1423767.html new file mode 100644 index 0000000000..777cf58036 --- /dev/null +++ b/editor/libeditor/crashtests/1423767.html @@ -0,0 +1,17 @@ +<script> +function onLoad() { + const label = document.querySelector("label"); + // For emulating the traditional behavior, collapse Selection to end of the + // <label> which is the last child of the <body>, i.e., at the comment node. + getSelection().collapse(label, label.childNodes.length); + label.addEventListener("DOMNodeRemoved", () => { + document.querySelector("a").innerText = ""; + }); + document.execCommand("indent"); +} +</script> +<body onload="onLoad()"> +<li contenteditable> +<a> +<label></br> +<!--- diff --git a/editor/libeditor/crashtests/1423776.html b/editor/libeditor/crashtests/1423776.html new file mode 100644 index 0000000000..4790a79f31 --- /dev/null +++ b/editor/libeditor/crashtests/1423776.html @@ -0,0 +1,25 @@ +<script> +function onLoad() { + const svg = document.querySelector("svg"); + const feConvolveMatrix = document.querySelectorAll("feConvolveMatrix"); + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the last <svg> which is the deepest last child of the <body> + // (i.e., at end of the text node after the last <feConvolveMatrix>). + getSelection().collapse(svg.lastChild, svg.lastChild.length); + feConvolveMatrix[0].addEventListener("DOMNodeInserted", () => { + svg.appendChild(feConvolveMatrix[1]); + document.execCommand("insertOrderedList", false); + }); + feConvolveMatrix[0].insertAdjacentHTML( + "afterBegin", + document.querySelector("table").outerHTML + ); +} +</script> +<body onload="onLoad()"> +<table></table> +<b contenteditable> +<svg> +<feConvolveMatrix/> +<feConvolveMatrix/> +</svg></body> diff --git a/editor/libeditor/crashtests/1424450.html b/editor/libeditor/crashtests/1424450.html new file mode 100644 index 0000000000..bd0fd98a42 --- /dev/null +++ b/editor/libeditor/crashtests/1424450.html @@ -0,0 +1,51 @@ +<script> +function onLoad() { + const feComponentTransfer = document.querySelector("feComponentTransfer"); + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <feComponentTransfer> which is the deepest last child of + // the <body>. + getSelection().collapse( + feComponentTransfer.firstChild, + feComponentTransfer.firstChild.length + ); + getSelection().setPosition( + document.querySelector("pre[contenteditable]"), + 1 + ); + getSelection().setBaseAndExtent( + document.querySelector("fieldset"), + 0, + document.querySelector("use"), + 0 + ); + feComponentTransfer.before( + document.querySelector("font-face-uri").previousElementSibling + ); + + document.execCommand("removeFormat"); + document.execCommand("hiliteColor", false, "-moz-buttondefault"); + document.execCommand("insertText", false, ""); +} +function onBegin() { + document.querySelector("desc").appendChild( + document.querySelector("fieldset") + ); + document.querySelector("span").appendChild( + document.querySelector("a[hidden][contenteditable]") + ); +} +</script> +<body onload="onLoad()"> +<span> +<pre contenteditable> +<fieldset></fieldset> +<iframe srcdoc="H"></iframe> +<a hidden contenteditable> +<svg> +<set onbegin="onBegin()"/> +<use> +<desc></desc> +</use> +<font-face-uri/> +<feComponentTransfer> +</feComponentTransfer></svg></a></pre></body> diff --git a/editor/libeditor/crashtests/1425091.html b/editor/libeditor/crashtests/1425091.html new file mode 100644 index 0000000000..be8f051931 --- /dev/null +++ b/editor/libeditor/crashtests/1425091.html @@ -0,0 +1,25 @@ +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body>, i.e., end of the text node after the + // <meter>. + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + document.scrollingElement.addEventListener("DOMNodeInserted", () => { + document.execCommand("selectAll"); + document.execCommand("insertOrderedList"); + }); + document.querySelector("style").appendChild( + document.createElement("e") + ); +} +</script> +<body onload="onLoad()"> +<meter contenteditable> +<dialog> +<style></style> +</dialog> +</meter> +</body> diff --git a/editor/libeditor/crashtests/1426709.html b/editor/libeditor/crashtests/1426709.html new file mode 100644 index 0000000000..0026176e98 --- /dev/null +++ b/editor/libeditor/crashtests/1426709.html @@ -0,0 +1,27 @@ +<script> +function onLoad() { + const pre = document.querySelector("pre[contenteditable]"); + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <pre> which is the deepest last child of the + // <body>, i.e., end of the text node after the <input>. + getSelection().collapse(pre.lastChild, pre.lastChild.length); + document.querySelector("li").setAttribute("contenteditable", "true"); + pre.addEventListener("DOMNodeRemoved", onDOMNodeRemoved); + pre.appendChild( + document.querySelector("input") + ); +} +function onDOMNodeRemoved() { + document.body.appendChild( + document.querySelector("pre[contenteditable]") + ); + document.execCommand("justifyFull"); + document.execCommand("delete"); +} +</script> +<body onload="onLoad()"> +<li> +A +<pre contenteditable> +<input autofocus> +</pre></li></body> diff --git a/editor/libeditor/crashtests/1429523.html b/editor/libeditor/crashtests/1429523.html new file mode 100644 index 0000000000..67b227d20b --- /dev/null +++ b/editor/libeditor/crashtests/1429523.html @@ -0,0 +1,18 @@ +<html class="reftest-wait"> + <head> + <script> + document.designMode = "on"; + Promise.all([ + new Promise(resolve => addEventListener("load", resolve)), + new Promise(resolve => addEventListener("focus", resolve)), + ]).then(() => { + document.body.firstChild.data = ""; + document.documentElement.removeAttribute("class"); + }); + blur(); + focus(); + getSelection().collapse(document.body, 0); + </script> + </head> + <body><!-- comment --></body> +</html> diff --git a/editor/libeditor/crashtests/1429523.xhtml b/editor/libeditor/crashtests/1429523.xhtml new file mode 100644 index 0000000000..da2fe16b30 --- /dev/null +++ b/editor/libeditor/crashtests/1429523.xhtml @@ -0,0 +1,18 @@ +<html xmlns="http://www.w3.org/1999/xhtml" class="reftest-wait"> + <head> + <script> + document.designMode = "on"; + Promise.all([ + new Promise(resolve => addEventListener("load", resolve)), + new Promise(resolve => addEventListener("focus", resolve)), + ]).then(() => { + document.body.firstChild.data = ""; + document.documentElement.removeAttribute("class"); + }); + blur(); + focus(); + getSelection().collapse(document.body, 0); + </script> + </head> + <body><![CDATA[ CDATA ]]></body> +</html> diff --git a/editor/libeditor/crashtests/1441619.html b/editor/libeditor/crashtests/1441619.html new file mode 100644 index 0000000000..08343feeed --- /dev/null +++ b/editor/libeditor/crashtests/1441619.html @@ -0,0 +1,12 @@ +<html> + <head> + <script> + try { o1 = window.getSelection() } catch (e) {} + try { o2 = document.createRange() } catch (e) {} + try { document.head.replaceWith('', document.documentElement) } catch (e) {} + try { o1.addRange(o2) } catch (e) {} + try { document.designMode = 'on' } catch (e) {} + try { o1.focusNode.execCommand('justifyleft', false, null) } catch (e) {} + </script> + </head> +</html> diff --git a/editor/libeditor/crashtests/1443664.html b/editor/libeditor/crashtests/1443664.html new file mode 100644 index 0000000000..b197d3cd49 --- /dev/null +++ b/editor/libeditor/crashtests/1443664.html @@ -0,0 +1,15 @@ +<style> +input:focus { counter-increment: c; } +</style> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body>, i.e., end of the text node after the + // <input contenteditable>. + getSelection().collapse(document.body, document.body.childNodes.length); + document.querySelector("input[type=number][contenteditable]").select(); +} +</script> +<body onload="onLoad()"> +<input type="number" contenteditable> +</body> diff --git a/editor/libeditor/crashtests/1444630.html b/editor/libeditor/crashtests/1444630.html new file mode 100644 index 0000000000..72ce9afced --- /dev/null +++ b/editor/libeditor/crashtests/1444630.html @@ -0,0 +1,29 @@ +<!DOCTYPE HTML> +<html class="reftest-wait"> +<head> +<script type="text/javascript"> +function load() +{ + let textarea = document.getElementById("editor"); + textarea.focus(); + + const { maybeOnSpellCheck } = SpecialPowers.ChromeUtils.import( + "resource://reftest/AsyncSpellCheckTestHelper.jsm" + ); + maybeOnSpellCheck(textarea, () => { + let isc = SpecialPowers.wrap(textarea).editor.getInlineSpellChecker(false); + let sc = isc.spellChecker; + + textarea.setAttribute("lang", "en-US"); + sc.UpdateCurrentDictionary(() => { + document.documentElement.classList.remove("reftest-wait"); + }); + sc.UninitSpellChecker(); + }); +} +</script> +</head> +<body onload="load()"> +<textarea id="editor" spellchecker="true">ABC</textarea> +</body> +</html> diff --git a/editor/libeditor/crashtests/1446451.html b/editor/libeditor/crashtests/1446451.html new file mode 100644 index 0000000000..56c887dc3b --- /dev/null +++ b/editor/libeditor/crashtests/1446451.html @@ -0,0 +1,13 @@ +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <dialog> which is the deepest last child of the <body>. + const dialog = document.querySelector("dialog"); + getSelection().collapse(dialog.lastChild, dialog.lastChild.length); + document.execCommand("insertImage", false, "o") +} +</script> +<body onload="onLoad()"> +<meter contenteditable> +<dialog> +</dialog></meter></body> diff --git a/editor/libeditor/crashtests/1464251.html b/editor/libeditor/crashtests/1464251.html new file mode 100644 index 0000000000..afe7e87561 --- /dev/null +++ b/editor/libeditor/crashtests/1464251.html @@ -0,0 +1,25 @@ +<script> +var count = 0; +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <s> which is the deepest last child (and a container) of + // the <body> (i.e., end of the the text node after the last comment node). + const s = document.querySelector("s"); + getSelection().collapse(s.lastChild, s.lastChild.length); + document.execCommand("delete"); +} + +function onInputOrDOMNodeInserted() { + if (++count >= 3) { + return; + } + addEventListener("DOMNodeInserted", onInputOrDOMNodeInserted); + document.execCommand("removeFormat"); + document.execCommand("insertText", false, "1"); +} +</script> +<body onload="onLoad()"> +<ol oninput="onInputOrDOMNodeInserted()" contenteditable> +<!-- x --> +<s> +<!-- x --> diff --git a/editor/libeditor/crashtests/1470926.html b/editor/libeditor/crashtests/1470926.html new file mode 100644 index 0000000000..9c39710a97 --- /dev/null +++ b/editor/libeditor/crashtests/1470926.html @@ -0,0 +1,9 @@ +<script> +function go() { + a.select(); + a.setAttribute("hidden", ""); + a.setRangeText("f"); +} +</script> +<body onload=go()> +<textarea id="a">-</textarea> diff --git a/editor/libeditor/crashtests/1474978.html b/editor/libeditor/crashtests/1474978.html new file mode 100644 index 0000000000..d7eb01e03b --- /dev/null +++ b/editor/libeditor/crashtests/1474978.html @@ -0,0 +1,21 @@ +<script> +function onLoad() { + const dd = document.querySelector("dd[contenteditable]"); + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <dd contenteditable> which is the deepest last + // child of the <body> (end of the text node after the <template>). + getSelection().collapse(dd.lastChild, dd.lastChild.length); + getSelection().setPosition( + document.querySelector("template") + ); + dd.addEventListener("DOMNodeInserted", () => { + document.execCommand("selectAll"); + document.execCommand("insertText", false, ""); + }); + document.execCommand("insertImage", false, "#"); +} +</script> +<body onload="onLoad()"> +<dd contenteditable> +<template></template> +</dd></body> diff --git a/editor/libeditor/crashtests/1517028.html b/editor/libeditor/crashtests/1517028.html new file mode 100644 index 0000000000..cbc3b71c0a --- /dev/null +++ b/editor/libeditor/crashtests/1517028.html @@ -0,0 +1,23 @@ +<!-- COMMENT --> +abc +<head> +<script> +document.addEventListener('DOMContentLoaded', () => { + // For emulating the traditional behavior, collapse Selection to end of the + // <em> which is the deepest last child of the <body> (at the comment node). + getSelection().collapse( + document.querySelector("em[contenteditable]"), + document.querySelector("em[contenteditable]").childNodes.length + ); + document.execCommand("justifyLeft"); + document.designMode = 'on'; + document.execCommand("insertParagraph"); +}); +</script> +</head> +<h4> +<em contenteditable> +<big> +<button autofocus formnovalidate formtarget=""> +</button> +<!-- COMMENT --></big></em></h4></body> diff --git a/editor/libeditor/crashtests/1525481.html b/editor/libeditor/crashtests/1525481.html new file mode 100644 index 0000000000..d96e1c2d0d --- /dev/null +++ b/editor/libeditor/crashtests/1525481.html @@ -0,0 +1,23 @@ +<script> +function onLoad() { + const button = document.querySelector("button"); + // For emulating the traditional behavior, collapse Selection to end of the + // <button> which is the deepest last child of the <body>. + getSelection().collapse(button, button.childNodes.length); + document.execCommand("styleWithCSS", false, true); + document.execCommand("delete"); + document.querySelector("ul[contenteditable]") + .addEventListener("DOMNodeRemoved", () => { + const range = document.createRange(); + range.setEndAfter(button); + getSelection().addRange(range); + getSelection().deleteFromDocument(); + }); + document.execCommand("outdent"); +} +</script> +<body onload="onLoad()"> +<ul contenteditable style="margin: -1px 0px 1px 6px"> +<dd></dd> +<dd> +<button></button>></dd></ul></body> diff --git a/editor/libeditor/crashtests/1533913.html b/editor/libeditor/crashtests/1533913.html new file mode 100644 index 0000000000..3009bbb660 --- /dev/null +++ b/editor/libeditor/crashtests/1533913.html @@ -0,0 +1,19 @@ +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node which is the last child of the <dd contenteditable> which is the + // last child of the <body>. + const dd = document.querySelector("dd[contenteditable]"); + getSelection().collapse(dd.lastChild, dd.lastChild.length); + document.execCommand("justifyFull"); + document.execCommand("selectAll"); + window.top.addEventListener("DOMNodeRemoved", () => { + document.execCommand("insertHTML", false, undefined) + }); + document.execCommand("heading", false, "H1") +} +</script> +<body onload="onLoad()"> +<dd contenteditable>A +<!-- A --> +</dd></body> diff --git a/editor/libeditor/crashtests/1534394.html b/editor/libeditor/crashtests/1534394.html new file mode 100644 index 0000000000..c254aa5f52 --- /dev/null +++ b/editor/libeditor/crashtests/1534394.html @@ -0,0 +1,29 @@ +<html> +<head> + <script> + + function start () { + const sel = document.getSelection() + const range_1 = new Range() + const noscript = document.getElementById('id_24') + const map = document.getElementById('id_26') + sel.selectAllChildren(noscript) + const range_2 = range_1.cloneRange() + range_2.selectNode(map) + const frag = range_2.extractContents() + range_2.insertNode(noscript) + document.documentElement.contentEditable = true + document.execCommand('removeFormat', false,) + noscript.contentEditable = false + document.execCommand('insertText', false, '�\n') + } + + window.addEventListener('load', start) + </script> +</head> +<body> +<big class=""> + <map class="" id="id_26"> + <noscript class="" id="id_24"> +</body> +</html> diff --git a/editor/libeditor/crashtests/1547897.html b/editor/libeditor/crashtests/1547897.html new file mode 100644 index 0000000000..9543048e6c --- /dev/null +++ b/editor/libeditor/crashtests/1547897.html @@ -0,0 +1,25 @@ +<html> +<head> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // last text node of the <body> (end of the text node after the <p hidden>). + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + getSelection().setPosition( + document.querySelector("hr"), + 0 + ); + document.execCommand("delete"); +} +</script> +<body onload="onLoad()"> +<p hidden> + <canvas contenteditable> + <hr contenteditable> + 3uW4*</hr></canvas> +</p> +</body> +</html> diff --git a/editor/libeditor/crashtests/1547898.html b/editor/libeditor/crashtests/1547898.html new file mode 100644 index 0000000000..696e429e0b --- /dev/null +++ b/editor/libeditor/crashtests/1547898.html @@ -0,0 +1,16 @@ +<html> +<head> + <script> + function jsfuzzer () { + window.find('1') + const selection = window.getSelection() + selection.extend(document.getElementById('list_item')) + document.getElementById('list_item').contentEditable = 'true' + document.execCommand('indent', false) + } + </script> +</head> +<body onload=jsfuzzer()> +<li id="list_item">16</li> +</body> +</html> diff --git a/editor/libeditor/crashtests/1556799.html b/editor/libeditor/crashtests/1556799.html new file mode 100644 index 0000000000..7c213b1f27 --- /dev/null +++ b/editor/libeditor/crashtests/1556799.html @@ -0,0 +1,18 @@ +<script> +function onError() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <dl> which is the last deepest child of the <body>. + const dl = document.querySelector("dl"); + getSelection().collapse(dl.lastChild, dl.lastChild.length); + getSelection().selectAllChildren( + document.querySelector("img") + ); + document.execCommand("insertUnorderedList"); + document.execCommand("enableObjectResizing"); +} +</script> +<dd contenteditable="true"> +<audio src="data:text/html,foo" onerror="onError()"> +<img></img> +<dl> +</dl></audio><dd></body> diff --git a/editor/libeditor/crashtests/1574544.html b/editor/libeditor/crashtests/1574544.html new file mode 100644 index 0000000000..26b2fee5ff --- /dev/null +++ b/editor/libeditor/crashtests/1574544.html @@ -0,0 +1,17 @@ +<style> +* { display: table-caption } +body { display: contents } +</style> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <th> which is the deepest last child of the <body>. + const th = document.querySelector("th"); + getSelection().collapse(th.lastChild, th.lastChild.length); + document.execCommand("enableInlineTableEditing"); +} +</script> +<body onload="onLoad()"> +<table contenteditable> +<th> +</th></table></body> diff --git a/editor/libeditor/crashtests/1578916.html b/editor/libeditor/crashtests/1578916.html new file mode 100644 index 0000000000..f1d79be804 --- /dev/null +++ b/editor/libeditor/crashtests/1578916.html @@ -0,0 +1,28 @@ +<script>
+function onLoad() {
+ const data = document.querySelector("data");
+ const source = document.querySelector("source");
+ // For emulating the traditional behavior, collapse Selection to end of the
+ // <data> which is the deepest last child (and a container) of the <body>.
+ getSelection().collapse(data, data.childNodes.length);
+ source.appendChild(
+ document.body.firstChild // The invisible text node
+ );
+ getSelection().setBaseAndExtent(
+ data.appendChild(source),
+ 0,
+ source,
+ 1
+ );
+ document.querySelector("audio")
+ .addEventListener("DOMCharacterDataModified", () => {
+ getSelection().removeAllRanges()
+ });
+ document.execCommand("delete");
+}
+</script>
+<body onload="onLoad()">
+<audio>
+<li contenteditable>
+<data>
+<source>
diff --git a/editor/libeditor/crashtests/1579934.html b/editor/libeditor/crashtests/1579934.html new file mode 100644 index 0000000000..55be305e2f --- /dev/null +++ b/editor/libeditor/crashtests/1579934.html @@ -0,0 +1,39 @@ +<html><script>
+window["_gaUserPrefs"] = { ioo : function() { return true; } }
+</script><head>
+<meta charset="windows-1252"><script>
+function onLoad() {
+ const form = document.querySelector("form");
+ form.addEventListener("DOMCharacterDataModified", () => {
+ document.documentElement.appendChild(form);
+ });
+ document.execCommand("delete");
+}
+
+function onToggle() {
+ // For emulating the traditional behavior, collapse Selection to end of the
+ // text node node in the <button> which is the deepest last child of the
+ // <body>.
+ const button = document.querySelector("button");
+ getSelection().collapse(button.lastChild, button.lastChild.length);
+ document.querySelector("form").reset();
+}
+</script>
+</head><body onload="onLoad()">
+<details ontoggle="onToggle()" open>
+<dt contenteditable>
+</dt>
+</details><aside style="
+ position: fixed;
+ top: 0px;
+ right: 0px;
+ font-family: "Lucida Console", monospace;
+ background-color: rgb(242, 230, 217);
+ padding: 3px;
+ z-index: 10000;
+ text-align: center;
+ max-width: 120px;
+ opacity: 0;
+ transition: opacity 0.5s linear 0s;">1194 x 73</aside></body><form id="b"><keygen>
+<button autofocus>
+</button></form></html>
diff --git a/editor/libeditor/crashtests/1581246.html b/editor/libeditor/crashtests/1581246.html new file mode 100644 index 0000000000..e9c472c7d9 --- /dev/null +++ b/editor/libeditor/crashtests/1581246.html @@ -0,0 +1,21 @@ +<script>
+function onLoad() {
+ // For emulating the traditional behavior, collapse Selection to end of the
+ // text node in the <textarea> which is the last child of the <body>.
+ // However, it may be omitted by the parser. Therefore, this test tries to
+ // check the text node, but if it does not exist, uses the <textarea>.
+ const textarea = document.querySelector("textarea");
+ const textareaOrTextNode = textarea.lastChild ? textarea.lastChild : textarea;
+ getSelection().collapse(textareaOrTextNode, textareaOrTextNode.length);
+ document.querySelector("script").appendChild(
+ document.querySelector("li[contenteditable=false]")
+ );
+ document.execCommand("indent");
+ document.execCommand("delete");
+}
+</script>
+<body onload="onLoad()">
+<ul contenteditable>
+<li contenteditable="false">
+<textarea autofocus>
+</textarea>></li></ul></body>
diff --git a/editor/libeditor/crashtests/1596516.html b/editor/libeditor/crashtests/1596516.html new file mode 100644 index 0000000000..37b9c5889c --- /dev/null +++ b/editor/libeditor/crashtests/1596516.html @@ -0,0 +1,18 @@ +<html> +<head> + <script> + function start () { + const italic = document.createElementNS('http://www.w3.org/1999/xhtml', 'i') + italic.dir = '' + document.documentElement.contentEditable = 'true' + const selection = document.getSelection() + const range = selection.getRangeAt(0) + const attribute = italic.attributes.getNamedItem('dir') + range.setEnd(attribute, (2361162229 % attribute.childNodes)) + document.queryCommandState('heading') + } + + document.addEventListener('DOMContentLoaded', start) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1605741.html b/editor/libeditor/crashtests/1605741.html new file mode 100644 index 0000000000..7868adcf96 --- /dev/null +++ b/editor/libeditor/crashtests/1605741.html @@ -0,0 +1,14 @@ +<script> +addEventListener("load", () => { + const editingHost = document.querySelector("div[contenteditable]"); + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <div contenteditable> which is the last child of the + // <body>. + getSelection().collapse(editingHost.lastChild, editingHost.lastChild.length); + editingHost.addEventListener("DOMNodeRemoved", () => { + getSelection().collapse(null); + }); + document.execCommand("delete"); +}); +</script> +<div contenteditable>x</link></body> diff --git a/editor/libeditor/crashtests/1613521.html b/editor/libeditor/crashtests/1613521.html new file mode 100644 index 0000000000..7d59667559 --- /dev/null +++ b/editor/libeditor/crashtests/1613521.html @@ -0,0 +1,16 @@ +<script> +function go() { + window.find("1", true, false) + a.setAttribute("contenteditable", "true") + document.execCommand("forwardDelete", false) + document.execCommand("enableObjectResizing", false) +} +</script> +<dl id="a"> +<table> +<th> +GjdR1W3 +<svg> +<animateMotion onbegin="go()" /> +</tr> +<details ontoggle="go()" open> diff --git a/editor/libeditor/crashtests/1618906.html b/editor/libeditor/crashtests/1618906.html new file mode 100644 index 0000000000..cdb278f018 --- /dev/null +++ b/editor/libeditor/crashtests/1618906.html @@ -0,0 +1,17 @@ +<html> +<head> + <script> + window.addEventListener('load', () => { + const range = new Range() + const fragment = range.cloneContents() + range.selectNodeContents(document) + document.designMode = 'on' + document.replaceChild(fragment, document.documentElement) + const selection = window.getSelection() + selection.addRange(range) + document.execCommand('indent', false, null) + }) + </script> +</head> +</html> +<!-- COMMENT --> diff --git a/editor/libeditor/crashtests/1623166.html b/editor/libeditor/crashtests/1623166.html new file mode 100644 index 0000000000..75bbb20872 --- /dev/null +++ b/editor/libeditor/crashtests/1623166.html @@ -0,0 +1,21 @@ +<html> +<head> +<script> +document.addEventListener('DOMContentLoaded', () => { + const code = document.querySelector("code[contenteditable=false]"); + // For emulating the traditional behavior, collapse Selection to end of the + // last text node in the <code> which is the last inline container of the + // <body>. + getSelection().collapse(code.lastChild, code.lastChild.length); + code.querySelector("br").contentEditable = true; + document.execCommand("indent"); +}); +</script> +<body> +<b contenteditable hidden> + <script></script> + <code contenteditable="false"> + <br> +</body> +</head> +</html> diff --git a/editor/libeditor/crashtests/1623913.html b/editor/libeditor/crashtests/1623913.html new file mode 100644 index 0000000000..291bd65197 --- /dev/null +++ b/editor/libeditor/crashtests/1623913.html @@ -0,0 +1,30 @@ +<html> +<head> + <script> + async function start () { + const element_0 = document.createElementNS('', 's') + const svg = document.getElementById('id_8') + const math = document.getElementById('id_20') + const selection = window.getSelection() + const range = new Range() + range.setStartAfter(math) + range.insertNode(svg) + range.selectNodeContents(element_0) + document.documentElement.contentEditable = true + range.setStart(svg, (2760506212 % svg.childNodes)) + selection.addRange(range) + document.execCommand('insertOrderedList', false, null) + document.execCommand('insertParagraph', false, null) + } + + document.addEventListener('DOMContentLoaded', start) + </script> +</head> +<body> +<svg id='id_8'> + <metadata xml:space='preserve'> +</svg> +<math id='id_20'> +</math> +</body> +</html> diff --git a/editor/libeditor/crashtests/1624005.html b/editor/libeditor/crashtests/1624005.html new file mode 100644 index 0000000000..9d277db6ed --- /dev/null +++ b/editor/libeditor/crashtests/1624005.html @@ -0,0 +1,14 @@ +<html> +<head> + <script> + window.addEventListener('load', () => { + const element = document.createElementNS('', 't') + document.designMode = 'on' + const range = new Range() + range.selectNodeContents(element) + range.surroundContents(document.documentElement) + document.execCommand('insertHorizontalRule', false, null) + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1624007.html b/editor/libeditor/crashtests/1624007.html new file mode 100644 index 0000000000..06e35e1d50 --- /dev/null +++ b/editor/libeditor/crashtests/1624007.html @@ -0,0 +1,19 @@ +<html> +<head> + <script> + window.addEventListener('load', () => { + const element = document.createElement('t') + document.documentElement.appendChild(element) + document.documentElement.contentEditable = true + const selection = self.getSelection() + const range_1 = new Range() + range_1.setStart(element, (1715865858 % element.childNodes)) + document.execCommand('enableObjectResizing', false, true) + const range_2 = new Range() + selection.addRange(range_2) + selection.addRange(range_1) + document.execCommand('bold', false, null) + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1624011.html b/editor/libeditor/crashtests/1624011.html new file mode 100644 index 0000000000..98267f848d --- /dev/null +++ b/editor/libeditor/crashtests/1624011.html @@ -0,0 +1,12 @@ +<html> +<head> + <script> + window.addEventListener('load', () => { + document.designMode = 'on' + const selection = document.getSelection() + selection.empty() + document.queryCommandIndeterm('justifyFull') + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1626002.html b/editor/libeditor/crashtests/1626002.html new file mode 100644 index 0000000000..55099cb648 --- /dev/null +++ b/editor/libeditor/crashtests/1626002.html @@ -0,0 +1,27 @@ +<html> +<head> +<script> +addEventListener("load", () => { + const anchor = document.createElement("a"); + const b = document.createElement("b"); + const c = document.createElement("c"); + document.documentElement.appendChild(anchor); + anchor.appendChild(b); + b.setAttribute("contenteditable", "true"); + // For emulating the traditional behavior, collapse Selection to end of the + // <body> which must be empty because this test appends the new elements after + // the <body>. + const selection = self.getSelection(); + selection.collapse(document.body, document.body.childNodes.length); + b.appendChild(c); + c.outerHTML = '<s contenteditable="false"><b contenteditable="true">'; + selection.setBaseAndExtent(document, 0, document.documentElement, 0); + const range = selection.getRangeAt((260523900 % selection.rangeCount)); + selection.selectAllChildren(b); + range.collapse(false); + range.setEndAfter(document.documentElement); + range.extractContents(); +}); +</script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1636541.html b/editor/libeditor/crashtests/1636541.html new file mode 100644 index 0000000000..71a92817d8 --- /dev/null +++ b/editor/libeditor/crashtests/1636541.html @@ -0,0 +1,14 @@ +<html> +<head> + <script> + window.addEventListener('load', () => { + document.documentElement.contentEditable = true + document.execCommand('indent', false, null) + const selection = document.getSelection() + selection.collapse(document.documentElement, (3474956128 % document.documentElement.childNodes)) + document.execCommand('indent', false, null) + document.execCommand('outdent', false, null) + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1644903.html b/editor/libeditor/crashtests/1644903.html new file mode 100644 index 0000000000..175c6afda7 --- /dev/null +++ b/editor/libeditor/crashtests/1644903.html @@ -0,0 +1,19 @@ +<script> +window.onload = () => { + document.execCommand("undo"); +} +function onToggle() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <details> (<p> is closed before the <details>). + const details = document.querySelector("details"); + getSelection().collapse(details.lastChild, details.lastChild.length); + const link = document.querySelector("link"); + document.execCommand("delete"); + document.querySelector("iframe").contentDocument.adoptNode(link); +} +</script> +<p contenteditable> +<link item=""> +<details open ontoggle="onToggle()"> +<iframe></iframe> +</details></body> diff --git a/editor/libeditor/crashtests/1645983-1.html b/editor/libeditor/crashtests/1645983-1.html new file mode 100644 index 0000000000..c1bb7219a5 --- /dev/null +++ b/editor/libeditor/crashtests/1645983-1.html @@ -0,0 +1,11 @@ +<div contenteditable> a</div> +<script> +// For emulating the traditional behavior, collapse Selection to end of the +// text node in this <script>. +const script = document.querySelector("script"); +getSelection().collapse(script.lastChild, script.lastChild.length); +const editingHost = document.querySelector("div[contenteditable]"); +editingHost.insertBefore(document.createTextNode(""), editingHost.firstChild); +getSelection().collapse(editingHost.firstChild.nextSibling, 2); +document.execCommand("delete"); +</script></body> diff --git a/editor/libeditor/crashtests/1645983-2.html b/editor/libeditor/crashtests/1645983-2.html new file mode 100644 index 0000000000..132c1381f3 --- /dev/null +++ b/editor/libeditor/crashtests/1645983-2.html @@ -0,0 +1,14 @@ +<!doctype html> +<div contenteditable>abc<span></span><span></span></div> +<script> +// For emulating the traditional behavior, collapse Selection to end of the +// text node after this <script>. +getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length +); +const editingHost = document.querySelector("div[contenteditable]"); +getSelection().collapse(editingHost, 3); +document.execCommand("insertText", false, " "); +</script> +</body> diff --git a/editor/libeditor/crashtests/1648564.html b/editor/libeditor/crashtests/1648564.html new file mode 100644 index 0000000000..f82ec3d8e6 --- /dev/null +++ b/editor/libeditor/crashtests/1648564.html @@ -0,0 +1,29 @@ +<script> +window.addEventListener('load', () => { + // For emulating the traditional behavior, collapse Selection to end of the + // <body> (at the comment node). + getSelection().collapse(document.body, document.body.childNodes.length); + const map = document.querySelector("map"); + const anchor = document.querySelector("a"); + map.replaceChild( + anchor, + map.childNodes[(2828994049 % map.childNodes.length)] + ); + anchor.innerHTML = "<o>"; + getSelection().setBaseAndExtent( + document, + (2019424593 % document.childNodes.length), + document.documentElement, + (3503355750 % document.documentElement.childNodes.length) + ); + document.designMode = "on"; + document.execCommand("forwardDelete"); + document.execCommand("forwardDelete"); +}); +</script> +<sub contenteditable> +<map> +<address></address> +<a> +</a> +<!-- COMMENT --></body> diff --git a/editor/libeditor/crashtests/1655508.html b/editor/libeditor/crashtests/1655508.html new file mode 100644 index 0000000000..e30aba0ca0 --- /dev/null +++ b/editor/libeditor/crashtests/1655508.html @@ -0,0 +1,34 @@ +<html> +<head> +<script> +document.addEventListener("DOMContentLoaded", () => { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body> (end of the text node after the <h3>). + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + const textarea = document.querySelector("textarea"); + const abbr = document.querySelector("abbr"); + let node; + document.addEventListener("DOMAttrModified", event => { + node = event.originalTarget.getRootNode({}); + abbr.insertBefore(textarea, abbr.childNodes[0]); + }, false); + abbr.contentEditable = false; + node.normalize(); + document.designMode = "on"; + document.execCommand("insertParagraph"); +}); +</script> +</head> +<body> +<dfn contenteditable> + <abbr></abbr> +</dfn> +<h3> + <textarea autofocus></textarea> + <script></script> +</h3> +</body> +</html> diff --git a/editor/libeditor/crashtests/1655539.html b/editor/libeditor/crashtests/1655539.html new file mode 100644 index 0000000000..094c7b2e30 --- /dev/null +++ b/editor/libeditor/crashtests/1655539.html @@ -0,0 +1,15 @@ +<script> + document.addEventListener('DOMContentLoaded', () => { + selection = document.getSelection() + element = document.createElementNS('', 'm') + document.documentElement.appendChild(element) + range = new Range() + range.setStartBefore(element) + selection.addRange(range) + document.documentElement.contentEditable = true + document.execCommand('forwardDelete', false, null) + }) +</script> +<iframe class='\'>'> +</iframe> +<!-- COMMENT -->
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1655988.html b/editor/libeditor/crashtests/1655988.html new file mode 100644 index 0000000000..666a5f8cb8 --- /dev/null +++ b/editor/libeditor/crashtests/1655988.html @@ -0,0 +1,29 @@ +<html> +<head> +<script> +document.addEventListener("DOMContentLoaded", () => { + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <body> (end of the text node after the + // <feDistantLight>). + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + const feDistantLight = document.querySelector("feDistantLight"); + const li = document.querySelector("li"); + li.after('foo'); + feDistantLight.addEventListener("DOMAttrModified", () => { + window.find("foo"); + document.execCommand("insertImage", false, "#"); + }) + feDistantLight.setAttribute("i", ""); +}); +</script> +</head> +<body> +<feDistantLight contenteditable> + <li>A</li> + <!-- COMMENT --> +</feDistantLight> +</body> +</html> diff --git a/editor/libeditor/crashtests/1659717.html b/editor/libeditor/crashtests/1659717.html new file mode 100644 index 0000000000..a3e9c59699 --- /dev/null +++ b/editor/libeditor/crashtests/1659717.html @@ -0,0 +1,14 @@ +<html><script type="text/javascript" id="__gaOptOutExtension">window["_gaUserPrefs"] = { ioo : function() { return true; } }</script><head>
+<meta http-equiv="content-type" content="text/html; charset=windows-1252">
+ <script>
+ document.addEventListener('DOMContentLoaded', async () => {
+ const selection = document.getSelection()
+ document.designMode = 'on'
+ selection.collapse(document, 0)
+ document.execCommand('forwardDelete', false, null)
+ })
+ </script>
+</head>
+<body>
+<aside style="position:fixed;top:0px;right:0px;font-family:"Lucida Console",monospace;background-color:#f2e6d9;padding:3px;z-index:10000;text-align:center;max-width:120px;opacity:0;transition:opacity linear;"></aside></body></html>
+<!-- COMMENT -->
\ No newline at end of file diff --git a/editor/libeditor/crashtests/1663725.html b/editor/libeditor/crashtests/1663725.html new file mode 100644 index 0000000000..7f4ffd62eb --- /dev/null +++ b/editor/libeditor/crashtests/1663725.html @@ -0,0 +1,18 @@ +<script> +window.onload = () => { + // For emulating the traditional behavior, collapse Selection to end of the + // <body> (at the text node after the <input>). + getSelection().collapse(document.body, document.body.childNodes.length); + document.execCommand("insertHorizontalRule"); + getSelection().collapse( + document.querySelector("b") + ); + document.execCommand("forwardDelete"); +} +function onFocusChangeOfInput() { + document.getSelection().setPosition(document.querySelector("pre")); +} +</script> +<pre> +<time contenteditable>a|</t> +<input onfocus="onFocusChangeOfInput()" autofocus onblur="onFocusChangeOfInput()"> diff --git a/editor/libeditor/crashtests/1666556.html b/editor/libeditor/crashtests/1666556.html new file mode 100644 index 0000000000..8c8c18574a --- /dev/null +++ b/editor/libeditor/crashtests/1666556.html @@ -0,0 +1,28 @@ +<script> +function onError() { + document.querySelector("details").appendChild( + document.querySelector("p") + ); + document.execCommand("indent"); +} + +function onLoadOfStyle() { + document.execCommand("delete"); + document.querySelector("details").contentEditable = "true"; + // For emulating the traditional behavior, collapse Selection to end of the + // text node at end of the <style> (end of the text node after the comment + // node). + const style = document.querySelector("style"); + getSelection().collapse(style.lastChild, style.lastChild.length); + document.querySelector("input").select(); +} +</script> +<video focus="false"> +<source onerror="onError()"> +</video> +<details open> +<p> +<input contenteditable="false"> +<style onload="onLoadOfStyle()"> +<!-- x --> +</style></p></details></body> diff --git a/editor/libeditor/crashtests/1677566.html b/editor/libeditor/crashtests/1677566.html new file mode 100644 index 0000000000..1546bb4601 --- /dev/null +++ b/editor/libeditor/crashtests/1677566.html @@ -0,0 +1,31 @@ +<!DOCTYPE html> +<html> +<head> +<script> +document.addEventListener('DOMContentLoaded', () => { + const table = document.querySelector("table"); + // For emulating traditional behavior, collapse Selection to end of the + // text node after the <p> (<table> does not close the <p>). + getSelection().collapse( + document.body.lastChild, + document.body.lastChild.length + ); + const paragraph = document.querySelector("p"); + document.documentElement.contentEditable = true; + getSelection().setBaseAndExtent(document, 0, document.documentElement, 1); + paragraph.contentEditable = false; + table.insertRow(0); + document.execCommand("forwardDelete"); +}); +</script> +</head> +<p> + <del> + <button contenteditable> + </button> + <table> + </table> + </del> +</p> +</body> +</html> diff --git a/editor/libeditor/crashtests/1691051.html b/editor/libeditor/crashtests/1691051.html new file mode 100644 index 0000000000..29aeae551c --- /dev/null +++ b/editor/libeditor/crashtests/1691051.html @@ -0,0 +1,15 @@ +<!DOCTYPE html> +<html> +<head> + <script> + window.addEventListener('load', () => { + document.documentElement.contentEditable = true + document.execCommand('selectAll', false, null) + document.addEventListener('DOMNodeRemoved', async (e) => { + e.currentTarget.writeln() + }, {}) + document.execCommand('insertLineBreak', false, null) + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/1699866.html b/editor/libeditor/crashtests/1699866.html new file mode 100644 index 0000000000..f8d700ec9c --- /dev/null +++ b/editor/libeditor/crashtests/1699866.html @@ -0,0 +1,22 @@ +<script> +window.onload = () => { + const font = document.querySelector("font"); + // For emulating traditional behavior, collapse Selection to end of the + // text node in the <font>. + getSelection().collapse(font.lastChild, font.lastChild.length); + const meta = document.querySelector("meta"); + meta.style.setProperty( + "text-decoration", + "overline underline line-through" + ); + meta.appendChild(font); + document.execCommand("selectAll"); + getSelection().extend(meta, 0); + document.execCommand("underline"); +} +</script> +<ins contenteditable> +a +<meta></meta> +<font> +</font></ins></body> diff --git a/editor/libeditor/crashtests/1701348.html b/editor/libeditor/crashtests/1701348.html new file mode 100644 index 0000000000..1e8c2fbaa7 --- /dev/null +++ b/editor/libeditor/crashtests/1701348.html @@ -0,0 +1,10 @@ +<style>
+.c { resize: both }
+</style>
+<script>
+window.onload = () => {
+ a.className = "a"
+ document.execCommand("delete", false)
+}
+</script>
+<input id="a" autofocus="autofocus" class="c">
diff --git a/editor/libeditor/crashtests/1707630.html b/editor/libeditor/crashtests/1707630.html new file mode 100644 index 0000000000..e62df20b1b --- /dev/null +++ b/editor/libeditor/crashtests/1707630.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<html> +<head> + <script> + window.addEventListener('load', () => { + document = document + document.documentElement = document.documentElement + document.addEventListener('DOMNodeInserted', (e) => { + e.currentTarget.removeChild(e.currentTarget.childNodes[(2731378636 % e.currentTarget.childNodes.length)]) + }, {}) + document.documentElement.contentEditable = true + document.execCommand('insertParagraph', false, null) + }) + </script> +</head> +</html> diff --git a/editor/libeditor/crashtests/336081-1.xhtml b/editor/libeditor/crashtests/336081-1.xhtml new file mode 100644 index 0000000000..5a499d9f51 --- /dev/null +++ b/editor/libeditor/crashtests/336081-1.xhtml @@ -0,0 +1,52 @@ +<html xmlns="http://www.w3.org/1999/xhtml" class="reftest-wait"> +<head> +<script> +<![CDATA[ + +function foop(targetWindow) +{ + var targetDocument = targetWindow.document; + + var r1 = targetDocument.createRange(); + r1.setStart(targetDocument.getElementById("out1"), 0); + r1.setEnd (targetDocument.getElementById("out2"), 0); + targetWindow.getSelection().addRange(r1); + + var r2 = targetDocument.createRange(); + r2.setStart(targetDocument.getElementById("in1"), 0); + r2.setEnd (targetDocument.getElementById("in2"), 0); + targetWindow.getSelection().addRange(r2); + + targetDocument.execCommand('removeformat', false, null); + targetDocument.execCommand('outdent', false, null); +} + +function init() +{ + setTimeout(function() + { + var fd = window.frames[0].document; + fd.body.appendChild(fd.importNode(document.getElementById('rootish'), true)); + fd.designMode = 'on'; + foop(window.frames[0]); + document.documentElement.removeAttribute("class"); + }, 100); +} + +]]> +</script> +</head> + +<body onload="init()"> + +<iframe srcdoc="<html></html>" style="width: 95%; height: 500px;"/> + +<div id="rootish"> +<div id="out1"/> +<div id="in1"/> +<div id="in2"/> +<div id="out2"/> +</div> + +</body> +</html> diff --git a/editor/libeditor/crashtests/403965-1.xhtml b/editor/libeditor/crashtests/403965-1.xhtml new file mode 100644 index 0000000000..02993914d9 --- /dev/null +++ b/editor/libeditor/crashtests/403965-1.xhtml @@ -0,0 +1,7 @@ +<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> +<tbody contenteditable="true"/> +<frameset/> +<xul:box onbeforecopy="event.explicitOriginalTarget.parentNode.parentNode.removeChild(event.explicitOriginalTarget.parentNode)"> +<xul:box/> +</xul:box> +</html>
\ No newline at end of file diff --git a/editor/libeditor/crashtests/428489-1.html b/editor/libeditor/crashtests/428489-1.html new file mode 100644 index 0000000000..8eec1268b9 --- /dev/null +++ b/editor/libeditor/crashtests/428489-1.html @@ -0,0 +1,8 @@ +<html>
+<head>
+<title>Crash [@ nsHTMLEditor::GetPositionAndDimensions] when window gets removed during click on contenteditable absolute positioned element</title>
+</head>
+<body>
+<iframe id="content" src="data:text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%0A%3Cscript%3E%0Awindow.addEventListener%28%27DOMAttrModified%27%2C%20function%28e%29%20%7Bdump%28%27DOMAttrModified\n%27%29%3Bwindow.frameElement.parentNode.removeChild%28window.frameElement%29%3B%7D%2C%20true%29%3B%0A%3C/script%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%3Cdiv%20style%3D%22position%3A%20absolute%3B%22%20contenteditable%3D%22true%22%3EClicking%20on%20this%20should%20not%20crash%20Mozilla%0A%3C/body%3E%0A%3C/html%3E" style="width:1000px;height: 300px;"></iframe>
+</body>
+</html>
diff --git a/editor/libeditor/crashtests/429586-1.html b/editor/libeditor/crashtests/429586-1.html new file mode 100644 index 0000000000..a32df3b721 --- /dev/null +++ b/editor/libeditor/crashtests/429586-1.html @@ -0,0 +1,8 @@ +<html>
+<head>
+<title>Bug 429586 - Crash [@ nsEditor::EndUpdateViewBatch] with pasting and domattrmodified removing iframe</title>
+</head>
+<body>
+<iframe id="content" src="data:text/html;charset=utf-8,%3Chtml%3E%0A%3Chead%3E%0A%3C/head%3E%0A%3Cbody%20contenteditable%3D%22true%22%3E%0A%0A%3Cscript%3E%0Afunction%20dokey%28%29%7B%0Adocument.body.focus%28%29%3B%0Adocument.execCommand%28%27insertParagraph%27%2C%20false%2C%20%27%27%29%3B%0A%7D%0AsetTimeout%28dokey%2C200%29%3B%0A%0Adocument.addEventListener%28%27DOMAttrModified%27%2C%20function%28%29%20%7Bwindow.frameElement.parentNode.removeChild%28window.frameElement%29%7D%2C%20true%29%3B%0A%3C/script%3E%0A%3C/body%3E%0A%3C/html%3E"></iframe>
+</body>
+</html>
diff --git a/editor/libeditor/crashtests/431086-1.xhtml b/editor/libeditor/crashtests/431086-1.xhtml new file mode 100644 index 0000000000..c6c5d8d992 --- /dev/null +++ b/editor/libeditor/crashtests/431086-1.xhtml @@ -0,0 +1,22 @@ +<div xmlns="http://www.w3.org/1999/xhtml"> + +<script type="text/javascript"> + +function boom() +{ + var r = document.documentElement; + r.style.position = "absolute"; + r.contentEditable = "true"; + r.focus(); + r.contentEditable = "false"; + r.focus(); + r.contentEditable = "true"; + document.execCommand("subscript", false, null); + r.contentEditable = "false"; +} + +window.addEventListener("load", boom, false); + +</script> + +</div> diff --git a/editor/libeditor/crashtests/475132-1.xhtml b/editor/libeditor/crashtests/475132-1.xhtml new file mode 100644 index 0000000000..e721c55639 --- /dev/null +++ b/editor/libeditor/crashtests/475132-1.xhtml @@ -0,0 +1,21 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<script type="text/javascript"> +function onLoad() { + document.querySelector("td").contentEditable = "true"; + getSelection().collapse( + document.querySelector("td"), + document.querySelector("td").childNodes.length + ); + document.querySelector("td").focus(); + document.documentElement.contentEditable = "true"; + document.documentElement.focus(); + document.execCommand("indent"); + document.execCommand("insertParagraph"); +} +</script> +</head> + +<body onload="onLoad();" contenteditable="false"><td></td></body> + +</html> diff --git a/editor/libeditor/crashtests/503709-1.xhtml b/editor/libeditor/crashtests/503709-1.xhtml new file mode 100644 index 0000000000..867bebf1a9 --- /dev/null +++ b/editor/libeditor/crashtests/503709-1.xhtml @@ -0,0 +1,11 @@ +<html contenteditable="true" xmlns="http://www.w3.org/1999/xhtml"><head><script> + +function boom() +{ + document.execCommand("selectAll", false, ""); + try { document.execCommand("justifyfull", false, null); } catch(e) { } + try { document.execCommand("inserthorizontalrule", false, "false"); } catch(e) { } + document.execCommand("delete", false, null); +} + +</script></head>x y z<body onload="boom();"><div/></body></html> diff --git a/editor/libeditor/crashtests/513375-1.xhtml b/editor/libeditor/crashtests/513375-1.xhtml new file mode 100644 index 0000000000..4db5a42159 --- /dev/null +++ b/editor/libeditor/crashtests/513375-1.xhtml @@ -0,0 +1,19 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head contenteditable="true"> +<script type="text/javascript"> +<![CDATA[ +function onLoad() { + getSelection().collapse(document.body, document.body.childNodes.length); + const r = document.createRange(); + r.selectNode(document.body); + r.deleteContents(); + try { + document.execCommand("selectAll"); + } catch(e) {} +} +]]> +</script> +</head> + +<body onload="onLoad();" contenteditable="true"></body> +</html> diff --git a/editor/libeditor/crashtests/535632-1.xhtml b/editor/libeditor/crashtests/535632-1.xhtml new file mode 100644 index 0000000000..92470b8258 --- /dev/null +++ b/editor/libeditor/crashtests/535632-1.xhtml @@ -0,0 +1 @@ +<body xmlns="http://www.w3.org/1999/xhtml" style="margin: 200px;" contenteditable="true" onload="document.execCommand('outdent', false, null);" />
\ No newline at end of file diff --git a/editor/libeditor/crashtests/574558-1.xhtml b/editor/libeditor/crashtests/574558-1.xhtml new file mode 100644 index 0000000000..4e61ad02e7 --- /dev/null +++ b/editor/libeditor/crashtests/574558-1.xhtml @@ -0,0 +1,15 @@ +<html xmlns="http://www.w3.org/1999/xhtml"><head><script> +<![CDATA[ +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // text node in the <textarea> which is the deepest last child of the <body>. + const textarea = document.querySelector("textarea"); + getSelection().collapse(textarea.lastChild, textarea.lastChild.length); + document.execCommand("selectAll"); + document.execCommand("selectAll"); + document.execCommand("inserthtml", false, "<span><div>"); + const span = document.createElementNS("http://www.w3.org/1999/xhtml", "span"); + textarea.appendChild(span); +} +]]> +</script></head><div contenteditable="true"></div><body onload="onLoad();"><textarea>f</textarea></body></html> diff --git a/editor/libeditor/crashtests/580151-1.xhtml b/editor/libeditor/crashtests/580151-1.xhtml new file mode 100644 index 0000000000..3799411117 --- /dev/null +++ b/editor/libeditor/crashtests/580151-1.xhtml @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +var t; + +function boom() +{ + var b = document.createElementNS("http://www.w3.org/1999/xhtml", "body"); + t = document.createElementNS("http://www.w3.org/1999/xhtml", "textarea"); + b.appendChild(t); + document.removeChild(document.documentElement) + document.appendChild(b) + document.removeChild(document.documentElement) + var ns = document.createElementNS("http://www.w3.org/1999/xhtml", "script"); + var nt = document.createTextNode("t.appendChild(document.createTextNode(' '));"); + ns.appendChild(nt); + b.appendChild(ns); + document.appendChild(b); +} + +</script> +</head> +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/582138-1.xhtml b/editor/libeditor/crashtests/582138-1.xhtml new file mode 100644 index 0000000000..afcec2eba1 --- /dev/null +++ b/editor/libeditor/crashtests/582138-1.xhtml @@ -0,0 +1,10 @@ +<html xmlns="http://www.w3.org/1999/xhtml"><mtr xmlns="http://www.w3.org/1998/Math/MathML"><td id="cell" xmlns="http://www.w3.org/1999/xhtml"></td></mtr><script> +function boom() +{ + document.getElementById("cell").contentEditable = true; + document.getElementById("cell").focus(); + document.execCommand("inserthtml", false, "x"); +} + +window.addEventListener("load", boom, false); +</script></html> diff --git a/editor/libeditor/crashtests/633709.xhtml b/editor/libeditor/crashtests/633709.xhtml new file mode 100644 index 0000000000..75ad518b8f --- /dev/null +++ b/editor/libeditor/crashtests/633709.xhtml @@ -0,0 +1,68 @@ +<html xmlns="http://www.w3.org/1999/xhtml" class="reftest-wait"> + +<body><div contenteditable="true"></div><div><input><div></div></input></div></body> + +<script> +<![CDATA[ +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // parent <div> of the <input>. In XHTML document, the <input> may have the + // <div> child. Therefore, the deepest last child container element of the + // <body> is the parent of the <input>. + getSelection().collapse( + document.querySelector("input").parentElement, + document.querySelector("input").parentElement.childNodes.length + ); + document.querySelector("input").focus(); + + try { + document.execCommand("stylewithcss", false, "true"); + } catch(e) {} + try { + document.execCommand("inserthtml", false, "<x>X</x>"); + } catch(e) {} + try { + document.execCommand("underline"); + } catch(e) {} + try { + document.execCommand("justifyfull"); + } catch(e) {} + try { + document.execCommand("underline"); + } catch(e) {} + try { + document.execCommand("insertParagraph"); + } catch(e) {} + try { + document.execCommand("delete"); + } catch(e) {} + + try { + document.execCommand("stylewithcss", false, "false"); + } catch(e) {} + try { + document.execCommand("inserthtml", false, "<x>X</x>"); + } catch(e) {} + try { + document.execCommand("underline"); + } catch(e) {} + try { + document.execCommand("justifyfull"); + } catch(e) {} + try { + document.execCommand("underline"); + } catch(e) {} + try { + document.execCommand("insertParagraph"); + } catch(e) {} + try { + document.execCommand("delete"); + } catch(e) {} + + document.documentElement.removeAttribute("class"); +} +addEventListener("load", onLoad); +]]> +</script> + +</html> diff --git a/editor/libeditor/crashtests/639736-1.xhtml b/editor/libeditor/crashtests/639736-1.xhtml new file mode 100644 index 0000000000..1aea3040e0 --- /dev/null +++ b/editor/libeditor/crashtests/639736-1.xhtml @@ -0,0 +1,19 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<script> +function onLoad() { + // For emulating the traditional behavior, collapse Selection to end of the + // <td> which is the deepest last child of the <body>. + getSelection().collapse( + document.querySelector("td"), + document.querySelector("td").childNodes.length + ); + try { + document.execCommand("removeformat"); + } catch(e) {} + document.adoptNode(document.documentElement); +} +</script> +</head> +<body onload="onLoad();"><td contenteditable="true"/></body> +</html> diff --git a/editor/libeditor/crashtests/713427-2.xhtml b/editor/libeditor/crashtests/713427-2.xhtml new file mode 100644 index 0000000000..39ac18ed07 --- /dev/null +++ b/editor/libeditor/crashtests/713427-2.xhtml @@ -0,0 +1,28 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<script> +<![CDATA[ + +function boom() +{ + while (document.documentElement.firstChild) { + document.documentElement.firstChild.remove(); + } + + var td = document.createElementNS("http://www.w3.org/1999/xhtml", "td"); + td.setAttributeNS(null, "contenteditable", "true"); + (document.documentElement).appendChild(td); + var head = document.createElementNS("http://www.w3.org/1999/xhtml", "head"); + (document.documentElement).appendChild(head); + + head.appendChild(td); +} + +window.addEventListener("load", boom); + +]]> +</script> +</head> + +<body></body> +</html> diff --git a/editor/libeditor/crashtests/766360.html b/editor/libeditor/crashtests/766360.html new file mode 100644 index 0000000000..76c30456d6 --- /dev/null +++ b/editor/libeditor/crashtests/766360.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var r = document.createRange(); + r.setEnd(document.createTextNode("x"), 0); + window.getSelection().addRange(r); + document.execCommand("inserthtml", false, "y"); +} + +</script> +</head> + +<body contenteditable="true" onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/766387.html b/editor/libeditor/crashtests/766387.html new file mode 100644 index 0000000000..a819bf7f89 --- /dev/null +++ b/editor/libeditor/crashtests/766387.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> +<script> +function onLoad() { + const editingHost = document.querySelectorAll("div[contenteditable]"); + // For emulating the traditional behavior, collapse Selection to end of the + // last <div contenteditable> which is the deepest last child of the <body>. + getSelection().collapse(editingHost[1], editingHost[1].childNodes.length); + getSelection().removeAllRanges(); + const r = document.createRange(); + r.setStart(editingHost[0], 1); + r.setEnd(editingHost[1], 0); + getSelection().addRange(r); + document.execCommand("insertOrderedList"); +} +</script> +</head> + +<body onload="onLoad();"><div contenteditable>a</div><div contenteditable></div></body> +</html> diff --git a/editor/libeditor/crashtests/766413.html b/editor/libeditor/crashtests/766413.html new file mode 100644 index 0000000000..1a7092d92a --- /dev/null +++ b/editor/libeditor/crashtests/766413.html @@ -0,0 +1,42 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var root = document.documentElement; + while (root.firstChild) { + root.firstChild.remove(); + } + + var space = document.createTextNode(" "); + var body = document.createElementNS("http://www.w3.org/1999/xhtml", "body"); + root.contentEditable = "true"; + root.focus(); + document.execCommand("contentReadOnly", false, null); + root.appendChild(body); + root.contentEditable = "false"; + root.appendChild(space); + root.removeChild(body); + root.contentEditable = "true"; + + window.getSelection().removeAllRanges(); + var r1 = document.createRange(); + r1.setStart(root, 0); + r1.setEnd(root, 0); + window.getSelection().addRange(r1); + looseText = document.createTextNode("c"); + var r2 = document.createRange(); + r2.setStart(looseText, 0); + r2.setEnd(looseText, 0); + window.getSelection().addRange(r2); + + document.execCommand("forwardDelete", false, null); +} + +</script> +</head> + +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/766795.html b/editor/libeditor/crashtests/766795.html new file mode 100644 index 0000000000..b4ade30209 --- /dev/null +++ b/editor/libeditor/crashtests/766795.html @@ -0,0 +1,21 @@ +<html> +<head> +<script> + +function boom() +{ + var fragEl = document.createElement("span"); + fragEl.setAttribute("contenteditable", "true"); + fragEl.setAttribute("style", "position: absolute;"); + + var frag = document.createDocumentFragment(); + frag.appendChild(fragEl); + + window.getSelection().selectAllChildren(fragEl); +} + +</script> +</head> + +<body contenteditable="true" onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/766845.xhtml b/editor/libeditor/crashtests/766845.xhtml new file mode 100644 index 0000000000..409e210109 --- /dev/null +++ b/editor/libeditor/crashtests/766845.xhtml @@ -0,0 +1,27 @@ +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<script> +<![CDATA[ + +function boom() +{ + window.getSelection().removeAllRanges(); + var r1 = document.createRange(); + r1.setStart(document.body, 0); + r1.setEnd (document.body, 1); + window.getSelection().addRange(r1); + var r2 = document.createRange(); + r2.setStart(document.body, 1); + r2.setEnd (document.body, 2); + window.getSelection().addRange(r2); + if (document.queryCommandEnabled("inserthtml")) + document.execCommand("inserthtml", false, "1"); +} + +]]> +</script> +</head> + +<body contenteditable="true" onload="boom();"><div></div><div></div></body> + +</html> diff --git a/editor/libeditor/crashtests/767169.html b/editor/libeditor/crashtests/767169.html new file mode 100644 index 0000000000..a7673bce62 --- /dev/null +++ b/editor/libeditor/crashtests/767169.html @@ -0,0 +1,23 @@ +<html> +<head> +<script> + +// Document must not have a doctype to trigger the bug + +function boom() +{ + var root = document.documentElement; + while (root.firstChild) { root.firstChild.remove(); } + root.contentEditable = "true"; + document.removeChild(root); + document.appendChild(root); + window.getSelection().collapse(root, 0); + window.getSelection().extend(document, 1); + document.removeChild(root); +} + +</script> +</head> + +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/768748.html b/editor/libeditor/crashtests/768748.html new file mode 100644 index 0000000000..09206dce3f --- /dev/null +++ b/editor/libeditor/crashtests/768748.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<html contenteditable="true"> +<head> +<script> + +function boom() +{ + var looseText = document.createTextNode("x"); + window.getSelection().collapse(looseText, 0); + document.queryCommandState("insertorderedlist"); +} + +</script> +</head> +<body onload="setTimeout(boom, 0)"></body> +</html> diff --git a/editor/libeditor/crashtests/768765.html b/editor/libeditor/crashtests/768765.html new file mode 100644 index 0000000000..551e4ec6c3 --- /dev/null +++ b/editor/libeditor/crashtests/768765.html @@ -0,0 +1,36 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var root = document.documentElement; + + while (root.firstChild) { root.firstChild.remove(); } + + var body = document.createElementNS("http://www.w3.org/1999/xhtml", "body"); + var div = document.createElementNS("http://www.w3.org/1999/xhtml", "div"); + root.contentEditable = "true"; + root.appendChild(div); + root.removeChild(div); + root.insertBefore(body, root.firstChild); + + window.getSelection().removeAllRanges(); + var r0 = document.createRange(); + r0.setStart(body, 0); + r0.setEnd(body, 0); + window.getSelection().addRange(r0); + var r1 = document.createRange(); + r1.setStart(div, 0); + r1.setEnd(div, 0); + window.getSelection().addRange(r1); + + document.execCommand("inserthtml", false, "1"); +} + +</script> +</head> + +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/769008-1.html b/editor/libeditor/crashtests/769008-1.html new file mode 100644 index 0000000000..8ea8a3601d --- /dev/null +++ b/editor/libeditor/crashtests/769008-1.html @@ -0,0 +1,23 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var x = document.getElementById("x"); + + window.getSelection().removeAllRanges(); + + var range = document.createRange(); + range.setStart(x, 0); + range.setEnd(x, 0); + window.getSelection().addRange(range); + + document.execCommand("delete", false, "null"); +} + +</script> +</head> +<body contenteditable="true" onload="boom();"><div></div><span id="x"></span></body> +</html> diff --git a/editor/libeditor/crashtests/769967.xhtml b/editor/libeditor/crashtests/769967.xhtml new file mode 100644 index 0000000000..af07571591 --- /dev/null +++ b/editor/libeditor/crashtests/769967.xhtml @@ -0,0 +1,16 @@ +<html xmlns="http://www.w3.org/1999/xhtml" contenteditable="true" style="user-select: all;"><sub>x</sub><script> +function boom() +{ + window.getSelection().removeAllRanges(); + var r = document.createRange(); + r.setStart(document.documentElement, 0); + r.setEnd(document.documentElement, 0); + window.getSelection().addRange(r); + + document.execCommand("subscript", false, null); + document.execCommand("insertText", false, "y"); +} + +window.addEventListener("load", boom, false); + +</script></html> diff --git a/editor/libeditor/crashtests/771749.html b/editor/libeditor/crashtests/771749.html new file mode 100644 index 0000000000..9237364f2d --- /dev/null +++ b/editor/libeditor/crashtests/771749.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var root = document.documentElement; + root.contentEditable = "true"; + document.removeChild(root); + document.appendChild(root); + document.execCommand("insertunorderedlist", false, null); + document.execCommand("inserthtml", false, "<span></span>"); + document.execCommand("outdent", false, null); +} + +</script> +</head> + +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/772282.html b/editor/libeditor/crashtests/772282.html new file mode 100644 index 0000000000..bba3d6bd67 --- /dev/null +++ b/editor/libeditor/crashtests/772282.html @@ -0,0 +1,27 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var root = document.documentElement; + while(root.firstChild) { root.firstChild.remove(); } + var body = document.createElementNS("http://www.w3.org/1999/xhtml", "body"); + body.setAttributeNS(null, "contenteditable", "true"); + var img = document.createElementNS("http://www.w3.org/1999/xhtml", "img"); + body.appendChild(img); + root.appendChild(body); + document.removeChild(root); + document.appendChild(root); + document.execCommand("insertText", false, "5"); + document.execCommand("selectAll", false, null); + document.execCommand("insertParagraph", false, null); + document.execCommand("increasefontsize", false, null); +} + +</script> +</head> + +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/776323.html b/editor/libeditor/crashtests/776323.html new file mode 100644 index 0000000000..9fc2776c37 --- /dev/null +++ b/editor/libeditor/crashtests/776323.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> +<html contenteditable="true"> +<head> +<script> + +function boom() +{ + document.execCommand("inserthtml", false, "b"); + var myrange = document.createRange(); + myrange.selectNodeContents(document.getElementsByTagName("img")[0]); + window.getSelection().addRange(myrange); + document.execCommand("strikethrough", false, null); +} + +</script> +</head> +<body onload="boom();"><img></body> +</html> diff --git a/editor/libeditor/crashtests/793866.html b/editor/libeditor/crashtests/793866.html new file mode 100644 index 0000000000..4984474dbc --- /dev/null +++ b/editor/libeditor/crashtests/793866.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> +<script> + +function boom() +{ + var b = document.body; + b.contentEditable = "true"; + document.execCommand("contentReadOnly", false, null); + b.focus(); + b.contentEditable = "false"; + document.documentElement.contentEditable = "true"; + document.createDocumentFragment().appendChild(b); + document.documentElement.focus(); +} + +</script> +</head> +<body onload="boom();"></body> +</html> diff --git a/editor/libeditor/crashtests/848644.html b/editor/libeditor/crashtests/848644.html new file mode 100644 index 0000000000..95570fabe3 --- /dev/null +++ b/editor/libeditor/crashtests/848644.html @@ -0,0 +1,2 @@ +<!DOCTYPE html> +<iframe src="data:text/html;charset=utf-8;base64,PGh0bWw+CjxoZWFkPgoJPHNjcmlwdD4KCQoJCXZhciBuID0gMDsKCQkKICAgICAgICB2YXIgU3ByYXkgPSBbXTsgICAgICAgICAgICAKICAgICAgICB2YXIgblNwcmF5ID0gMHgxMDA7ICAgICAgICAKCiAgICAKICAgIGZ1bmN0aW9uIHB0clRvU3RyaW5nKHB0cikKICAgIHsKICAgICAgICB2YXIgdGVtcCA9IHB0ci50b1N0cmluZygxNik7CiAgICAgICAgd2hpbGUgKHRlbXAubGVuZ3RoIDwgOCkKICAgICAgICAgICAgdGVtcCA9ICIwIiArIHRlbXA7CiAgICAgICAgYWQgPSAiJXUiOwogICAgICAgIGZvciAodmFyIGk9MDsgaTw0OyBpKyspCiAgICAgICAgICAgIGFkID0gYWQgKyB0ZW1wLmNoYXJBdCg0K2kpOwogICAgICAgIGFkICs9ICIldSI7CiAgICAgICAgZm9yICh2YXIgaT0wOyBpPDQ7IGkrKykKICAgICAgICAgICAgYWQgPSBhZCArIHRlbXAuY2hhckF0KGkpOwogICAgICAgIHJldHVybiBhZDsKICAgIH0KCiAgICAgICBmdW5jdGlvbiBzcHJheU1lbW9yeSgpCiAgICB7CiAgICAgICAgdmFyIHBhZ2Vfc2l6ZSA9IDB4MTAwMDAwIC0gMHgxMDAwOwogICAgICAgIHZhciBibG9jayA9ICIiOwoKICAgICAgICB3aGlsZSAoYmxvY2subGVuZ3RoICogMiA8IDB4MEM0KzB4MjAyMCkKICAgICAgICAgICAgYmxvY2sgKz0gcGFjaygweDkwOTA5MDkwKTsKICAgICAgICAKICAgICAgICB3aGlsZSAoYmxvY2subGVuZ3RoICogMiA8IHBhZ2Vfc2l6ZSkKICAgICAgICAgICAgYmxvY2sgKz0gIlx1OTA5MFx1OTA5MCI7CiAgICAgICAgICAgIAogICAgICAgIHZhciBzcHIgPSBibG9jay5zdWJzdHJpbmcoMCwgcGFnZV9zaXplIC8gMik7CiAgICAgICAgCiAgICAgICAgZm9yICh2YXIgaSA9IDA7IGkgPCBuU3ByYXk7IGkrKykKICAgICAgICAgICAgU3ByYXlbaV0gPSBbc3ByXS5qb2luKCIiKTsKICAgIH0KICAgICAgICAKCQlmdW5jdGlvbiBwYWNrKGEpCgkJewoJCQlyZXR1cm4gU3RyaW5nLmZyb21DaGFyQ29kZShhICYgMHhGRkZGKSArIFN0cmluZy5mcm9tQ2hhckNvZGUoYSA+PiAxNik7CgkJfQoJCQoJCXZhciAkID0gZnVuY3Rpb24oaWQpIHsgcmV0dXJuIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKGlkKTsgfQoJCQoJCXZhciBhbGxvYyA9IGZ1bmN0aW9uKHN6LCBwYXR0ZXJuPSdcdTQxNDEnKQoJCXsKCQkJc3ogLT0gMjsKCQkJaWYgKHN6IDwgMCkKCQkJCXJldHVybiBudWxsOwoJCQkKCQkJdmFyIHN0ciA9IHBhdHRlcm47CgkJCXdoaWxlIChzdHIubGVuZ3RoICogMiA8IHN6KQoJCQkJc3RyICs9IHBhdHRlcm47CgkJCgkJCXJldHVybiBzdHIuc3Vic3RyaW5nKDAsIHN6LzIpOwoJCX0KCQkKCQlmdW5jdGlvbiBhcHBlbmRJbnB1dChuLCB3aXRoSWRzPWZhbHNlKSAKCQl7CgkJCXZhciBib2R5ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiYm9keSIpCgkJCXZhciBibG9jayA9IHBhY2soMHgyMDIwMjAyMCk7CgkJCXdoaWxlIChibG9jay5sZW5ndGggKiAyIDwgMHg1NCkKCQkJCWJsb2NrICs9IHBhY2soMHgyMDIwMjAyMCk7CgkJCWJsb2NrICs9IHBhY2soMHgyMDIwMjAyMCk7CgkJCXdoaWxlIChibG9jay5sZW5ndGggKiAyIDwgMHhDNCkKCQkJCWJsb2NrICs9IHBhY2soMHgyMDIwMjAyMCk7CgkJCWJsb2NrICs9IHBhY2soMHgyMDIwMjAyMCk7CgkJCXdoaWxlIChibG9jay5sZW5ndGggKiAyIDwgMHgyRDQgLSAyKQoJCQkJYmxvY2sgKz0gcGFjaygweDIwMjAyMDIwKTsKCQkgICAgdmFyIGIgPSBibG9jay5zdWJzdHJpbmcoMCwgMHgyRDIpOwoJCQlmb3IgKHZhciBpID0wOyBpPG47IGkrKykgCgkJCXsKCQkJCXZhciBpbnB1dCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2lucHV0JykKCQkJCWlmICh3aXRoSWRzID09IHRydWUpCgkJCQkJaW5wdXQuc2V0QXR0cmlidXRlKCdpZCcsICdpbnB1dCcgKyBpKTsKCQkJCWlucHV0LnZhbHVlID0gYgoJCQkJZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChpbnB1dCkKCQkJfQoJCX0KCQkKCQlmdW5jdGlvbiBjcmFmdEhlYXAobikKCQl7CgkJCWFwcGVuZElucHV0KG4sIHRydWUpOwoJCQlmb3IgKHZhciBpID0gMDsgaSA8IG47IGkgKz0gMikKCQkJCWRvY3VtZW50LmJvZHkucmVtb3ZlQ2hpbGQoJCgnaW5wdXQnICsgaSkpOwoJCX0KCQkKCQlmdW5jdGlvbiBzdGFydEZ1bigpCgkJewogICAgICAgICAgICAgICAgICAgICAgICBkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuZ2V0Qm91bmRpbmdDbGllbnRSZWN0KCk7CgkJCWNyYWZ0SGVhcCgweDEwKTsKCQkJZG9jdW1lbnQuZGVzaWduTW9kZSA9ICJvbiI7CgkJCWRvY3VtZW50LmRvY3VtZW50RWxlbWVudC5zdHlsZS5oZWlnaHQgPSAiMjAwcHgiOwoJCQkkKCdpZDEnKS5vZmZzZXRUb3A7CgkJfQoJCQoJCQoJCWZ1bmN0aW9uIGNhbGNNZUJhYmUoKQoJCXsKCQkJbisrOwoJCQlkb2N1bWVudC5leGVjQ29tbWFuZCgiaW5zZXJ0T3JkZXJlZExpc3QiLGZhbHNlLHRydWUpOwoJCQlkb2N1bWVudC53cml0ZSgnQUFBQUFBQUFBQUFBJyk7CQkKICAgICAgICAgICAgc3ByYXlNZW1vcnkoKTsKCQkJYXBwZW5kSW5wdXQoMHgxMDApOwoJCQkKCQkJZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50LnN0eWxlLmhlaWdodCA9ICIzMDBweCI7CgkJCWlmIChuID09IDIpCgkJCXsKICAgICAgICAgICAgICAgIHdpbmRvdy5yZW1vdmVFdmVudExpc3RlbmVyKCJyZXNpemUiLCBjYWxjTWVCYWJlLCBmYWxzZSk7CgkJCQloaXN0b3J5LmdvKC0xKTsKCQkJfQoKCQl9CgkJd2luZG93LmFkZEV2ZW50TGlzdGVuZXIoInJlc2l6ZSIsIGNhbGNNZUJhYmUsIGZhbHNlKTsKCTwvc2NyaXB0Pgo8L2hlYWQ+Cgk8Ym9keT4KCQk8ZGl2IGlkPSdpZDEnPiAgICA8L2Rpdj4KCQk8c2NyaXB0PnN0YXJ0RnVuKCk7PC9zY3JpcHQ+Cgk8L2JvZHk+CjwvaHRtbD4K" style="width: 100px; height: 100px"></iframe> diff --git a/editor/libeditor/crashtests/crashtests.list b/editor/libeditor/crashtests/crashtests.list new file mode 100644 index 0000000000..bc9b7a3f2d --- /dev/null +++ b/editor/libeditor/crashtests/crashtests.list @@ -0,0 +1,117 @@ +load 336081-1.xhtml +load 403965-1.xhtml +load 428489-1.html +load 429586-1.html +load 431086-1.xhtml +load 475132-1.xhtml +load 503709-1.xhtml +load 513375-1.xhtml +load 535632-1.xhtml +load 574558-1.xhtml +load 580151-1.xhtml +load 582138-1.xhtml +load 633709.xhtml +load 639736-1.xhtml +load 713427-2.xhtml +load 766360.html +load 766387.html +load 766413.html +load 766795.html +load 766845.xhtml +load 767169.html +load 768748.html +load 768765.html +load 769008-1.html +load 769967.xhtml +needs-focus load 771749.html +load 772282.html +load 776323.html +needs-focus load 793866.html +load 848644.html +load 1057677.html +needs-focus load 1128787.html +load 1134545.html +load 1158452.html +load 1158651.html +load 1244894.xhtml +load 1264921.html +load 1272490.html +load 1274050.html +load 1317704.html +load 1317718.html +load 1324505.html +needs-focus load 1343918.html +load 1344097.html +load 1345015.html +load 1348851.html +load 1350772.html +load 1364133.html +load 1366176.html +load 1375131.html +load 1381541.html +load 1383747.html +load 1383755.html +load 1383763.html +load 1384161.html +load 1388075.html +load 1393171.html +needs-focus load 1402196.html +load 1402469.html +load 1402526.html +pref(dom.document.exec_command.nested_calls_allowed,true) asserts(1) load 1402904.html # assertion is that mutation event listener caused by execCommand calls another execCommand +pref(dom.document.exec_command.nested_calls_allowed,true) asserts(1) load 1405747.html # assertion is that mutation event listener caused by execCommand calls another execCommand +load 1405897.html +load 1408170.html +asserts(0-1) load 1414581.html +load 1415231.html +load 1423767.html +needs-focus load 1423776.html +skip-if(ThreadSanitizer) needs-focus load 1424450.html # bug 1718775, permafail on tsan +load 1425091.html +load 1426709.html +needs-focus load 1429523.html +needs-focus load 1429523.xhtml +load 1441619.html +load 1443664.html +skip-if(Android) needs-focus load 1444630.html +load 1446451.html +pref(dom.document.exec_command.nested_calls_allowed,true) load 1464251.html +pref(layout.accessiblecaret.enabled,true) load 1470926.html +pref(dom.document.exec_command.nested_calls_allowed,true) asserts(2) load 1474978.html # assertion is that mutation event listener caused by execCommand calls another execCommand +load 1517028.html +load 1525481.html +load 1533913.html +load 1534394.html +load 1547897.html +load 1547898.html +load 1556799.html +load 1579934.html +load 1574544.html +load 1578916.html +load 1581246.html +load 1596516.html +load 1605741.html +load 1613521.html +load 1618906.html +load 1623166.html +load 1623913.html +load 1624005.html # throws +load 1624007.html +load 1624011.html +load 1626002.html +load 1636541.html +load 1644903.html +load 1645983-1.html +load 1645983-2.html +load 1648564.html +load 1655539.html +load 1659717.html +load 1663725.html # throws +load 1655508.html +load 1655988.html +pref(dom.document.exec_command.nested_calls_allowed,true) load 1666556.html +load 1677566.html +load 1691051.html +load 1699866.html +load 1701348.html +load 1707630.html |