tor-browser

The Tor Browser

commit 78ef7e4afb5c7cc7ab9b48c0c8e32da79b119cf6
parent 29ef255b51cb85d7b31cf876f03308989c1bb57c
Author: Tom Schuster <tschuster@mozilla.com>
Date:   Tue, 16 Dec 2025 10:07:53 +0000

Bug 2004112 - Sanitizer: Do not crash for replaceWithChildrenElements: [html]. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D276494

Diffstat:
Mdom/security/sanitizer/Sanitizer.cpp | 5++++-
Mtesting/web-platform/tests/sanitizer-api/sanitizer-parseHTML.tentative.html | 29+++++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/dom/security/sanitizer/Sanitizer.cpp b/dom/security/sanitizer/Sanitizer.cpp
@@ -1613,7 +1613,10 @@ void Sanitizer::SanitizeChildren(nsINode* aNode, bool aSafe) {
 // and if configuration["replaceWithChildrenElements"] contains
 // elementName:
 if (mReplaceWithChildrenElements &&
- mReplaceWithChildrenElements->Contains(*elementName)) {
+ mReplaceWithChildrenElements->Contains(*elementName) &&
+ // Temporary fix for Bug 2004112
+ // To be specified by https://github.com/WICG/sanitizer-api/issues/365
+ !!child->GetParent()) {
 // Note: This follows nsTreeSanitizer by first inserting the
 // child's children in place of the current child and then
 // continueing the sanitization from the first inserted grandchild.
diff --git a/testing/web-platform/tests/sanitizer-api/sanitizer-parseHTML.tentative.html b/testing/web-platform/tests/sanitizer-api/sanitizer-parseHTML.tentative.html
@@ -40,6 +40,12 @@ text
 #document
 | <html>
 
+#data
+<html onload="3 + 3"><div>a
+#config
+{ "replaceWithChildrenElements": ["html"], "elements": ["head", "body", "div"] }
+#document
+
 </script>
 <script id="safe" type="html5lib-testcases">
 #data
@@ -81,6 +87,17 @@ text
 | "a"
 | "b"
 
+#data
+<html onload="2 + 2"><div>a
+#config
+{ "replaceWithChildrenElements": ["html"], "removeElements": [] }
+#document
+| <html>
+| <head>
+| <body>
+| <div>
+| "a"
+
 </script>
 <script id="unsafe" type="html5lib-testcases">
 #data
@@ -127,6 +144,18 @@ text
 | "a"
 | <!-- xx -->
 | "b"
+
+#data
+<html onload="2 + 2"><div>a
+#config
+{ "replaceWithChildrenElements": ["html"], "removeElements": [] }
+#document
+| <html>
+| onload="2 + 2"
+| <head>
+| <body>
+| <div>
+| "a"
 </script>
 <script id="document" type="html5lib-testcases">
 #data
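Review bot: The added `!!child->GetParent()` operand in the `if` condition of the Sanitizer.cpp hunk does not say why a missing parent matters, and the `!!` is redundant inside an `&&` chain. `nsINode::GetParent()` returns null when the parent is not an `nsIContent`, so the guard presumably skips the replace-with-children path for a direct child of the Document, which is the `<html>` root in the new test cases. I would write a plain `child->GetParent()` and extend the comment with something like `// GetParent() is null for a direct child of the Document; skip the replace there.` When the guard is false the element falls through to the later checks, which are outside this hunk; the new expectations (empty document with an `elements` allowlist, `<html>` kept and `onload` stripped in the safe case) rely on that, so the comment should also say the fall-through is intended until the spec issue is resolved. The body of SanitizeChildren begins and ends outside the hunk.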