tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit ee56bb811043767d6740716b6b361077a56a74ef
parent c9050affc08bad0c2fdaf9768f40c4929918d12e
Author: Jan-Niklas Jaeschke <jjaschke@mozilla.com>
Date:   Sun,  7 Dec 2025 12:12:47 +0000

Bug 2004005 - CSS Highlight API: Don't add invalid static ranges to Selection. r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D275360

Diffstat:

Mdom/base/AbstractRange.h | 3+--


Mdom/base/Selection.cpp | 4+++-


Atesting/web-platform/tests/css/css-highlight-api/Highlight-invalid-static-range-crash.html | 23+++++++++++++++++++++++


3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/dom/base/AbstractRange.h b/dom/base/AbstractRange.h
@@ -168,8 +168,7 @@ class AbstractRange : public nsISupports,
    */
   bool IsInAnySelection() const { return !mSelections.IsEmpty(); }
 
-  MOZ_CAN_RUN_SCRIPT void RegisterSelection(
-      mozilla::dom::Selection& aSelection);
+  void RegisterSelection(mozilla::dom::Selection& aSelection);
 
   void UnregisterSelection(const mozilla::dom::Selection& aSelection,
                            IsUnlinking aIsUnlinking = IsUnlinking::No);
diff --git a/dom/base/Selection.cpp b/dom/base/Selection.cpp
@@ -1293,7 +1293,6 @@ nsresult Selection::StyledRanges::AddRangeAndIgnoreOverlaps(
   MOZ_ASSERT(mSelection.mSelectionType == SelectionType::eHighlight);
   if (aRange->IsStaticRange() && !aRange->AsStaticRange()->IsValid()) {
     mInvalidStaticRanges.AppendElement(StyledRange(aRange));
-    aRange->RegisterSelection(MOZ_KnownLive(mSelection));
     return NS_OK;
   }
 
@@ -1644,6 +1643,9 @@ void Selection::StyledRanges::ReorderRangesIfNecessary() {
       MOZ_ASSERT(iter->mRange->IsStaticRange());
       if (iter->mRange->AsStaticRange()->IsValid()) {
         mRanges.AppendElement(*iter);
+        if (!iter->mRange->IsInSelection(mSelection)) {
+          iter->mRange->RegisterSelection(mSelection);
+        }
         iter = mInvalidStaticRanges.RemoveElementAt(iter);
       } else {
         ++iter;
diff --git a/testing/web-platform/tests/css/css-highlight-api/Highlight-invalid-static-range-crash.html b/testing/web-platform/tests/css/css-highlight-api/Highlight-invalid-static-range-crash.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+
+<body onload="boom()">
+    <p id="A"></p>
+    <p id="B"></p>
+</body>
+
+<script>
+function boom() {
+    let highlight0 = new Highlight();
+
+    let range = new StaticRange({
+        endContainer: document.getElementById("A"),
+        startOffset: 1,
+        startContainer: document.getElementById("B"),
+        endOffset: 1,
+    });
+    CSS.highlights.set("highlight0", highlight0);
+
+    document.getElementById("A").remove();
+    highlight0.add(range);
+}
+</script>