Disallow mutating the internals of TextInput #20051
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Heads up! This PR modifies the following files:
|
highfive
added
the
S-awaiting-review
|
|
jonleighton
force-pushed
the
prevent-invalid-selections
branch
from
6d31431
to
66a0211
Compare
jonleighton
commented
Feb 14, 2018
|
|
||
| if *textinput.single_line_content() != value { | ||
| // Steps 1-2 | ||
| textinput.set_content(value, update_text_cursor); |
There was a problem hiding this comment.
Bit of a shame to reorder this, but it does prevent us setting the value, then getting it for the sanitize step and then setting it again after sanitization... and the outcome is the same.
jonleighton
force-pushed
the
prevent-invalid-selections
branch
from
66a0211
to
1421443
Compare
jdm
requested changes
Feb 15, 2018
| // Step 4. | ||
| if update_text_cursor { | ||
| self.sanitize_value(); | ||
| self.sanitize_value(&mut value); |
There was a problem hiding this comment.
No need to check update_text_cursor any more.
There was a problem hiding this comment.
Done (although that's not really specific to this change, since update_text_cursor is/was always true here)
jdm
added
S-needs-code-changes
jonleighton
force-pushed
the
prevent-invalid-selections
branch
from
1421443
to
cdca352
Compare
highfive
added
S-awaiting-review
jonleighton
force-pushed
the
prevent-invalid-selections
branch
from
cdca352
to
0d11f19
Compare
The TextInput::assert_ok_selection() method is meant to ensure that we are not getting into a state where a selection refers to a location in the control's contents which doesn't exist. However, before this change we could have a situation where the internals of the TextInput are changed by another part of the code, without using its public API. This could lead to us having an invalid selection. I did manage to trigger such a situation (see the test added in this commit) although it is quite contrived. There may be others that I didn't think of, and it's also possible that future changes could introduce new cases. (Including ones which trigger panics, if indexing is used on the assumption that the selection indices are always valid.) The current HTML specification doesn't explicitly say that selectionStart/End must remain within the length of the content, but that does seems to be the consensus reached in a discussion of this: whatwg/html#2424 The test case I've added here is currently undefined in the spec which is why I've added it in tests/wpt/mozilla.
jonleighton
force-pushed
the
prevent-invalid-selections
branch
from
0d11f19
to
32f7812
Compare
|
@bors-servo: r+ |
|
📌 Commit 32f7812 has been approved by |
highfive
added
S-awaiting-merge
4 tasks
bors-servo
pushed a commit
that referenced
this pull request
Feb 22, 2018
Disallow mutating the internals of TextInput The TextInput::assert_ok_selection() method is meant to ensure that we are not getting into a state where a selection refers to a location in the control's contents which doesn't exist. However, before this change we could have a situation where the internals of the TextInput are changed by another part of the code, without using its public API. This could lead to us having an invalid selection. I did manage to trigger such a situation (see the test added in this commit) although it is quite contrived. There may be others that I didn't think of, and it's also possible that future changes could introduce new cases. (Including ones which trigger panics, if indexing is used on the assumption that the selection indices are always valid.) The current HTML specification doesn't explicitly say that selectionStart/End must remain within the length of the content, but that does seems to be the consensus reached in a discussion of this: whatwg/html#2424 The test case I've added here is currently undefined in the spec which is why I've added it in tests/wpt/mozilla. <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/20051) <!-- Reviewable:end -->
|
☀️ Test successful - android, arm32, arm64, linux-dev, linux-rel-css, linux-rel-wpt, mac-dev-unit, mac-rel-css1, mac-rel-css2, mac-rel-wpt1, mac-rel-wpt2, mac-rel-wpt3, mac-rel-wpt4, windows-msvc-dev |
highfive
removed
the
S-awaiting-merge
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The TextInput::assert_ok_selection() method is meant to ensure that we
are not getting into a state where a selection refers to a location in
the control's contents which doesn't exist.
However, before this change we could have a situation where the
internals of the TextInput are changed by another part of the code,
without using its public API. This could lead to us having an invalid
selection.
I did manage to trigger such a situation (see the test added in this
commit) although it is quite contrived. There may be others that I
didn't think of, and it's also possible that future changes could
introduce new cases. (Including ones which trigger panics, if indexing
is used on the assumption that the selection indices are always valid.)
The current HTML specification doesn't explicitly say that
selectionStart/End must remain within the length of the content, but
that does seems to be the consensus reached in a discussion of this:
whatwg/html#2424
The test case I've added here is currently undefined in the spec which
is why I've added it in tests/wpt/mozilla.
This change is