From 0b6548613a4126193034d38242fb58a231e2c435 Mon Sep 17 00:00:00 2001
From: Gaming4JC
Date: Sat, 18 Jan 2020 20:26:28 -0500
Subject: Bug 1378079 - Part 2: Introduce throw-on-dynamic-markup-insertion counter.

Per spec, document objects have a throw-on-dynamic-markup-insertion counter, which is used in conjunction with the create an element for the token algorithm to prevent custom element constructors from being able to use document.open(), document.close(), and document.write() when they are invoked by the parser.

Tag UXP Issue #1344
---
 dom/html/nsHTMLDocument.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'dom/html/nsHTMLDocument.cpp')

diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index 1eeef737a..f530d75e1 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1401,6 +1401,11 @@ nsHTMLDocument::Open(JSContext* cx,
 return nullptr;
 }

+ if (ShouldThrowOnDynamicMarkupInsertion()) {
+ aError.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
+ return nullptr;
+ }
+
 // Set up the content type for insertion
 nsAutoCString contentType;
 contentType.AssignLiteral("text/html");
@@ -1608,6 +1613,11 @@ nsHTMLDocument::Close(ErrorResult& rv)
 return;
 }

+ if (ShouldThrowOnDynamicMarkupInsertion()) {
+ rv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
+ return;
+ }
+
 if (!mParser || !mParser->IsScriptCreated()) {
 return;
 }
@@ -1683,6 +1693,10 @@ nsHTMLDocument::WriteCommon(JSContext *cx,
 return NS_ERROR_DOM_INVALID_STATE_ERR;
 }

+ if (ShouldThrowOnDynamicMarkupInsertion()) {
+ return NS_ERROR_DOM_INVALID_STATE_ERR;
+ }
+
 if (mParserAborted) {
 // Hixie says aborting the parser doesn't undefine the insertion point.
 // However, since we null out mParser in that case, we track the
--
cgit v1.2.3
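Review bot: The guard added in `nsHTMLDocument::Open` (hunk @@ -1401), and repeated in `Close` (@@ -1608) and `WriteCommon` (@@ -1683), has no comment saying why the call is rejected, so the next reader has to find the commit message to learn it is the parser re-entrancy barrier. I would put above each one `// Throw while the parser is running a custom element constructor (throw-on-dynamic-markup-insertion counter > 0).` These checks are only as reliable as the counter's bookkeeping, and `ShouldThrowOnDynamicMarkupInsertion()` and its increment/decrement sites are not in this file-limited view. Please confirm in the rest of the series that the two are paired on every exit path of the constructor call, ideally through a scoped guard: a missed decrement would leave `document.write()` throwing for the rest of the document's life, and a missed increment would let a constructor re-enter the parser. All three function bodies start and end outside their hunks.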