LibWeb: Abort early processing frame/iframe attrs for null navigables

We guarded one step against a null navigable, but the very next step also needs to be protected. Let's just abort early instead. This was caught by the following imported WPT test: html/dom/elements/the-innertext-and-outertext-properties/innertext-setter.html This test adds a <frame> element and immediately removes it, but the task to process the src attribute is already queued. Note that <iframe> would have the same issue, but this test does not include them.
Author: https://github.com/trflynn89 Commit: https://github.com/LadybirdBrowser/ladybird/commit/50a31f97284 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2152 Reviewed-by: https://github.com/tcl3 ✅
2024-11-22 07:30:19 +00:00 · 2024-11-03 21:30:40 -05:00 · 2024-11-03 21:30:40 -05:00 · 50a31f9728 · 2024-11-04 09:55:41 +00:00
commit 50a31f9728
parent 16def85153
3 changed files with 30 additions and 6 deletions
--- a/Tests/LibWeb/Text/expected/HTML/HTMLFrameElement-add-remove.txt
+++ b/Tests/LibWeb/Text/expected/HTML/HTMLFrameElement-add-remove.txt
@ -0,0 +1 @@
+PASS! (Didn't crash)
--- a/Tests/LibWeb/Text/input/HTML/HTMLFrameElement-add-remove.html
+++ b/Tests/LibWeb/Text/input/HTML/HTMLFrameElement-add-remove.html
@ -0,0 +1,20 @@
+<head>
+    <script src="../include.js"></script>
+    <script>
+        asyncTest(done => {
+            let frameset = document.getElementById("frameset");
+
+            let frame = document.createElement("frame");
+            frameset.appendChild(frame);
+            frame.remove();
+
+            // Attempting to load the frame will happen in a task on the event loop, so defer completing this test until
+            // the event loop has spun once.
+            setTimeout(() => {
+                println("PASS! (Didn't crash)");
+                done();
+            })
+        });
+    </script>
+</head>
+<frameset id="frameset"></frameset>
--- a/Userland/Libraries/LibWeb/HTML/NavigableContainer.cpp
+++ b/Userland/Libraries/LibWeb/HTML/NavigableContainer.cpp
@ -194,6 +194,11 @@ HTML::WindowProxy* NavigableContainer::content_window()
 // https://html.spec.whatwg.org/multipage/iframe-embed-object.html#shared-attribute-processing-steps-for-iframe-and-frame-elements
 Optional<URL::URL> NavigableContainer::shared_attribute_processing_steps_for_iframe_and_frame(bool initial_insertion)
 {
+    // AD-HOC: If the element was added and immediately removed, the content navigable will be null. Don't process the
+    //         src attribute any further.
+    if (!m_content_navigable)
+        return {};
+
    // 1. Let url be the URL record about:blank.
    auto url = URL::URL("about:blank");

@ -209,12 +214,10 @@ Optional<URL::URL> NavigableContainer::shared_attribute_processing_steps_for_ifr

    // 3. If the inclusive ancestor navigables of element's node navigable contains a navigable
    //    whose active document's URL equals url with exclude fragments set to true, then return null.
-    if (m_content_navigable) {
-        for (auto const& navigable : document().inclusive_ancestor_navigables()) {
-            VERIFY(navigable->active_document());
-            if (navigable->active_document()->url().equals(url, URL::ExcludeFragment::Yes))
-                return {};
-        }
+    for (auto const& navigable : document().inclusive_ancestor_navigables()) {
+        VERIFY(navigable->active_document());
+        if (navigable->active_document()->url().equals(url, URL::ExcludeFragment::Yes))
+            return {};
    }

    // 4. If url matches about:blank and initialInsertion is true, then perform the URL and history update steps given element's content navigable's active document and url.