Cherry-pick WebKit security fix (webkit.org r68096) Do not merge

See http://trac.webkit.org/changeset/68096

Note that this is not an exact cherry pick of the above webkit
CL as it is dependant on http://trac.webkit.org/changeset/61094
that we do not have and provides the Element::isIdAttributName and
Element::getIdAttribute methods. 61094 is a large change so we do
not take it, rather use methods that achieve the same effect.

Change-Id: Ifae90116f794673a610dd7988ba366a0b51888d9

4 files changed, 25 insertions, 5 deletions

diff --git a/WebCore/dom/Attr.cpp b/WebCore/dom/Attr.cpp
index 2ef5f9b..1272b38 100644
--- a/WebCore/dom/Attr.cpp
+++ b/WebCore/dom/Attr.cpp
@@ -117,13 +117,21 @@ String Attr::nodeValue() const
     return value();
 }
 
-void Attr::setValue(const AtomicString& value, ExceptionCode&)
+void Attr::setValue(const AtomicString& value)
 {
     m_ignoreChildrenChanged++;
     removeChildren();
     m_attribute->setValue(value);
     createTextChild();
     m_ignoreChildrenChanged--;
+}
+
+void Attr::setValue(const AtomicString& value, ExceptionCode&)
+{
+    if (m_element && m_attribute->name() == m_element->idAttributeName())
+        m_element->updateId(m_element->getIDAttribute(), value);
+
+    setValue(value);
 
     if (m_element)
         m_element->attributeChanged(m_attribute.get());
@@ -167,7 +175,10 @@ void Attr::childrenChanged(bool changedByParser, Node* beforeChange, Node* after
         if (n->isTextNode())
             val += static_cast<Text *>(n)->data();
     }
-    
+
+    if (m_element && m_attribute->name() == m_element->idAttributeName())
+        m_element->updateId(m_attribute->value(), val);
+
     m_attribute->setValue(val.impl());
     if (m_element)
         m_element->attributeChanged(m_attribute.get());
diff --git a/WebCore/dom/Attr.h b/WebCore/dom/Attr.h
index 2e02a02..e76d2fa 100644
--- a/WebCore/dom/Attr.h
+++ b/WebCore/dom/Attr.h
@@ -48,6 +48,7 @@ public:
 
     const AtomicString& value() const { return m_attribute->value(); }
     void setValue(const AtomicString&, ExceptionCode&);
+    void setValue(const AtomicString&);
 
     Attribute* attr() const { return m_attribute.get(); }
     const QualifiedName& qualifiedName() const { return m_attribute->name(); }
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index c631956..9b8ffb7 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -1112,8 +1112,10 @@ void Document::removeElementById(const AtomicString& elementId, Element* element
 
     if (m_elementsById.get(elementId.impl()) == element)
         m_elementsById.remove(elementId.impl());
-    else
+    else {
+        ASSERT(m_inRemovedLastRefFunction || m_duplicateIds.contains(elementId.impl()));
         m_duplicateIds.remove(elementId.impl());
+    }
 }
 
 Element* Document::getElementByAccessKey(const String& key) const
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index e12d326..93200a7 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -528,7 +528,10 @@ void Element::setAttribute(const AtomicString& name, const AtomicString& value,
     else if (!old && !value.isNull())
         namedAttrMap->addAttribute(createAttribute(QualifiedName(nullAtom, localName, nullAtom), value));
     else if (old && !value.isNull()) {
-        old->setValue(value);
+        if (Attr* attrNode = old->attr())
+            attrNode->setValue(value);
+        else
+            old->setValue(value);
         attributeChanged(old);
     }
 
@@ -557,7 +560,10 @@ void Element::setAttribute(const QualifiedName& name, const AtomicString& value,
     else if (!old && !value.isNull())
         namedAttrMap->addAttribute(createAttribute(name, value));
     else if (old) {
-        old->setValue(value);
+        if (Attr* attrNode = old->attr())
+            attrNode->setValue(value);
+        else
+            old->setValue(value);
         attributeChanged(old);
     }