Fix <https://bugs.webkit.org/show_bug.cgi?id=25164> / <rdar://problem/6786319>.

Reviewed by Darin Adler.

We need to ensure that XMLTokenizer sets the current DocLoader before calling in to
any libxml2 methods that may trigger a load.  The presence of a DocLoader indicates
that the load was originated by WebCore's use of libxml2 and that we should enforce
the same-origin policy on it.  XMLTokenizer::initializeParserContext,
XMLTokenizer::doWrite and XMLTokenizer::doEnd were three methods that were not setting
the current DocLoader when they should have.

The XMLTokenizerScope class is introduced to simplify the pattern of saving, setting and
restoring the current DocLoader and libxml2 error handlers.  The DocLoader and error handlers
are saved and set when the scope is allocated, and restored to their previous values when
the scope is exited.

Test: http/tests/security/xss-DENIED-xml-external-entity.xhtml

* GNUmakefile.am:
* WebCore.pro:
* WebCore.scons:
* WebCore.vcproj/WebCore.vcproj:
* WebCore.xcodeproj/project.pbxproj:
* dom/XMLTokenizer.cpp:
* dom/XMLTokenizer.h:
* dom/XMLTokenizerLibxml2.cpp:
(WebCore::matchFunc):
(WebCore::shouldAllowExternalLoad):
(WebCore::openFunc):
(WebCore::XMLTokenizer::doWrite):
(WebCore::XMLTokenizer::initializeParserContext):
(WebCore::XMLTokenizer::doEnd):
(WebCore::xmlDocPtrForString):
* dom/XMLTokenizerScope.cpp:
(WebCore::XMLTokenizerScope::XMLTokenizerScope):
(WebCore::XMLTokenizerScope::~XMLTokenizerScope):
* dom/XMLTokenizerScope.h:
* xml/XSLStyleSheet.cpp:
(WebCore::XSLStyleSheet::parseString):
* xml/XSLTProcessor.cpp:

git-svn-id: svn://svn.chromium.org/blink/trunk@42738 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2009-04-21  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Test for <https://bugs.webkit.org/show_bug.cgi?id=25164> / <rdar://problem/6786319>.
+
+        * http/tests/security/xss-DENIED-xml-external-entity-expected.txt: Copied from LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt.
+        * http/tests/security/xss-DENIED-xml-external-entity.xhtml: Copied from LayoutTests/http/tests/security/resources/xsl-using-external-entity.xsl.
+
 2009-04-21  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Dan Bernstein.

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt

+This test includes a cross-origin external entity. It passes if the load fails and thus there is no text below this line.
+

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity.xhtml

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE doc [ <!ENTITY ent SYSTEM "http://localhost:8000/security/resources/target.xml"> ]>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+<div>This test includes a cross-origin external entity.  It passes if the load
+fails and thus there is no text below this line.</div>
+<div>&ent;</div>
+</body>
+</html>

third_party/WebKit/WebCore/ChangeLog

+2009-04-21  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Fix <https://bugs.webkit.org/show_bug.cgi?id=25164> / <rdar://problem/6786319>.
+
+        We need to ensure that XMLTokenizer sets the current DocLoader before calling in to
+        any libxml2 methods that may trigger a load.  The presence of a DocLoader indicates
+        that the load was originated by WebCore's use of libxml2 and that we should enforce
+        the same-origin policy on it.  XMLTokenizer::initializeParserContext,
+        XMLTokenizer::doWrite and XMLTokenizer::doEnd were three methods that were not setting
+        the current DocLoader when they should have.
+
+        The XMLTokenizerScope class is introduced to simplify the pattern of saving, setting and
+        restoring the current DocLoader and libxml2 error handlers.  The DocLoader and error handlers
+        are saved and set when the scope is allocated, and restored to their previous values when
+        the scope is exited.
+
+        Test: http/tests/security/xss-DENIED-xml-external-entity.xhtml
+
+        * GNUmakefile.am:
+        * WebCore.pro:
+        * WebCore.scons:
+        * WebCore.vcproj/WebCore.vcproj:
+        * WebCore.xcodeproj/project.pbxproj:
+        * dom/XMLTokenizer.cpp:
+        * dom/XMLTokenizer.h:
+        * dom/XMLTokenizerLibxml2.cpp:
+        (WebCore::matchFunc):
+        (WebCore::shouldAllowExternalLoad):
+        (WebCore::openFunc):
+        (WebCore::XMLTokenizer::doWrite):
+        (WebCore::XMLTokenizer::initializeParserContext):
+        (WebCore::XMLTokenizer::doEnd):
+        (WebCore::xmlDocPtrForString):
+        * dom/XMLTokenizerScope.cpp:
+        (WebCore::XMLTokenizerScope::XMLTokenizerScope):
+        (WebCore::XMLTokenizerScope::~XMLTokenizerScope):
+        * dom/XMLTokenizerScope.h:
+        * xml/XSLStyleSheet.cpp:
+        (WebCore::XSLStyleSheet::parseString):
+        * xml/XSLTProcessor.cpp:
+
 2009-04-21  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Dan Bernstein.

third_party/WebKit/WebCore/GNUmakefile.am

@@ -725,6 +725,8 @@ webcore_sources += \
 	WebCore/dom/XMLTokenizer.cpp \
 	WebCore/dom/XMLTokenizer.h \
 	WebCore/dom/XMLTokenizerLibxml2.cpp \
+	WebCore/dom/XMLTokenizerScope.cpp \
+	WebCore/dom/XMLTokenizerScope.h \
 	WebCore/editing/AppendNodeCommand.cpp \
 	WebCore/editing/AppendNodeCommand.h \
 	WebCore/editing/ApplyStyleCommand.cpp \

third_party/WebKit/WebCore/WebCore.pro

@@ -653,6 +653,7 @@ SOURCES += \
     dom/WheelEvent.cpp \
     dom/XMLTokenizer.cpp \
     dom/XMLTokenizerQt.cpp \
+    dom/XMLTokenizerScope.cpp \
     editing/AppendNodeCommand.cpp \
     editing/ApplyStyleCommand.cpp \
     editing/BreakBlockquoteCommand.cpp \

third_party/WebKit/WebCore/WebCore.scons

@@ -143,6 +143,7 @@ sources['dom'] = [
     'dom/WheelEvent.cpp',
     'dom/XMLTokenizer.cpp',
     'dom/XMLTokenizerLibxml2.cpp',
+    'dom/XMLTokenizerScope.cpp',
 ]
 sources['editing'] = [
     'editing/AppendNodeCommand.cpp',

third_party/WebKit/WebCore/WebCore.vcproj/WebCore.vcproj

@@ -9283,6 +9283,14 @@
 				RelativePath="..\dom\XMLTokenizerLibxml2.cpp"
 				>
 			</File>
+			<File
+				RelativePath="..\dom\XMLTokenizerScope.h"
+				>
+			</File>
+			<File
+				RelativePath="..\dom\XMLTokenizerScope.cpp"
+				>
+			</File>
 		</Filter>
 		<Filter
 			Name="workers"

third_party/WebKit/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -865,6 +865,8 @@
 		54C50F7B0E801DF3009832A0 /* XMLTokenizerLibxml2.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 54C50F7A0E801DF3009832A0 /* XMLTokenizerLibxml2.cpp */; };
 		550A0BC9085F6039007353D6 /* QualifiedName.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 550A0BC7085F6039007353D6 /* QualifiedName.cpp */; };
 		550A0BCA085F6039007353D6 /* QualifiedName.h in Headers */ = {isa = PBXBuildFile; fileRef = 550A0BC8085F6039007353D6 /* QualifiedName.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		5D15E3AB0F9E6AC1009E0E3F /* XMLTokenizerScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5D15E3A90F9E6AC1009E0E3F /* XMLTokenizerScope.cpp */; };
+		5D15E3AC0F9E6AC1009E0E3F /* XMLTokenizerScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 5D15E3AA0F9E6AC1009E0E3F /* XMLTokenizerScope.h */; };
 		5D874F130D161D3200796C3B /* NetscapePlugInStreamLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 93E227DD0AF589AD00D48324 /* NetscapePlugInStreamLoader.cpp */; };
 		5D925B670F64D4DD00B847F0 /* ScrollBehavior.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5D925B650F64D4DD00B847F0 /* ScrollBehavior.cpp */; };
 		5D925B680F64D4DD00B847F0 /* ScrollBehavior.h in Headers */ = {isa = PBXBuildFile; fileRef = 5D925B660F64D4DD00B847F0 /* ScrollBehavior.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -5811,6 +5813,8 @@
 		54C50F7A0E801DF3009832A0 /* XMLTokenizerLibxml2.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = XMLTokenizerLibxml2.cpp; sourceTree = "<group>"; };
 		550A0BC7085F6039007353D6 /* QualifiedName.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = QualifiedName.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
 		550A0BC8085F6039007353D6 /* QualifiedName.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = QualifiedName.h; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
+		5D15E3A90F9E6AC1009E0E3F /* XMLTokenizerScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = XMLTokenizerScope.cpp; sourceTree = "<group>"; };
+		5D15E3AA0F9E6AC1009E0E3F /* XMLTokenizerScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = XMLTokenizerScope.h; sourceTree = "<group>"; };
 		5D925B650F64D4DD00B847F0 /* ScrollBehavior.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScrollBehavior.cpp; sourceTree = "<group>"; };
 		5D925B660F64D4DD00B847F0 /* ScrollBehavior.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScrollBehavior.h; sourceTree = "<group>"; };
 		5DCF836C0D59159800953BC6 /* PluginInfoStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PluginInfoStore.h; sourceTree = "<group>"; };
@@ -14583,6 +14587,8 @@
 				F523D30902DE4476018635CA /* XMLTokenizer.cpp */,
 				F523D30A02DE4476018635CA /* XMLTokenizer.h */,
 				54C50F7A0E801DF3009832A0 /* XMLTokenizerLibxml2.cpp */,
+				5D15E3AA0F9E6AC1009E0E3F /* XMLTokenizerScope.h */,
+				5D15E3A90F9E6AC1009E0E3F /* XMLTokenizerScope.cpp */,
 			);
 			path = dom;
 			sourceTree = "<group>";
@@ -16844,6 +16850,7 @@
 				A8F5C0B80F9285AC0098E06B /* RenderSVGModelObject.h in Headers */,
 				93D3C1590F97A9D70053C013 /* DOMHTMLCanvasElement.h in Headers */,
 				93B2D8160F9920D2006AE6B2 /* SuddenTermination.h in Headers */,
+				5D15E3AC0F9E6AC1009E0E3F /* XMLTokenizerScope.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -18857,6 +18864,7 @@
 				FE700DD10F92D81A008E2BFE /* JSCoordinatesCustom.cpp in Sources */,
 				A8F5C0B90F9285AC0098E06B /* RenderSVGModelObject.cpp in Sources */,
 				93B2D8180F9920EE006AE6B2 /* SuddenTermination.mm in Sources */,
+				5D15E3AB0F9E6AC1009E0E3F /* XMLTokenizerScope.cpp in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

third_party/WebKit/WebCore/dom/XMLTokenizer.cpp

@@ -320,4 +320,3 @@ void XMLTokenizer::pauseParsing()
 }
 
 }
-

third_party/WebKit/WebCore/dom/XMLTokenizer.h

@@ -173,7 +173,6 @@ public:
 
 #if ENABLE(XSLT)
 void* xmlDocPtrForString(DocLoader*, const String& source, const String& url);
-void setLoaderForLibXMLCallbacks(DocLoader*);
 #endif
 
 HashMap<String, String> parseAttributes(const String&, bool& attrsOK);

third_party/WebKit/WebCore/dom/XMLTokenizerLibxml2.cpp

@@ -50,6 +50,7 @@
 #include "ScriptSourceCode.h"
 #include "ScriptValue.h"
 #include "TextResourceDecoder.h"
+#include "XMLTokenizerScope.h"
 #include <libxml/parser.h>
 #include <libxml/parserInternals.h>
 #include <wtf/Platform.h>
@@ -325,14 +326,13 @@ private:
 // --------------------------------
 
 static int globalDescriptor = 0;
-static DocLoader* globalDocLoader = 0;
 static ThreadIdentifier libxmlLoaderThread = 0;
 
 static int matchFunc(const char*)
 {
     // Only match loads initiated due to uses of libxml2 from within XMLTokenizer to avoid
     // interfering with client applications that also use libxml2.  http://bugs.webkit.org/show_bug.cgi?id=17353
-    return globalDocLoader && currentThread() == libxmlLoaderThread;
+    return XMLTokenizerScope::currentDocLoader && currentThread() == libxmlLoaderThread;
 }
 
 class OffsetBuffer {
@@ -382,8 +382,8 @@ static bool shouldAllowExternalLoad(const KURL& url)
     // retrieved content.  If we had more context, we could potentially allow
     // the parser to load a DTD.  As things stand, we take the conservative
     // route and allow same-origin requests only.
-    if (!globalDocLoader->doc()->securityOrigin()->canRequest(url)) {
-        globalDocLoader->printAccessDeniedMessage(url);
+    if (!XMLTokenizerScope::currentDocLoader->doc()->securityOrigin()->canRequest(url)) {
+        XMLTokenizerScope::currentDocLoader->printAccessDeniedMessage(url);
         return false;
     }
 
@@ -392,7 +392,7 @@ static bool shouldAllowExternalLoad(const KURL& url)
 
 static void* openFunc(const char* uri)
 {
-    ASSERT(globalDocLoader);
+    ASSERT(XMLTokenizerScope::currentDocLoader);
     ASSERT(currentThread() == libxmlLoaderThread);
 
     KURL url(KURL(), uri);
@@ -403,15 +403,16 @@ static void* openFunc(const char* uri)
     ResourceError error;
     ResourceResponse response;
     Vector<char> data;
-    
-    DocLoader* docLoader = globalDocLoader;
-    globalDocLoader = 0;
-    // FIXME: We should restore the original global error handler as well.
 
-    if (docLoader->frame()) 
-        docLoader->frame()->loader()->loadResourceSynchronously(url, AllowStoredCredentials, error, response, data);
 
-    globalDocLoader = docLoader;
+    {
+        DocLoader* docLoader = XMLTokenizerScope::currentDocLoader;
+        XMLTokenizerScope scope(0);
+        // FIXME: We should restore the original global error handler as well.
+
+        if (docLoader->frame()) 
+            docLoader->frame()->loader()->loadResourceSynchronously(url, AllowStoredCredentials, error, response, data);
+    }
 
     // We have to check the URL again after the load to catch redirects.
     // See <https://bugs.webkit.org/show_bug.cgi?id=21963>.
@@ -453,11 +454,6 @@ static void errorFunc(void*, const char*, ...)
 }
 #endif
 
-void setLoaderForLibXMLCallbacks(DocLoader* docLoader)
-{
-    globalDocLoader = docLoader;
-}
-
 static bool didInit = false;
 
 static xmlParserCtxtPtr createStringParser(xmlSAXHandlerPtr handlers, void* userData)
@@ -625,6 +621,7 @@ void XMLTokenizer::doWrite(const String& parseString)
         const unsigned char BOMHighByte = *reinterpret_cast<const unsigned char*>(&BOM);
         xmlSwitchEncoding(m_context, BOMHighByte == 0xFF ? XML_CHAR_ENCODING_UTF16LE : XML_CHAR_ENCODING_UTF16BE);
 
+        XMLTokenizerScope scope(m_doc->docLoader());
         xmlParseChunk(m_context, reinterpret_cast<const char*>(parseString.characters()), sizeof(UChar) * parseString.length(), 0);
     }
     
@@ -1186,6 +1183,7 @@ void XMLTokenizer::initializeParserContext(const char* chunk)
     m_sawXSLTransform = false;
     m_sawFirstElement = false;
 
+    XMLTokenizerScope scope(m_doc->docLoader());
     if (m_parsingFragment)
         m_context = createMemoryParser(&sax, this, chunk);
     else
@@ -1207,8 +1205,11 @@ void XMLTokenizer::doEnd()
 
     if (m_context) {
         // Tell libxml we're done.
-        xmlParseChunk(m_context, 0, 0, 1);
-        
+        {
+            XMLTokenizerScope scope(m_doc->docLoader());
+            xmlParseChunk(m_context, 0, 0, 1);
+        }
+
         if (m_context->myDoc)
             xmlFreeDoc(m_context->myDoc);
         xmlFreeParserCtxt(m_context);
@@ -1228,21 +1229,12 @@ void* xmlDocPtrForString(DocLoader* docLoader, const String& source, const Strin
     const UChar BOM = 0xFEFF;
     const unsigned char BOMHighByte = *reinterpret_cast<const unsigned char*>(&BOM);
 
-    xmlGenericErrorFunc oldErrorFunc = xmlGenericError;
-    void* oldErrorContext = xmlGenericErrorContext;
-    
-    setLoaderForLibXMLCallbacks(docLoader);        
-    xmlSetGenericErrorFunc(0, errorFunc);
-    
+    XMLTokenizerScope scope(docLoader, errorFunc, 0);
     xmlDocPtr sourceDoc = xmlReadMemory(reinterpret_cast<const char*>(source.characters()),
                                         source.length() * sizeof(UChar),
                                         url.latin1().data(),
                                         BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE", 
                                         XSLT_PARSE_OPTIONS);
-    
-    setLoaderForLibXMLCallbacks(0);
-    xmlSetGenericErrorFunc(oldErrorContext, oldErrorFunc);
-    
     return sourceDoc;
 }
 #endif

third_party/WebKit/WebCore/dom/XMLTokenizerScope.cpp

+/*
+ * Copyright (C) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "XMLTokenizerScope.h"
+
+namespace WebCore {
+
+DocLoader* XMLTokenizerScope::currentDocLoader = 0;
+
+XMLTokenizerScope::XMLTokenizerScope(DocLoader* docLoader)
+    : m_oldDocLoader(currentDocLoader)
+#if ENABLE(XSLT)
+    , m_oldGenericErrorFunc(xmlGenericError)
+    , m_oldStructuredErrorFunc(xmlStructuredError)
+    , m_oldErrorContext(xmlGenericErrorContext)
+#endif
+{
+    currentDocLoader = docLoader;
+}
+
+#if ENABLE(XSLT)
+XMLTokenizerScope::XMLTokenizerScope(DocLoader* docLoader, xmlGenericErrorFunc genericErrorFunc, xmlStructuredErrorFunc structuredErrorFunc, void* errorContext)
+    : m_oldDocLoader(currentDocLoader)
+    , m_oldGenericErrorFunc(xmlGenericError)
+    , m_oldStructuredErrorFunc(xmlStructuredError)
+    , m_oldErrorContext(xmlGenericErrorContext)
+{
+    currentDocLoader = docLoader;
+    if (genericErrorFunc)
+        xmlSetGenericErrorFunc(errorContext, genericErrorFunc);
+    if (structuredErrorFunc)
+        xmlSetStructuredErrorFunc(errorContext, structuredErrorFunc);
+}
+#endif
+
+XMLTokenizerScope::~XMLTokenizerScope()
+{
+    currentDocLoader = m_oldDocLoader;
+#if ENABLE(XSLT)
+    xmlSetGenericErrorFunc(m_oldErrorContext, m_oldGenericErrorFunc);
+    xmlSetStructuredErrorFunc(m_oldErrorContext, m_oldStructuredErrorFunc);
+#endif
+}
+
+}

third_party/WebKit/WebCore/dom/XMLTokenizerScope.h

+/*
+ * Copyright (C) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef XMLTokenizerScope_h
+#define XMLTokenizerScope_h
+
+#include <wtf/Noncopyable.h>
+
+#if ENABLE(XSLT)
+#include <libxml/tree.h>
+#endif
+
+namespace WebCore {
+
+    class DocLoader;
+
+    class XMLTokenizerScope : Noncopyable {
+    public:
+        XMLTokenizerScope(DocLoader* docLoader);
+        ~XMLTokenizerScope();
+
+        static DocLoader* currentDocLoader;
+
+#if ENABLE(XSLT)
+        XMLTokenizerScope(DocLoader* docLoader, xmlGenericErrorFunc genericErrorFunc, xmlStructuredErrorFunc structuredErrorFunc = 0, void* errorContext = 0);
+#endif
+
+    private:
+        DocLoader* m_oldDocLoader;
+
+#if ENABLE(XSLT)
+        xmlGenericErrorFunc m_oldGenericErrorFunc;
+        xmlStructuredErrorFunc m_oldStructuredErrorFunc;
+        void* m_oldErrorContext;
+#endif
+    };
+
+} // namespace WebCore
+
+#endif // XMLTokenizerScope_h

third_party/WebKit/WebCore/xml/XSLStyleSheet.cpp

@@ -30,11 +30,12 @@
 #include "DocLoader.h"
 #include "Document.h"
 #include "Frame.h"
-#include "loader.h"
 #include "Node.h"
 #include "XMLTokenizer.h"
+#include "XMLTokenizerScope.h"
 #include "XSLImportRule.h"
 #include "XSLTProcessor.h"
+#include "loader.h"
 
 #include <libxml/uri.h>
 #include <libxslt/xsltutils.h>
@@ -138,7 +139,6 @@ bool XSLStyleSheet::parseString(const String& string, bool)
     // Parse in a single chunk into an xmlDocPtr
     const UChar BOM = 0xFEFF;
     const unsigned char BOMHighByte = *reinterpret_cast<const unsigned char*>(&BOM);
-    setLoaderForLibXMLCallbacks(docLoader());
     if (!m_stylesheetDocTaken)
         xmlFreeDoc(m_stylesheetDoc);
     m_stylesheetDocTaken = false;
@@ -146,8 +146,8 @@ bool XSLStyleSheet::parseString(const String& string, bool)
     Console* console = 0;
     if (Frame* frame = ownerDocument()->frame())
         console = frame->domWindow()->console();
-    xmlSetStructuredErrorFunc(console, XSLTProcessor::parseErrorFunc);
-    xmlSetGenericErrorFunc(console, XSLTProcessor::genericErrorFunc);
+
+    XMLTokenizerScope scope(docLoader(), XSLTProcessor::genericErrorFunc, XSLTProcessor::parseErrorFunc, console);
 
     const char* buffer = reinterpret_cast<const char*>(string.characters());
     int size = string.length() * sizeof(UChar);
@@ -171,13 +171,9 @@ bool XSLStyleSheet::parseString(const String& string, bool)
         BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE", 
         XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
     xmlFreeParserCtxt(ctxt);
-    
-    loadChildSheets();
 
-    xmlSetStructuredErrorFunc(0, 0);
-    xmlSetGenericErrorFunc(0, 0);
+    loadChildSheets();
 
-    setLoaderForLibXMLCallbacks(0);
     return m_stylesheetDoc;
 }
 

third_party/WebKit/WebCore/xml/XSLTProcessor.cpp

@@ -55,11 +55,10 @@
 #include <wtf/Assertions.h>
 #include <wtf/Platform.h>
 #include <wtf/Vector.h>
+
 #if PLATFORM(MAC)
 #include "SoftLinking.h"
-#endif
 
-#if PLATFORM(MAC)
 SOFT_LINK_LIBRARY(libxslt);
 SOFT_LINK(libxslt, xsltFreeStylesheet, void, (xsltStylesheetPtr sheet), (sheet))
 SOFT_LINK(libxslt, xsltFreeTransformContext, void, (xsltTransformContextPtr ctxt), (ctxt))