59189 - Make sure that SanitizeKey() is accessed only by the attribute token.

r=jar
sr=scc


git-svn-id: svn://10.0.0.236/trunk@82333 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/htmlparser/src/CNavDTD.cpp

@@ -2268,6 +2268,14 @@ nsresult CNavDTD::CollectAttributes(nsCParserNode& aNode,eHTMLTags aTag,PRInt32
         theToken=(CToken*)mSkippedContent.PopFront();
       else theToken=mTokenizer->PopToken();
       if(theToken)  {
+        eHTMLTokenTypes theType=eHTMLTokenTypes(theToken->GetTokenType());
+        if(theType!=eToken_attribute) {
+          // If you're here then it means that the token does not
+          // belong to this node. Put the token back into the tokenizer
+          // and let it go thro' the regular path. Bug: 59189.
+          mTokenizer->PushTokenFront(theToken);
+          break;
+        }
         // Sanitize the key for it might contain some non-alpha-non-digit characters
         // at its end.  Ex. <OPTION SELECTED/> - This will be tokenized as "<" "OPTION",
         // "SELECTED/", and ">". In this case the "SELECTED/" key will be sanitized to

mozilla/parser/htmlparser/src/CNavDTD.cpp

@@ -2268,6 +2268,14 @@ nsresult CNavDTD::CollectAttributes(nsCParserNode& aNode,eHTMLTags aTag,PRInt32
         theToken=(CToken*)mSkippedContent.PopFront();
       else theToken=mTokenizer->PopToken();
       if(theToken)  {
+        eHTMLTokenTypes theType=eHTMLTokenTypes(theToken->GetTokenType());
+        if(theType!=eToken_attribute) {
+          // If you're here then it means that the token does not
+          // belong to this node. Put the token back into the tokenizer
+          // and let it go thro' the regular path. Bug: 59189.
+          mTokenizer->PushTokenFront(theToken);
+          break;
+        }
         // Sanitize the key for it might contain some non-alpha-non-digit characters
         // at its end.  Ex. <OPTION SELECTED/> - This will be tokenized as "<" "OPTION",
         // "SELECTED/", and ">". In this case the "SELECTED/" key will be sanitized to