From 1ea2467a7a9746863dd3bac80ed3bc74d067b638 Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Mon, 7 Feb 2022 01:43:01 +0100
Subject: [PATCH] LibWeb: Improve step 3 of "focus chain" from the HTML spec

This function was unnecessarily nested, which created a scenario where
we could get stuck in an infinite loop without advancing the
current_object pointer up the browsing context container chain.
---
 Userland/Libraries/LibWeb/HTML/HTMLElement.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp b/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
index fa0a1efed9..351828ef4c 100644
--- a/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
+++ b/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
@@ -302,12 +302,12 @@ static Vector<DOM::Node&> focus_chain(DOM::Node* subject)
         if (!is<DOM::Document>(*current_object)) {
             // 3. If currentObject is a focusable area, then set currentObject to currentObject's DOM anchor's node document.
             current_object = &current_object->document();
-        } else if (is<DOM::Document>(*current_object)) {
+        } else if (is<DOM::Document>(*current_object)
+            && static_cast<DOM::Document&>(*current_object).browsing_context()
+            && !static_cast<DOM::Document&>(*current_object).browsing_context()->is_top_level()) {
             // Otherwise, if currentObject is a Document whose browsing context is a child browsing context,
             // then set currentObject to currentObject's browsing context's container.
-            auto& document = static_cast<DOM::Document&>(*current_object);
-            if (document.browsing_context() && !document.browsing_context()->is_top_level())
-                current_object = document.browsing_context()->container();
+            current_object = static_cast<DOM::Document&>(*current_object).browsing_context()->container();
         } else {
             break;
         }