Bug 1779184 - Re-Implement attribute sanitization. r=emilio

Differential Revision: https://phabricator.services.mozilla.com/D153362
Tom Schuster 2022-08-12 10:33:26 +00:00
Родитель d37dd913aa
Коммит 1173a0bda6
6 изменённых файлов: 605 добавлений и 240 удалений


@ -970,6 +970,225 @@ const nsStaticAtom* const kURLAttributesMathML[] = {
// clang-format on
};
// https://wicg.github.io/sanitizer-api/#baseline-attribute-allow-list
constexpr const nsStaticAtom* const kBaselineAttributeAllowlist[] = {
// clang-format off
nsGkAtoms::abbr,
nsGkAtoms::accept,
nsGkAtoms::acceptcharset,
nsGkAtoms::charset,
nsGkAtoms::accesskey,
nsGkAtoms::action,
nsGkAtoms::align,
nsGkAtoms::alink,
nsGkAtoms::allow,
nsGkAtoms::allowfullscreen,
// nsGkAtoms::allowpaymentrequest,
nsGkAtoms::alt,
nsGkAtoms::anchor,
nsGkAtoms::archive,
nsGkAtoms::as,
nsGkAtoms::async,
nsGkAtoms::autocapitalize,
nsGkAtoms::autocomplete,
// nsGkAtoms::autocorrect,
nsGkAtoms::autofocus,
// nsGkAtoms::autopictureinpicture,
nsGkAtoms::autoplay,
nsGkAtoms::axis,
nsGkAtoms::background,
nsGkAtoms::behavior,
nsGkAtoms::bgcolor,
nsGkAtoms::border,
nsGkAtoms::bordercolor,
nsGkAtoms::capture,
nsGkAtoms::cellpadding,
nsGkAtoms::cellspacing,
// nsGkAtoms::challenge,
nsGkAtoms::_char,
nsGkAtoms::charoff,
nsGkAtoms::charset,
nsGkAtoms::checked,
nsGkAtoms::cite,
nsGkAtoms::_class,
nsGkAtoms::classid,
nsGkAtoms::clear,
nsGkAtoms::code,
nsGkAtoms::codebase,
nsGkAtoms::codetype,
nsGkAtoms::color,
nsGkAtoms::cols,
nsGkAtoms::colspan,
nsGkAtoms::compact,
nsGkAtoms::content,
nsGkAtoms::contenteditable,
nsGkAtoms::controls,
// nsGkAtoms::controlslist,
// nsGkAtoms::conversiondestination,
nsGkAtoms::coords,
nsGkAtoms::crossorigin,
nsGkAtoms::csp,
nsGkAtoms::data,
nsGkAtoms::datetime,
nsGkAtoms::declare,
nsGkAtoms::decoding,
nsGkAtoms::_default,
nsGkAtoms::defer,
nsGkAtoms::dir,
nsGkAtoms::direction,
// nsGkAtoms::dirname,
nsGkAtoms::disabled,
// nsGkAtoms::disablepictureinpicture,
// nsGkAtoms::disableremoteplayback,
// nsGkAtoms::disallowdocumentaccess,
nsGkAtoms::download,
nsGkAtoms::draggable,
// nsGkAtoms::elementtiming,
nsGkAtoms::enctype,
nsGkAtoms::end,
nsGkAtoms::enterkeyhint,
nsGkAtoms::event,
nsGkAtoms::exportparts,
nsGkAtoms::face,
nsGkAtoms::_for,
nsGkAtoms::form,
nsGkAtoms::formaction,
nsGkAtoms::formenctype,
nsGkAtoms::formmethod,
nsGkAtoms::formnovalidate,
nsGkAtoms::formtarget,
nsGkAtoms::frame,
nsGkAtoms::frameborder,
nsGkAtoms::headers,
nsGkAtoms::height,
nsGkAtoms::hidden,
nsGkAtoms::high,
nsGkAtoms::href,
nsGkAtoms::hreflang,
// nsGkAtoms::hreftranslate,
nsGkAtoms::hspace,
nsGkAtoms::http,
// nsGkAtoms::equiv,
nsGkAtoms::id,
nsGkAtoms::imagesizes,
nsGkAtoms::imagesrcset,
// nsGkAtoms::importance,
// nsGkAtoms::impressiondata,
// nsGkAtoms::impressionexpiry,
// nsGkAtoms::incremental,
nsGkAtoms::inert,
nsGkAtoms::inputmode,
nsGkAtoms::integrity,
// nsGkAtoms::invisible,
nsGkAtoms::is,
nsGkAtoms::ismap,
// nsGkAtoms::keytype,
nsGkAtoms::kind,
nsGkAtoms::label,
nsGkAtoms::lang,
nsGkAtoms::language,
// nsGkAtoms::latencyhint,
nsGkAtoms::leftmargin,
nsGkAtoms::link,
// nsGkAtoms::list,
nsGkAtoms::loading,
nsGkAtoms::longdesc,
nsGkAtoms::loop,
nsGkAtoms::low,
nsGkAtoms::lowsrc,
nsGkAtoms::manifest,
nsGkAtoms::marginheight,
nsGkAtoms::marginwidth,
nsGkAtoms::max,
nsGkAtoms::maxlength,
// nsGkAtoms::mayscript,
nsGkAtoms::media,
nsGkAtoms::method,
nsGkAtoms::min,
nsGkAtoms::minlength,
nsGkAtoms::multiple,
nsGkAtoms::muted,
nsGkAtoms::name,
nsGkAtoms::nohref,
nsGkAtoms::nomodule,
nsGkAtoms::nonce,
nsGkAtoms::noresize,
nsGkAtoms::noshade,
nsGkAtoms::novalidate,
nsGkAtoms::nowrap,
nsGkAtoms::object,
nsGkAtoms::open,
nsGkAtoms::optimum,
nsGkAtoms::part,
nsGkAtoms::pattern,
nsGkAtoms::ping,
nsGkAtoms::placeholder,
// nsGkAtoms::playsinline,
// nsGkAtoms::policy,
nsGkAtoms::poster,
nsGkAtoms::preload,
// nsGkAtoms::pseudo,
nsGkAtoms::readonly,
nsGkAtoms::referrerpolicy,
nsGkAtoms::rel,
// nsGkAtoms::reportingorigin,
nsGkAtoms::required,
nsGkAtoms::resources,
nsGkAtoms::rev,
nsGkAtoms::reversed,
nsGkAtoms::role,
nsGkAtoms::rows,
nsGkAtoms::rowspan,
nsGkAtoms::rules,
nsGkAtoms::sandbox,
nsGkAtoms::scheme,
nsGkAtoms::scope,
// nsGkAtoms::scopes,
nsGkAtoms::scrollamount,
nsGkAtoms::scrolldelay,
nsGkAtoms::scrolling,
nsGkAtoms::select,
nsGkAtoms::selected,
// nsGkAtoms::shadowroot,
// nsGkAtoms::shadowrootdelegatesfocus,
nsGkAtoms::shape,
nsGkAtoms::size,
nsGkAtoms::sizes,
nsGkAtoms::slot,
nsGkAtoms::span,
nsGkAtoms::spellcheck,
nsGkAtoms::src,
nsGkAtoms::srcdoc,
nsGkAtoms::srclang,
nsGkAtoms::srcset,
nsGkAtoms::standby,
nsGkAtoms::start,
nsGkAtoms::step,
nsGkAtoms::style,
nsGkAtoms::summary,
nsGkAtoms::tabindex,
nsGkAtoms::target,
nsGkAtoms::text,
nsGkAtoms::title,
nsGkAtoms::topmargin,
nsGkAtoms::translate,
nsGkAtoms::truespeed,
// nsGkAtoms::trusttoken,
nsGkAtoms::type,
nsGkAtoms::usemap,
nsGkAtoms::valign,
nsGkAtoms::value,
nsGkAtoms::valuetype,
nsGkAtoms::version,
// nsGkAtoms::virtualkeyboardpolicy,
nsGkAtoms::vlink,
nsGkAtoms::vspace,
nsGkAtoms::webkitdirectory,
nsGkAtoms::width,
nsGkAtoms::wrap,
// clang-format on
};
// https://wicg.github.io/sanitizer-api/#baseline-elements
constexpr const nsStaticAtom* const kBaselineElementAllowlist[] = {
nsGkAtoms::a, nsGkAtoms::abbr, nsGkAtoms::acronym,
@ -1017,6 +1236,228 @@ constexpr const nsStaticAtom* const kBaselineElementAllowlist[] = {
nsGkAtoms::wbr, nsGkAtoms::xmp,
};
// https://wicg.github.io/sanitizer-api/#default-configuration
// default configuration's attribute allow list.
// Note: Currently all listed attributes are allowed for every element
// (e.g. they use "*").
// Compared to kBaselineAttributeAllowlist only deprecated allowpaymentrequest
// attribute is missing.
constexpr const nsStaticAtom* const kDefaultConfigurationAttributeAllowlist[] =
{
nsGkAtoms::abbr,
nsGkAtoms::accept,
nsGkAtoms::acceptcharset,
nsGkAtoms::charset,
nsGkAtoms::accesskey,
nsGkAtoms::action,
nsGkAtoms::align,
nsGkAtoms::alink,
nsGkAtoms::allow,
nsGkAtoms::allowfullscreen,
nsGkAtoms::alt,
nsGkAtoms::anchor,
nsGkAtoms::archive,
nsGkAtoms::as,
nsGkAtoms::async,
nsGkAtoms::autocapitalize,
nsGkAtoms::autocomplete,
// nsGkAtoms::autocorrect,
nsGkAtoms::autofocus,
// nsGkAtoms::autopictureinpicture,
nsGkAtoms::autoplay,
nsGkAtoms::axis,
nsGkAtoms::background,
nsGkAtoms::behavior,
nsGkAtoms::bgcolor,
nsGkAtoms::border,
nsGkAtoms::bordercolor,
nsGkAtoms::capture,
nsGkAtoms::cellpadding,
nsGkAtoms::cellspacing,
// nsGkAtoms::challenge,
nsGkAtoms::_char,
nsGkAtoms::charoff,
nsGkAtoms::charset,
nsGkAtoms::checked,
nsGkAtoms::cite,
nsGkAtoms::_class,
nsGkAtoms::classid,
nsGkAtoms::clear,
nsGkAtoms::code,
nsGkAtoms::codebase,
nsGkAtoms::codetype,
nsGkAtoms::color,
nsGkAtoms::cols,
nsGkAtoms::colspan,
nsGkAtoms::compact,
nsGkAtoms::content,
nsGkAtoms::contenteditable,
nsGkAtoms::controls,
// nsGkAtoms::controlslist,
// nsGkAtoms::conversiondestination,
nsGkAtoms::coords,
nsGkAtoms::crossorigin,
nsGkAtoms::csp,
nsGkAtoms::data,
nsGkAtoms::datetime,
nsGkAtoms::declare,
nsGkAtoms::decoding,
nsGkAtoms::_default,
nsGkAtoms::defer,
nsGkAtoms::dir,
nsGkAtoms::direction,
// nsGkAtoms::dirname,
nsGkAtoms::disabled,
// nsGkAtoms::disablepictureinpicture,
// nsGkAtoms::disableremoteplayback,
// nsGkAtoms::disallowdocumentaccess,
nsGkAtoms::download,
nsGkAtoms::draggable,
// nsGkAtoms::elementtiming,
nsGkAtoms::enctype,
nsGkAtoms::end,
nsGkAtoms::enterkeyhint,
nsGkAtoms::event,
nsGkAtoms::exportparts,
nsGkAtoms::face,
nsGkAtoms::_for,
nsGkAtoms::form,
nsGkAtoms::formaction,
nsGkAtoms::formenctype,
nsGkAtoms::formmethod,
nsGkAtoms::formnovalidate,
nsGkAtoms::formtarget,
nsGkAtoms::frame,
nsGkAtoms::frameborder,
nsGkAtoms::headers,
nsGkAtoms::height,
nsGkAtoms::hidden,
nsGkAtoms::high,
nsGkAtoms::href,
nsGkAtoms::hreflang,
// nsGkAtoms::hreftranslate,
nsGkAtoms::hspace,
nsGkAtoms::http,
// nsGkAtoms::equiv,
nsGkAtoms::id,
nsGkAtoms::imagesizes,
nsGkAtoms::imagesrcset,
// nsGkAtoms::importance,
// nsGkAtoms::impressiondata,
// nsGkAtoms::impressionexpiry,
// nsGkAtoms::incremental,
nsGkAtoms::inert,
nsGkAtoms::inputmode,
nsGkAtoms::integrity,
// nsGkAtoms::invisible,
nsGkAtoms::is,
nsGkAtoms::ismap,
// nsGkAtoms::keytype,
nsGkAtoms::kind,
nsGkAtoms::label,
nsGkAtoms::lang,
nsGkAtoms::language,
// nsGkAtoms::latencyhint,
nsGkAtoms::leftmargin,
nsGkAtoms::link,
// nsGkAtoms::list,
nsGkAtoms::loading,
nsGkAtoms::longdesc,
nsGkAtoms::loop,
nsGkAtoms::low,
nsGkAtoms::lowsrc,
nsGkAtoms::manifest,
nsGkAtoms::marginheight,
nsGkAtoms::marginwidth,
nsGkAtoms::max,
nsGkAtoms::maxlength,
// nsGkAtoms::mayscript,
nsGkAtoms::media,
nsGkAtoms::method,
nsGkAtoms::min,
nsGkAtoms::minlength,
nsGkAtoms::multiple,
nsGkAtoms::muted,
nsGkAtoms::name,
nsGkAtoms::nohref,
nsGkAtoms::nomodule,
nsGkAtoms::nonce,
nsGkAtoms::noresize,
nsGkAtoms::noshade,
nsGkAtoms::novalidate,
nsGkAtoms::nowrap,
nsGkAtoms::object,
nsGkAtoms::open,
nsGkAtoms::optimum,
nsGkAtoms::part,
nsGkAtoms::pattern,
nsGkAtoms::ping,
nsGkAtoms::placeholder,
// nsGkAtoms::playsinline,
// nsGkAtoms::policy,
nsGkAtoms::poster,
nsGkAtoms::preload,
// nsGkAtoms::pseudo,
nsGkAtoms::readonly,
nsGkAtoms::referrerpolicy,
nsGkAtoms::rel,
// nsGkAtoms::reportingorigin,
nsGkAtoms::required,
nsGkAtoms::resources,
nsGkAtoms::rev,
nsGkAtoms::reversed,
nsGkAtoms::role,
nsGkAtoms::rows,
nsGkAtoms::rowspan,
nsGkAtoms::rules,
nsGkAtoms::sandbox,
nsGkAtoms::scheme,
nsGkAtoms::scope,
// nsGkAtoms::scopes,
nsGkAtoms::scrollamount,
nsGkAtoms::scrolldelay,
nsGkAtoms::scrolling,
nsGkAtoms::select,
nsGkAtoms::selected,
// nsGkAtoms::shadowroot,
// nsGkAtoms::shadowrootdelegatesfocus,
nsGkAtoms::shape,
nsGkAtoms::size,
nsGkAtoms::sizes,
nsGkAtoms::slot,
nsGkAtoms::span,
nsGkAtoms::spellcheck,
nsGkAtoms::src,
nsGkAtoms::srcdoc,
nsGkAtoms::srclang,
nsGkAtoms::srcset,
nsGkAtoms::standby,
nsGkAtoms::start,
nsGkAtoms::step,
nsGkAtoms::style,
nsGkAtoms::summary,
nsGkAtoms::tabindex,
nsGkAtoms::target,
nsGkAtoms::text,
nsGkAtoms::title,
nsGkAtoms::topmargin,
nsGkAtoms::translate,
nsGkAtoms::truespeed,
// nsGkAtoms::trusttoken,
nsGkAtoms::type,
nsGkAtoms::usemap,
nsGkAtoms::valign,
nsGkAtoms::value,
nsGkAtoms::valuetype,
nsGkAtoms::version,
// nsGkAtoms::virtualkeyboardpolicy,
nsGkAtoms::vlink,
nsGkAtoms::vspace,
nsGkAtoms::webkitdirectory,
nsGkAtoms::width,
nsGkAtoms::wrap,
};
// https://wicg.github.io/sanitizer-api/#default-configuration
// default configuration's element allow list.
constexpr const nsStaticAtom* const kDefaultConfigurationElementAllowlist[] = {
@ -1068,8 +1509,12 @@ nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sElementsSVG = nullptr;
nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sAttributesSVG = nullptr;
nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sElementsMathML = nullptr;
nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sAttributesMathML = nullptr;
nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sBaselineAttributeAllowlist =
nullptr;
nsTreeSanitizer::AtomsTable* nsTreeSanitizer::sBaselineElementAllowlist =
nullptr;
nsTreeSanitizer::AtomsTable*
nsTreeSanitizer::sDefaultConfigurationAttributeAllowlist = nullptr;
nsTreeSanitizer::AtomsTable*
nsTreeSanitizer::sDefaultConfigurationElementAllowlist = nullptr;
nsIPrincipal* nsTreeSanitizer::sNullPrincipal = nullptr;
@ -1413,31 +1858,7 @@ void nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
RefPtr<nsAtom> attrLocal = attrName->LocalName();
if (mIsForSanitizerAPI) {
bool shouldRemove = true;
RefPtr<nsAtom> elemName = aElement->NodeInfo()->NameAtom();
// check allow list
if (mAllowedAttributes) {
auto allowedElements = mAllowedAttributes->Lookup(attrLocal);
if (allowedElements) {
if (allowedElements.Data()->Contains(elemName) ||
allowedElements.Data()->Contains(nsGkAtoms::_asterisk)) {
shouldRemove = false;
}
}
}
// checking drop list last
// i.e., if listed as both allowed and dropped, it will still be dropped
if (mDroppedAttributes) {
auto dropElements = mDroppedAttributes->Lookup(attrLocal);
if (dropElements) {
if (dropElements.Data()->Contains(elemName) ||
dropElements.Data()->Contains(nsGkAtoms::_asterisk)) {
shouldRemove = true;
}
}
}
if (shouldRemove) {
if (MustDropAttribute(aElement, attrNs, attrLocal)) {
aElement->UnsetAttr(kNameSpaceID_None, attrLocal, false);
if (mLogRemovals) {
LogMessage("Removed unsafe attribute.", aElement->OwnerDoc(),
@ -1540,6 +1961,90 @@ void nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
}
}
// https://wicg.github.io/sanitizer-api/#attribute-match-list
bool nsTreeSanitizer::MatchesAttributeMatchList(
ElementToAttributeSetTable& aMatchList, Element& aElement,
int32_t aAttrNamespace, nsAtom* aAttrLocalName) {
// Step 1. If attributes local name does not match the attribute match list
// lists key and if the key is not "*": Return false.
DynamicAtomsTable* elements;
if (auto lookup = aMatchList.Lookup(aAttrLocalName)) {
elements = lookup->get();
} else if (auto lookup = aMatchList.Lookup(nsGkAtoms::_asterisk)) {
elements = lookup->get();
} else {
return false;
}
// Step 2. Let element be the attributes Element.
// Step 3. Let element name be elements local name.
nsAtom* elemName = aElement.NodeInfo()->NameAtom();
// Step 4. If element is a in either the SVG or MathML namespaces (i.e., its
// a foreign element), then prefix element name with the appropriate namespace
// designator plus a whitespace character.
// TODO(bug 1784040) Namespace handling.
// Step 5. If lists value does not contain element name and value is not
// ["*"]: Return false.
if (!elements->Contains(elemName) &&
!elements->Contains(nsGkAtoms::_asterisk)) {
return false;
}
// Step 6. Return true.
return true;
}
// https://wicg.github.io/sanitizer-api/#sanitize-action-for-an-attribute
bool nsTreeSanitizer::MustDropAttribute(Element* aElement,
int32_t aAttrNamespace,
nsAtom* aAttrLocalName) {
// Step 1. Let kind be attributes attribute kind.
// Step 2. If kind is unknown and if config["allowUnknownMarkup"] does not
// exist or it config["allowUnknownMarkup"] is false: Return drop.
//
// TODO: Not clear how to determine if something is an "unknown" attribute.
// https://github.com/WICG/sanitizer-api/issues/147 should probably define
// an explicit list.
// Step 3. If kind is regular and attributes local name does not match any
// name in the baseline attribute allow list: Return drop.
if (!sBaselineAttributeAllowlist->Contains(aAttrLocalName)) {
return true;
}
// Step 4. If attribute matches any attribute match list in configs attribute
// drop list: Return drop.
if (mDroppedAttributes &&
MatchesAttributeMatchList(*mDroppedAttributes, *aElement, aAttrNamespace,
aAttrLocalName)) {
return true;
}
// Step 5. If attribute allow list exists in config:
if (mAllowedAttributes) {
// Step 5.1. Then let allow list be |config|["allowAttributes"].
// Step 6. If attribute does not match any attribute match list in allow
// list: Return drop.
if (!MatchesAttributeMatchList(*mAllowedAttributes, *aElement,
aAttrNamespace, aAttrLocalName)) {
return true;
}
} else {
// Step 5.2. Otherwise: Let allow list be the default configuration's
// attribute allow list.
// Step 6. If attribute does not match any attribute
// match list in allow list: Return drop.
if (!sDefaultConfigurationAttributeAllowlist->Contains(aAttrLocalName)) {
return true;
}
}
// Step 7. Return keep.
return false;
}
bool nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
int32_t aNamespace, nsAtom* aLocalName,
bool aFragmentsOnly) {
@ -1824,12 +2329,24 @@ void nsTreeSanitizer::InitializeStatics() {
sAttributesMathML->Insert(kAttributesMathML[i]);
}
sBaselineAttributeAllowlist =
new AtomsTable(ArrayLength(kBaselineAttributeAllowlist));
for (const auto* atom : kBaselineAttributeAllowlist) {
sBaselineAttributeAllowlist->Insert(atom);
}
sBaselineElementAllowlist =
new AtomsTable(ArrayLength(kBaselineElementAllowlist));
for (const auto* atom : kBaselineElementAllowlist) {
sBaselineElementAllowlist->Insert(atom);
}
sDefaultConfigurationAttributeAllowlist =
new AtomsTable(ArrayLength(kDefaultConfigurationAttributeAllowlist));
for (const auto* atom : kDefaultConfigurationAttributeAllowlist) {
sDefaultConfigurationAttributeAllowlist->Insert(atom);
}
sDefaultConfigurationElementAllowlist =
new AtomsTable(ArrayLength(kDefaultConfigurationElementAllowlist));
for (const auto* atom : kDefaultConfigurationElementAllowlist) {
@ -1863,9 +2380,15 @@ void nsTreeSanitizer::ReleaseStatics() {
delete sAttributesMathML;
sAttributesMathML = nullptr;
delete sBaselineAttributeAllowlist;
sBaselineAttributeAllowlist = nullptr;
delete sBaselineElementAllowlist;
sBaselineElementAllowlist = nullptr;
delete sDefaultConfigurationAttributeAllowlist;
sDefaultConfigurationAttributeAllowlist = nullptr;
delete sDefaultConfigurationElementAllowlist;
sDefaultConfigurationElementAllowlist = nullptr;
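Review bot: In MatchesAttributeMatchList (hunk at +1961) the `"*"` key is consulted only when the attribute's own name has no entry, so a list holding both a named entry and a wildcard entry is evaluated against the named entry alone. With a constructed dropAttributes of `{"title": ["p"], "*": ["a"]}`, `title` on an `<a>` is looked up under `title`, fails the element check and is reported as not matching, so MustDropAttribute step 4 keeps an attribute the wildcard entry asks to drop; the same shape in allowAttributes errs the other way and drops too much. As I read the spec steps quoted in the comments, each entry is its own match list and a match in any of them counts, so both entries should be tested. The sketch below keeps the signature and leaves the bug 1784040 namespace TODO as it is.

```cpp
bool nsTreeSanitizer::MatchesAttributeMatchList(
    ElementToAttributeSetTable& aMatchList, Element& aElement,
    int32_t aAttrNamespace, nsAtom* aAttrLocalName) {
  nsAtom* elemName = aElement.NodeInfo()->NameAtom();
  // … unchanged: TODO(bug 1784040) namespace handling …

  // One entry matches when its element set names this element or "*".
  auto entryMatches = [&](nsAtom* aKey) {
    auto lookup = aMatchList.Lookup(aKey);
    return lookup && (lookup->get()->Contains(elemName) ||
                      lookup->get()->Contains(nsGkAtoms::_asterisk));
  };

  // Test the exact-name entry and the "*" entry; a match in either counts.
  return entryMatches(aAttrLocalName) || entryMatches(nsGkAtoms::_asterisk);
}
```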


@ -138,6 +138,9 @@ class nsTreeSanitizer {
bool Contains(nsAtom* aAtom) { return GetEntry(aAtom); }
};
using ElementToAttributeSetTable =
nsTHashMap<RefPtr<nsAtom>, mozilla::UniquePtr<DynamicAtomsTable>>;
void SanitizeChildren(nsINode* aRoot);
/**
@ -199,6 +202,9 @@ class nsTreeSanitizer {
*/
void SanitizeAttributes(mozilla::dom::Element* aElement,
AllowedAttributes aAllowed);
// Currently only used for the Sanitizer API.
bool MustDropAttribute(mozilla::dom::Element* aElement,
int32_t aAttrNamespace, nsAtom* aAttrLocalName);
/**
* Remove the named URL attribute from the element if the URL fails a
@ -241,6 +247,11 @@ class nsTreeSanitizer {
*/
static void RemoveAllAttributesFromDescendants(mozilla::dom::Element*);
static bool MatchesAttributeMatchList(ElementToAttributeSetTable& aMatchList,
mozilla::dom::Element& aElement,
int32_t aAttrNamespace,
nsAtom* aAttrLocalName);
/**
* Log a Console Service message to indicate we removed something.
* If you pass an element and/or attribute, their information will
@ -291,11 +302,21 @@ class nsTreeSanitizer {
*/
static AtomsTable* sAttributesMathML;
/**
* The built-in baseline attribute allow list used by the Sanitizer API.
*/
static AtomsTable* sBaselineAttributeAllowlist;
/**
* The built-in baseline element allow list used by the Sanitizer API.
*/
static AtomsTable* sBaselineElementAllowlist;
/**
* The default configuration's attribute allow list used by the Sanitizer API.
*/
static AtomsTable* sDefaultConfigurationAttributeAllowlist;
/**
* The default configuration's element allow list used by the Sanitizer API.
*/
@ -323,9 +344,6 @@ class nsTreeSanitizer {
// A deny-list of elements to drop. (aka prune)
mozilla::UniquePtr<DynamicAtomsTable> mDropElements;
using ElementToAttributeSetTable =
nsTHashMap<RefPtr<nsAtom>, mozilla::UniquePtr<DynamicAtomsTable>>;
// An allow-list of attributes to keep.
mozilla::UniquePtr<ElementToAttributeSetTable> mAllowedAttributes;
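Review bot: MustDropAttribute and MatchesAttributeMatchList are declared without saying what their return value means, while the neighbouring declarations in this header carry `/** … */` blocks. Both decide whether an attribute survives sanitization, so the polarity is worth stating; for MustDropAttribute something like `// Returns true when the attribute must be removed ("sanitize action for an attribute" in the Sanitizer API draft).` would do. For MatchesAttributeMatchList, a comment should say that aMatchList is keyed by attribute local name with a set of element names as value (the alias name ElementToAttributeSetTable reads the other way round) and that aAttrNamespace is not consulted yet. The class body starts and ends outside these hunks.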


@ -64,12 +64,13 @@ SimpleTest.waitForExplicitFinish();
testExpected: "<p>hello folks</p>",
sanitizerOptions: { blockElements: ["i"] },
},
{
// test for the allowAttributes option
testString: `<p haha="lol">hello</p>`,
testExpected: `<p haha="lol">hello</p>`,
sanitizerOptions: { allowAttributes: { 'haha': ['p'] } },
},
// TODO: Unknown attributes aren't supported yet.
// {
// // test for the allowAttributes option
// testString: `<p haha="lol">hello</p>`,
// testExpected: `<p haha="lol">hello</p>`,
// sanitizerOptions: { allowUnknownMarkup: true, allowAttributes: { 'haha': ['p'] } },
// },
{
// confirming the inverse
testString: `<p haha="lol">hello</p>`,
@ -82,13 +83,12 @@ SimpleTest.waitForExplicitFinish();
testExpected: `<p>hello</p>`,
sanitizerOptions: { dropAttributes: { 'title': ['p'] } },
},
// TODO: default configuration allowAttributes not yet (re-)implemented
// {
// // confirming the inverse
// testString: `<p title="dontdropme">hello</p>`,
// testExpected: `<p title="dontdropme">hello</p>`,
// sanitizerOptions: {},
// },
{
// confirming the inverse
testString: `<p title="dontdropme">hello</p>`,
testExpected: `<p title="dontdropme">hello</p>`,
sanitizerOptions: {},
},
{
// if an attribute is allowed and dropped, the drop will take preference
testString: `<p title="lol">hello</p>`,
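Review bot: Commenting out the `allowAttributes: { 'haha': ['p'] }` case leaves the new behaviour for that configuration unpinned; none of the visible cases asserts what happens when a config allows an attribute outside the baseline list. MustDropAttribute step 3 now drops such attributes before the allow list is consulted, so an active case would document that an author-supplied allow list cannot re-admit them, e.g. `{ testString: '<p haha="lol">hello</p>', testExpected: '<p>hello</p>', sanitizerOptions: { allowAttributes: { 'haha': ['p'] } } },`. The test array starts and ends outside these hunks, so an equivalent case may already exist elsewhere in the file.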


@ -1,12 +0,0 @@
[sanitizer-config.https.html]
[SanitizerAPI: allowElements stays is okay.]
expected: FAIL
[SanitizerAPI: blockElements stays is okay.]
expected: FAIL
[SanitizerAPI: dropAttributes stays is okay.]
expected: FAIL
[SanitizerAPI: dropElements stays is okay.]
expected: FAIL


@ -1,200 +1,36 @@
[sanitizer-sanitize.https.tentative.html]
max-asserts: 120
[SanitizerAPI with config: plaintext, sanitize from document function for plaintext]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"style": ["p"\]} with style attribute, sanitize from document function for dropAttributes list {"style": ["p"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"*": ["a"\]} with style attribute, sanitize from document function for dropAttributes list {"*": ["a"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access, sanitize from document function for dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access]
expected: FAIL
[SanitizerAPI with config: allowAttributes list {"*": ["a"\]} with style attribute, sanitize from document function for allowAttributes list {"*": ["a"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: plaintext, sanitize from document fragment function for plaintext]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"style": ["p"\]} with style attribute, sanitize from document fragment function for dropAttributes list {"style": ["p"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"*": ["a"\]} with style attribute, sanitize from document fragment function for dropAttributes list {"*": ["a"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access, sanitize from document fragment function for dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access]
expected: FAIL
[SanitizerAPI with config: allowAttributes list {"*": ["a"\]} with style attribute, sanitize from document fragment function for allowAttributes list {"*": ["a"\]} with style attribute]
expected: FAIL
[SanitizerAPI with config: empty dropAttributes list with id attribute, sanitize from document function for empty dropAttributes list with id attribute]
expected: FAIL
[SanitizerAPI with config: empty dropAttributes list with id attribute, sanitize from document fragment function for empty dropAttributes list with id attribute]
expected: FAIL
[SanitizerAPI with config: HTMLInputElement, sanitize from document function for HTMLInputElement]
expected: FAIL
[SanitizerAPI with config: HTMLButtonElement, sanitize from document function for HTMLButtonElement]
expected: FAIL
[SanitizerAPI with config: HTMLInputElement, sanitize from document fragment function for HTMLInputElement]
expected: FAIL
[SanitizerAPI with config: HTMLButtonElement, sanitize from document fragment function for HTMLButtonElement]
expected: FAIL
[SanitizerAPI with config: malformed HTML, sanitize from document fragment function for malformed HTML]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments; comments not allowed, sanitize from document fragment function for HTML with comments; comments not allowed]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments; !allowComments, sanitize from document function for HTML with comments; !allowComments]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[Sanitizer.sanitize(null).]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments deeper in the tree, !allowComments, sanitize from document function for HTML with comments deeper in the tree, !allowComments]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments deeper in the tree, sanitize from document fragment function for HTML with comments deeper in the tree]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments deeper in the tree, !allowComments, sanitize from document fragment function for HTML with comments deeper in the tree, !allowComments]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: malformed HTML, sanitize from document function for malformed HTML]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments; !allowComments, sanitize from document fragment function for HTML with comments; !allowComments]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments deeper in the tree, sanitize from document function for HTML with comments deeper in the tree]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: HTML with comments; comments not allowed, sanitize from document function for HTML with comments; comments not allowed]
expected:
if (os == "mac") and not debug: [PASS, FAIL]
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with id attribute, sanitize from document function for dropAttributes list {"ID": ["*"\]} with id attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with ID attribute, sanitize from document function for dropAttributes list {"ID": ["*"\]} with ID attribute]
expected: FAIL
[SanitizerAPI with config: blockElements with unknown elements and with allowUnknownMarkup, sanitize from document function for blockElements with unknown elements and with allowUnknownMarkup]
expected: FAIL
[SanitizerAPI with config: allowAttributes unknown attributes and without allowUnknownMarkup, sanitize from document function for allowAttributes unknown attributes and without allowUnknownMarkup]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with id attribute, sanitize from document fragment function for dropAttributes list {"ID": ["*"\]} with id attribute]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with ID attribute, sanitize from document fragment function for dropAttributes list {"ID": ["*"\]} with ID attribute]
expected: FAIL
[SanitizerAPI with config: blockElements with unknown elements and with allowUnknownMarkup, sanitize from document fragment function for blockElements with unknown elements and with allowUnknownMarkup]
expected: FAIL
[SanitizerAPI with config: allowAttributes unknown attributes and without allowUnknownMarkup, sanitize from document fragment function for allowAttributes unknown attributes and without allowUnknownMarkup]
expected: FAIL
[Sanitizer.sanitze(DocumentFragment)]
expected: FAIL
[Sanitizer.sanitze(Document)]
expected: FAIL
[SanitizerAPI with config: allow custom elements, sanitize from document function for allow custom elements]
expected: FAIL
[SanitizerAPI with config: allow custom elements with allow elements, sanitize from document function for allow custom elements with allow elements]
expected: FAIL
[SanitizerAPI with config: HTMLAnchorElement, sanitize from document function for HTMLAnchorElement]
expected: FAIL
[SanitizerAPI with config: HTMLAreaElement, sanitize from document function for HTMLAreaElement]
expected: FAIL
[SanitizerAPI with config: HTMLFormElement, sanitize from document function for HTMLFormElement]
expected: FAIL
[SanitizerAPI with config: dropElements list ["I", "DL"\]}, sanitize from document function for dropElements list ["I", "DL"\]}]
expected: FAIL
[SanitizerAPI with config: allowElements with unknown elements and with allowUnknownMarkup, sanitize from document function for allowElements with unknown elements and with allowUnknownMarkup]
expected: FAIL
[SanitizerAPI with config: allow custom elements, sanitize from document fragment function for allow custom elements]
expected: FAIL
[SanitizerAPI with config: allow custom elements with allow elements, sanitize from document fragment function for allow custom elements with allow elements]
expected: FAIL
[SanitizerAPI with config: HTMLAnchorElement, sanitize from document fragment function for HTMLAnchorElement]
expected: FAIL
[SanitizerAPI with config: HTMLAreaElement, sanitize from document fragment function for HTMLAreaElement]
expected: FAIL
[SanitizerAPI with config: HTMLFormElement, sanitize from document fragment function for HTMLFormElement]
expected: FAIL
[SanitizerAPI with config: dropElements list ["I", "DL"\]}, sanitize from document fragment function for dropElements list ["I", "DL"\]}]
expected: FAIL
[SanitizerAPI with config: allowElements with unknown elements and with allowUnknownMarkup, sanitize from document fragment function for allowElements with unknown elements and with allowUnknownMarkup]
expected: FAIL
[SanitizerAPI with config: plaintext, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"style": ["p"\]} with style attribute, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLAnchorElement with javascript protocal, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"*": ["a"\]} with style attribute, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLAnchorElement with javascript protocal start with space, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: empty dropAttributes list with id attribute, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLAreaElement with javascript protocal, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLAreaElement with javascript protocal start with space, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: allowAttributes list {"*": ["a"\]} with style attribute, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLFormElement with javascript action, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: HTMLAnchorElement, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLFormElement with javascript action start with space, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: HTMLAreaElement, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLInputElement with javascript formaction, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: HTMLFormElement, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLInputElement with javascript formaction start with space, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: HTMLInputElement, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLButtonElement with javascript formaction, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: HTMLButtonElement, sanitize from document function for <body>]
[SanitizerAPI with config: HTMLButtonElement with javascript formaction start with space, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: dropElements list ["I", "DL"\]}, sanitize from document function for <body>]
@ -206,40 +42,40 @@
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with ID attribute, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: allowAttributes unknown attributes and without allowUnknownMarkup, sanitize from document function for <body>]
[SanitizerAPI with config: allowAttributes unknown attributes and with allowUnknownMarkup, sanitize from document function for <body>]
expected: FAIL
[SanitizerAPI with config: plaintext, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"style": ["p"\]} with style attribute, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLAnchorElement with javascript protocal, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"*": ["a"\]} with style attribute, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLAnchorElement with javascript protocal start with space, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: empty dropAttributes list with id attribute, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLAreaElement with javascript protocal, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: dropAttributes list {"data-attribute-with-dashes": ["*"\]} with dom dataset js access, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLAreaElement with javascript protocal start with space, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: allowAttributes list {"*": ["a"\]} with style attribute, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLFormElement with javascript action, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: HTMLAnchorElement, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLFormElement with javascript action start with space, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: HTMLAreaElement, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLInputElement with javascript formaction, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: HTMLFormElement, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLInputElement with javascript formaction start with space, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: HTMLInputElement, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLButtonElement with javascript formaction, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: HTMLButtonElement, sanitize from document fragment function for <template>]
[SanitizerAPI with config: HTMLButtonElement with javascript formaction start with space, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: dropElements list ["I", "DL"\]}, sanitize from document fragment function for <template>]
@ -251,5 +87,5 @@
[SanitizerAPI with config: dropAttributes list {"ID": ["*"\]} with ID attribute, sanitize from document fragment function for <template>]
expected: FAIL
[SanitizerAPI with config: allowAttributes unknown attributes and without allowUnknownMarkup, sanitize from document fragment function for <template>]
[SanitizerAPI with config: allowAttributes unknown attributes and with allowUnknownMarkup, sanitize from document fragment function for <template>]
expected: FAIL


@ -1,3 +1,3 @@
[sanitizer-unknown.https.html]
[Unknown attributes names get blocked without allowUnknownMarkup.]
[Unknown attribute names pass with allowUnknownMarkup.]
expected: FAIL