From 5744e98bb793ecb2945b80bfd8fb385309f6c335 Mon Sep 17 00:00:00 2001
From: Xidorn Quan
Date: Mon, 27 Feb 2017 12:06:05 +1100
Subject: [PATCH] Bug 1342348 part 1 - Don't check fragment url in tree sanitizer. r=hsivonen
MozReview-Commit-ID: 8tIiMtexHxd
--HG--
extra : rebase_source : e23191b1396a4eb73510456de97197a34d20f723
---
 dom/base/nsTreeSanitizer.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index 7219336db0d6..c275ece3ae74 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1281,6 +1281,10 @@ nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 static const char* kWhitespace = "\n\r\t\b";
 const nsAString& v = nsContentUtils::TrimCharsInSet(kWhitespace, value);
+ // Fragment-only url cannot be harmful.
+ if (v.First() == u'#') {
+ return false;
+ }
 nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
 uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
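Review bot: The added guard calls `v.First()` without checking that the trimmed value is non-empty, and an empty attribute value (or one made only of the characters in `kWhitespace`) leaves `v` empty at that point. As far as I know, `First()` on an empty Mozilla string trips a debug assertion rather than returning a defined "no character" result, so the check should read `if (!v.IsEmpty() && v.First() == u'#') {`. Because this is an early allow path in a sanitizer, the comment should also state the reasoning and the return convention, for example `// A fragment-only URL resolves against the current document, so it needs no load check; returning false presumably keeps the attribute.` The body of SanitizeURL starts and continues outside this hunk, so the meaning of the `false` return should be confirmed against the rest of the function.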