Bug 1690984 - Allow data, dialog, main, picture, and template in nsTreeSanitizer r=hsivonen

Differential Revision: https://phabricator.services.mozilla.com/D104153
Frederik Braun 2021-02-05 12:34:58 +00:00
Родитель 7315eeca9f
Коммит 66b19c3368
2 изменённых файлов: 42 добавлений и 5 удалений


@ -14,6 +14,7 @@
#include "mozilla/css/Rule.h"
#include "mozilla/dom/CSSRuleList.h"
#include "mozilla/dom/DocumentFragment.h"
#include "mozilla/dom/HTMLTemplateElement.h"
#include "mozilla/dom/SRIMetadata.h"
#include "mozilla/NullPrincipal.h"
#include "nsCSSPropertyID.h"
@ -61,11 +62,13 @@ const nsStaticAtom* const kElementsHTML[] = {
nsGkAtoms::code,
nsGkAtoms::col,
nsGkAtoms::colgroup,
nsGkAtoms::data,
nsGkAtoms::datalist,
nsGkAtoms::dd,
nsGkAtoms::del,
nsGkAtoms::details,
nsGkAtoms::dfn,
nsGkAtoms::dialog,
nsGkAtoms::dir,
nsGkAtoms::div,
nsGkAtoms::dl,
@ -99,6 +102,7 @@ const nsStaticAtom* const kElementsHTML[] = {
nsGkAtoms::li,
nsGkAtoms::link,
nsGkAtoms::listing,
nsGkAtoms::main,
nsGkAtoms::map,
nsGkAtoms::mark,
nsGkAtoms::menu,
@ -112,6 +116,7 @@ const nsStaticAtom* const kElementsHTML[] = {
nsGkAtoms::option,
nsGkAtoms::output,
nsGkAtoms::p,
nsGkAtoms::picture,
nsGkAtoms::pre,
nsGkAtoms::progress,
nsGkAtoms::q,
@ -136,6 +141,7 @@ const nsStaticAtom* const kElementsHTML[] = {
nsGkAtoms::table,
nsGkAtoms::tbody,
nsGkAtoms::td,
// template checked and traversed specially
nsGkAtoms::textarea,
nsGkAtoms::tfoot,
nsGkAtoms::th,
@ -1009,6 +1015,9 @@ bool nsTreeSanitizer::MustFlatten(int32_t aNamespace, nsAtom* aLocal) {
nsGkAtoms::head == aLocal || nsGkAtoms::body == aLocal)) {
return false;
}
if (nsGkAtoms::_template == aLocal) {
return false;
}
return !sElementsHTML->Contains(aLocal);
}
if (aNamespace == kNameSpaceID_SVG) {
@ -1340,6 +1349,15 @@ void nsTreeSanitizer::SanitizeChildren(nsINode* aRoot) {
node = next;
continue;
}
if (nsGkAtoms::_template == localName) {
// traverse into the DocFragment content attribute of template elements
bool wasFullDocument = mFullDocument;
mFullDocument = false;
RefPtr<DocumentFragment> frag =
static_cast<HTMLTemplateElement*>(elt)->Content();
SanitizeChildren(frag);
mFullDocument = wasFullDocument;
}
if (nsGkAtoms::style == localName) {
// If !mOnlyConditionalCSS check the following condition:
// If styles aren't allowed, style elements got pruned above. Even
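Review bot: The new template branch in SanitizeChildren tests only `nsGkAtoms::_template == localName` before `static_cast<HTMLTemplateElement*>(elt)`, so the cast is sound only if an element with local name "template" in another namespace can never reach this point. The matching `_template` exemption in MustFlatten sits inside the XHTML branch (the SVG branch starts right after it), so a non-XHTML "template" element presumably gets flattened or pruned earlier in the loop, outside this hunk, but that coupling is implicit and a later change to the allow lists would silently turn it into a type confusion. A namespace check on the condition itself makes the invariant local and cheap: `if (ns == kNameSpaceID_XHTML && nsGkAtoms::_template == localName) {` (using whatever name the loop already holds the element's namespace id under). SanitizeChildren's body begins and ends outside the hunk.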


@ -660,11 +660,6 @@ var vectors = [
sanitized:
'<html><head></head><body>\n&lt;%\n\n<img alt="%&gt;&lt;/xmp&gt;&lt;img src=xx:x onerror=alert(1)//">\n\n %&gt;/\nalert(2)\n\n\nXXX\n\n--&gt;{}\n*{color:red}</body></html>',
},
{
data:
'<?xml-stylesheet type="text/xsl" href="#" ?>\r\n<stylesheet xmlns="http://www.w3.org/TR/WD-xsl">\r\n<template match="/">\r\n<eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert(1)</eval>\r\n<if expr="new ActiveXObject(\'htmlfile\').parentWindow.alert(2)"></if>\r\n</template>\r\n</stylesheet>',
sanitized: "<html><head></head><body>\n\n</body></html>",
},
{
data:
'<form action="" method="post">\r\n<input name="username" value="admin" />\r\n<input name="password" type="password" value="secret" />\r\n<input name="injected" value="injected" dirname="password" />\r\n<input type="submit">\r\n</form>',
@ -985,4 +980,28 @@ var vectors = [
data: "",
sanitized: "<html><head></head><body></body></html>",
},
{
data: "<dialog>allowed</dialog>",
sanitized:
"<html><head></head><body><dialog>allowed</dialog></body></html>",
},
{
data: "<main>allowed</main>",
sanitized: "<html><head></head><body><main>allowed</main></body></html>",
},
{
data: "<picture>allowed</picture>",
sanitized:
"<html><head></head><body><picture>allowed</picture></body></html>",
},
{
data: "<template>allowed</template>",
sanitized:
"<html><head><template>allowed</template></head><body></body></html>",
},
{
data: '<template><img src="x" onerror="alert(1)"></template>',
sanitized:
"<html><head><template><img></template></head><body></body></html>",
},
];
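Review bot: The new vectors cover dialog, main, picture and template, but nothing exercises `<data>`, which the commit title and the kElementsHTML change also allow; a vector in the same shape keeps that path under test, e.g. `{ data: "<data>allowed</data>", sanitized: "<html><head></head><body><data>allowed</data></body></html>", }`. The last added vector shows that `onerror` is stripped from an `<img>` inside template content, which is the important regression guard for the new traversal; a sibling vector with a nested `<template>` inside a `<template>` would pin the recursive case as well. The `vectors` array starts outside the hunk.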