Bug 854849 - Sanitize displayable fields in manifests r=vingtetun

dom/apps/src/AppsUtils.jsm

@@ -205,6 +205,54 @@ this.AppsUtils = {
              "isCoreApp": isCoreApp };
   },
 
+  /**
+    * Remove potential HTML tags from displayable fields in the manifest.
+    * We check name, description, developer name, and permission description
+    */
+  sanitizeManifest: function(aManifest) {
+    let sanitizer = Cc["@mozilla.org/parserutils;1"]
+                      .getService(Ci.nsIParserUtils);
+    if (!sanitizer) {
+      return;
+    }
+
+    function sanitize(aStr) {
+      return sanitizer.convertToPlainText(aStr,
+               Ci.nsIDocumentEncoder.OutputSelectionOnly |
+               Ci.nsIDocumentEncoder.OutputAbsoluteLinks, 0);
+    }
+
+    function sanitizeEntryPoint(aRoot) {
+      aRoot.name = sanitize(aRoot.name);
+
+      if (aRoot.description) {
+        aRoot.description = sanitize(aRoot.description);
+      }
+
+      if (aRoot.developer && aRoot.developer.name) {
+        aRoot.developer.name = sanitize(aRoot.developer.name);
+      }
+
+      if (aRoot.permissions) {
+        for (let permission in aRoot.permissions) {
+          if (aRoot.permissions[permission].description) {
+            aRoot.permissions[permission].description =
+             sanitize(aRoot.permissions[permission].description);
+          }
+        }
+      }
+    }
+
+    // First process the main section, then the entry points.
+    sanitizeEntryPoint(aManifest);
+
+    if (aManifest.entry_points) {
+      for (let entry in aManifest.entry_points) {
+        sanitizeEntryPoint(aManifest.entry_points[entry]);
+      }
+    }
+  },
+
   /**
    * From https://developer.mozilla.org/en/OpenWebApps/The_Manifest
    * Only the name property is mandatory.
@@ -213,6 +261,8 @@ this.AppsUtils = {
     if (aManifest.name == undefined)
       return false;
 
+    this.sanitizeManifest(aManifest);
+
     // launch_path, entry_points launch paths, message hrefs, and activity hrefs can't be absolute
     if (aManifest.launch_path && isAbsoluteURI(aManifest.launch_path))
       return false;

dom/apps/tests/Makefile.in

@@ -24,4 +24,6 @@ MOCHITEST_CHROME_FILES = \
   test_apps_service.xul \
   $(NULL)
 
+XPCSHELL_TESTS = unit
+
 include $(topsrcdir)/config/rules.mk

dom/apps/tests/file_hosted_app.template.webapp

@@ -1,5 +1,5 @@
 {
   "name": "Really Rapid Release (hosted)",
-  "description": "Updated even faster than Firefox, just to annoy slashdotters.",
+  "description": "Updated even faster than <a href='http://mozilla.org'>Firefox</a>, just to annoy slashdotters.",
   "launch_path": "/tests/dom/apps/tests/file_app.sjs?apptype=hosted"
 }

dom/apps/tests/test_app_update.html

@@ -69,6 +69,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=826058
     yield;
     var app = request.result;
     ok(app, "App is non-null");
+    ok(app.manifest.description == "Updated even faster than Firefox, just to annoy slashdotters.",
+       "Manifest is HTML-sanitized");
 
     // Check the app a few times.
     checkAppState(app, true, 2, continueTest);

dom/apps/tests/unit/test_manifestSanitizer.js

@@ -0,0 +1,63 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+function testEntryPoint(aRoot) {
+  do_check_true(aRoot.name == "hello world");
+  do_check_true(aRoot.description == "A bold name");
+  do_check_true(aRoot.developer.name == "Blink Inc.");
+
+  let permissions = aRoot.permissions;
+  do_check_true(permissions.contacts.description == "Required for autocompletion in the share screen");
+  do_check_true(permissions.alarms.description == "Required to schedule notifications");
+}
+
+function run_test() {
+  Components.utils.import("resource:///modules/AppsUtils.jsm");
+
+  do_check_true(!!AppsUtils);
+
+  // Test manifest, with one entry point.
+  let manifest = {
+    name: "hello <b>world</b>",
+    description: "A bold name",
+    developer: {
+      name: "<blink>Blink</blink> Inc.",
+      url: "http://blink.org"
+    },
+    permissions : {
+      "contacts": {
+        "description": "Required for autocompletion in the <a href='http://shareme.com'>share</a> screen",
+        "access": "readcreate"
+        },
+      "alarms": {
+        "description": "Required to schedule notifications"
+      }
+    },
+
+    entry_points: {
+      "subapp": {
+        name: "hello <b>world</b>",
+        description: "A bold name",
+        developer: {
+          name: "<blink>Blink</blink> Inc.",
+          url: "http://blink.org"
+        },
+        permissions : {
+          "contacts": {
+            "description": "Required for autocompletion in the <a href='http://shareme.com'>share</a> screen",
+            "access": "readcreate"
+            },
+          "alarms": {
+            "description": "Required to schedule notifications"
+          }
+        }
+      }
+    }
+  }
+
+  AppsUtils.sanitizeManifest(manifest);
+
+  // Check the main section and the subapp entry point.
+  testEntryPoint(manifest);
+  testEntryPoint(manifest.entry_points.subapp);
+}

dom/apps/tests/unit/xpcshell.ini

@@ -0,0 +1,5 @@
+[DEFAULT]
+head =
+tail =
+
+[test_manifestSanitizer.js]

testing/xpcshell/xpcshell.ini

@@ -10,6 +10,7 @@
 [include:parser/xml/test/unit/xpcshell.ini]
 [include:image/test/unit/xpcshell.ini]
 [include:dom/activities/tests/unit/xpcshell.ini]
+[include:dom/apps/tests/unit/xpcshell.ini]
 [include:dom/encoding/test/unit/xpcshell.ini]
 [include:dom/plugins/test/unit/xpcshell.ini]
 [include:dom/mobilemessage/tests/xpcshell.ini]