Bug 1408311 - Part 4: Fix bug when serializing sanitized style rules. r=xidorn

MozReview-Commit-ID: LBfmRsYSJND --HG-- extra : rebase_source : 07dbbf8254c7b7217f7dd794d64168f7ecaae57a
2017-10-19 16:30:35 +08:00 · 2017-10-19 16:30:35 +08:00 · c57d1b16bf
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@ -1067,13 +1067,9 @@ nsTreeSanitizer::MustPrune(int32_t aNamespace,
 }

 bool
-nsTreeSanitizer::SanitizeStyleDeclaration(DeclarationBlock* aDeclaration,
-                                          nsAutoString& aRuleText)
+nsTreeSanitizer::SanitizeStyleDeclaration(DeclarationBlock* aDeclaration)
 {
-  bool didSanitize =
-    aDeclaration->RemovePropertyByID(eCSSProperty__moz_binding);
-  aDeclaration->ToString(aRuleText);
-  return didSanitize;
+  return aDeclaration->RemovePropertyByID(eCSSProperty__moz_binding);
 }

 bool
@ -1152,12 +1148,11 @@ nsTreeSanitizer::SanitizeStyleSheet(const nsAString& aOriginal,
        auto styleRule = static_cast<BindingStyleRule*>(rule);
        DeclarationBlock* styleDecl = styleRule->GetDeclarationBlock();
        MOZ_ASSERT(styleDecl);
-        nsAutoString decl;
-        bool sanitized = SanitizeStyleDeclaration(styleDecl, decl);
-        didSanitize = sanitized || didSanitize;
-        if (!sanitized) {
-          styleRule->GetCssText(decl);
+        if (SanitizeStyleDeclaration(styleDecl)) {
+          didSanitize = true;
        }
+        nsAutoString decl;
+        styleRule->GetCssText(decl);
        aSanitized.Append(decl);
      }
    }
@ -1201,8 +1196,9 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
                                            document->NodePrincipal());
        }
        if (decl) {
-          nsAutoString cleanValue;
-          if (SanitizeStyleDeclaration(decl, cleanValue)) {
+          if (SanitizeStyleDeclaration(decl)) {
+            nsAutoString cleanValue;
+            decl->ToString(cleanValue);
            aElement->SetAttr(kNameSpaceID_None,
                              nsGkAtoms::style,
                              cleanValue,
--- a/dom/base/nsTreeSanitizer.h
+++ b/dom/base/nsTreeSanitizer.h
@ -151,15 +151,12 @@ class MOZ_STACK_CLASS nsTreeSanitizer {

    /**
     * Checks a style rule for the presence of the 'binding' CSS property and
-     * removes that property from the rule and reserializes in case the
-     * property was found.
+     * removes that property from the rule.
     *
     * @param aDeclaration The style declaration to check
-     * @param aRuleText the serialized mutated rule if the method returns true
     * @return true if the rule was modified and false otherwise
     */
-    bool SanitizeStyleDeclaration(mozilla::DeclarationBlock* aDeclaration,
-                                  nsAutoString& aRuleText);
+    bool SanitizeStyleDeclaration(mozilla::DeclarationBlock* aDeclaration);

    /**
     * Parses a style sheet and reserializes it with the 'binding' property
--- a/dom/base/test/test_bug650776.html
+++ b/dom/base/test/test_bug650776.html
@ -29,8 +29,8 @@ is(s.sanitize("<a onclick='boom()'></a>", 0), "<html><head></head><body><a></a><
 is(s.sanitize("<style>p { color: red; }</style><p style='background-color: blue;'></p>", 0), "<html><head></head><body><p></p></body></html>", "Wrong sanitizer result 4");
 // Can allow styles
 is(s.sanitize("<style>p { color: red; }</style><p style='background-color: blue;'></p>", u.SanitizerAllowStyle), '<html><head><style>p { color: red; }</style></head><body><p style="background-color: blue;"></p></body></html>', "Wrong sanitizer result 5");
-// -moz-binding gets dropped when styles allowed; however, reconstructing the p { ... } part seems broken!
-todo_is(s.sanitize("<style>p { color: red; -moz-binding: url(foo); }</style><p style='background-color: blue; -moz-binding: url(foo);'></p>", u.SanitizerAllowStyle), '<html><head><style>p { color: red; }</style></head><body><p style="background-color: blue;"></p></body></html>', "Wrong sanitizer result 6");
+// -moz-binding gets dropped when styles allowed
+is(s.sanitize("<style>p { color: red; -moz-binding: url(foo); }</style><p style='background-color: blue; -moz-binding: url(foo);'></p>", u.SanitizerAllowStyle), '<html><head><style>p { color: red; }</style></head><body><p style="background-color: blue;"></p></body></html>', "Wrong sanitizer result 6");
 // Various cid: embeds only cases
 is(s.sanitize("<img src='foo.html'>", u.SanitizerCidEmbedsOnly), '<html><head></head><body><img></body></html>', "Wrong sanitizer result 7");
 is(s.sanitize("<img src='cid:foo'>", u.SanitizerCidEmbedsOnly), '<html><head></head><body><img src="cid:foo"></body></html>', "Wrong sanitizer result 8");