Issue 1146753004: Sanitization should reject elements that we can't examine (e.g. embed/object on FF)

Issue 1146753004: Sanitization should reject elements that we can't examine (e.g. embed/object on FF) (Closed)

Created:
5 years, 7 months ago by Alan Knight

Modified:
5 years, 7 months ago

Reviewers:
sra1

CC:
reviews_dartlang.org, ricow1

Base URL:
git@github.com:dart-lang/sdk.git@master

Target Ref:
refs/heads/master

Visibility:
Public.

More Reviews

Description

Sanitization should reject elements that we can't examine (e.g. embed/object on FF) BUG= R=sra@google.com Committed: https://github.com/dart-lang/sdk/commit/efb738f6335c89f91b796c80c53c19371b8b6e3b

Patch Set 3 : Review fixes #

Total comments: 1

Created: 5 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+264 lines, -142 lines)			Patch
M	sdk/lib/html/dart2js/html_dart2js.dart	View	1 2	3 chunks	+86 lines, -47 lines	0 comments	Download
M	sdk/lib/html/dartium/html_dartium.dart	View	1 2	2 chunks	+85 lines, -46 lines	0 comments	Download
M	tests/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart	View	1 2	1 chunk	+6 lines, -1 line	0 comments	Download
M	tools/dom/src/Validators.dart	View	1 2	1 chunk	+84 lines, -45 lines	0 comments	Download
M	tools/dom/templates/html/impl/impl_Element.darttemplate	View	1 2	2 chunks	+3 lines, -3 lines	1 comment	Download

Messages

Total messages: 8 (1 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

sra1

lgtm, esp if you can make the 'ok' path faster by moving all try-catch out ...

5 years, 7 months ago (2015-05-19 19:54:38 UTC) #3

Alan Knight

https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.dart File tools/dom/src/Validators.dart (right): https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.dart#newcode194 tools/dom/src/Validators.dart:194: corrupted = element._hasCorruptedAttributes; On 2015/05/19 19:54:38, sra1 wrote: > ...

5 years, 7 months ago (2015-05-19 21:54:55 UTC) #4

Alan Knight

PTAL https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.dart File tools/dom/src/Validators.dart (right): https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.dart#newcode190 tools/dom/src/Validators.dart:190: try { On 2015/05/19 19:54:38, sra1 wrote: > ...

5 years, 7 months ago (2015-05-19 23:12:12 UTC) #5

sra1

lgtm. Other questions about the loop are puzzles with the existing code so I'm not ...

5 years, 7 months ago (2015-05-19 23:45:02 UTC) #6

lgtm.

Other questions about the loop are puzzles with the existing code so I'm not too
worried about them.

https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.dart
File tools/dom/src/Validators.dart (right):

https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.da...
tools/dom/src/Validators.dart:194: corrupted = element._hasCorruptedAttributes;
On 2015/05/19 21:54:55, Alan Knight wrote:
> On 2015/05/19 19:54:38, sra1 wrote:
> > It seems dangerous to store this information of element.
> > Can it be stored elsewhere?
> 
> We're not storing it, it's a temp, and it's only used in the if statement
below.
> What do you mean?

Sorry, I thought that _hasCorruptedAttributes was a field.
I see it is a getter.

https://codereview.chromium.org/1146753004/diff/1/tools/dom/src/Validators.da...
tools/dom/src/Validators.dart:204: if (corrupted) {
On 2015/05/19 23:12:12, Alan Knight wrote:
> On 2015/05/19 19:54:38, sra1 wrote:
> > corrupted could be anything from the assignment at 194.
> > Test
> >   if (false != corrupted) ..
> 
> Done. But did it as (true = corrupted). I assume that's ok.
> 
> But how can it be anything if it's the result of calling a method with one
> implementation which is return JS('bool', ...  ? We don't use the JS return
> type?

Sorry, this again came from the misunderstanding that _hasCorruptedAttributes
was a field which could have any value.

It might be an idea to make _hasCorruptedAttributes be a static method to avoid
the need to dispatch (getInterceptor) to get to the code.

https://codereview.chromium.org/1146753004/diff/20001/tools/dom/src/Validator...
File tools/dom/src/Validators.dart (right):

https://codereview.chromium.org/1146753004/diff/20001/tools/dom/src/Validator...
tools/dom/src/Validators.dart:164: // If we have the parent, it's presumably
already passed more sanitization or
line length

https://codereview.chromium.org/1146753004/diff/20001/tools/dom/src/Validator...
tools/dom/src/Validators.dart:236: for (var i = attrs.length - 1; i >= 0; --i) {
Why not keys.length?
Why do we go backwards?
It looks to me like one could just write:

for (var name in attrs.keys.toList()) {
  ...
}

Alan Knight

https://codereview.chromium.org/1146753004/diff/20001/tools/dom/src/Validators.dart File tools/dom/src/Validators.dart (right): https://codereview.chromium.org/1146753004/diff/20001/tools/dom/src/Validators.dart#newcode164 tools/dom/src/Validators.dart:164: // If we have the parent, it's presumably already ...

5 years, 7 months ago (2015-05-21 20:38:41 UTC) #7

Alan Knight

5 years, 7 months ago (2015-05-21 20:54:55 UTC) #8

Message was sent while issue was closed.

Committed patchset #3 (id:40001) manually as
efb738f6335c89f91b796c80c53c19371b8b6e3b (presubmit successful).

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages