Check for DOM clobbering attacks in sanitizing/node validation

tools/dom/src/Validators.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.dom.html;
 
 
 /**
  * Interface used to validate that only accepted elements and attributes are
  * allowed while parsing HTML strings into DOM nodes.
@@ skipping 127 matching lines @@
 
 /**
  * Standard tree sanitizer which validates a node tree against the provided
  * validator and removes any nodes or attributes which are not allowed.
  */
 class _ValidatingTreeSanitizer implements NodeTreeSanitizer {
   NodeValidator validator;
   _ValidatingTreeSanitizer(this.validator) {}
 
   void sanitizeTree(Node node) {
-    void walk(Node node) {
-      sanitizeNode(node);
+    void walk(Node node, Node parent) {
+      sanitizeNode(node, parent);
 
       var child = node.lastChild;
       while (child != null) {
         // Child may be removed during the walk.
         var nextChild = child.previousNode;
-        walk(child);
+        walk(child, node);
         child = nextChild;
       }
     }
-    walk(node);
+    walk(node, null);
   }
 
-  void sanitizeNode(Node node) {
+  /// Aggressively try to remove node.
+  void _removeNode(Node node, Node parent) {
+    // If we have the parent, it's presumably already passed more sanitization or
+    // is the fragment, so ask it to remove the child. And if that fails try to
+    // set the outer html.
+    if (parent == null) {
+      node.remove();
+    } else {
+      try {
+        parent._removeChild(node);
+      } catch (e) {
+        node.outerHtml = '';
+      }
+    }
+  }
+  
+  void sanitizeNode(Node node, Node parent) {
     switch (node.nodeType) {
       case Node.ELEMENT_NODE:
         Element element = node;
+        if (element._hasCorruptedAttributes) {
+          window.console.warn('Removing element due to corrupted attributes on <${element}>');
+          _removeNode(node, parent);
+          break;
+        }
         var attrs = element.attributes;
         if (!validator.allowsElement(element)) {
           window.console.warn(
               'Removing disallowed element <${element.tagName}>');
-          element.remove();
+          _removeNode(node, parent);
           break;
         }
 
         var isAttr = attrs['is'];
         if (isAttr != null) {
           if (!validator.allowsAttribute(element, 'is', isAttr)) {
             window.console.warn('Removing disallowed type extension '
                 '<${element.tagName} is="$isAttr">');
-            element.remove();
+            _removeNode(node, parent);
             break;
           }
         }
 
         // TODO(blois): Need to be able to get all attributes, irrespective of
         // XMLNS.
         var keys = attrs.keys.toList();
         for (var i = attrs.length - 1; i >= 0; --i) {
           var name = keys[i];
           if (!validator.allowsAttribute(element, name.toLowerCase(),
               attrs[name])) {
             window.console.warn('Removing disallowed attribute '
                 '<${element.tagName} $name="${attrs[name]}">');
             attrs.remove(name);
           }
         }
 
         if (element is TemplateElement) {
           TemplateElement template = element;
           sanitizeTree(template.content);
         }
         break;
       case Node.COMMENT_NODE:
       case Node.DOCUMENT_FRAGMENT_NODE:
       case Node.TEXT_NODE:
       case Node.CDATA_SECTION_NODE:
         break;
       default:
-        node.remove();
+        _removeNode(node, parent);
     }
   }
 }