Side by Side Diff: tools/dom/templates/html/impl/impl_Element.darttemplate

Issue 1077813002: Check for DOM clobbering attacks in sanitizing/node validation (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Created 5 years, 8 months ago
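--- a/tools/dom/templates/html/impl/impl_Element.darttemplate
+++ b/tools/dom/templates/html/impl/impl_Element.darttemplate
@@ -1,10 +1,10 @@
 // Copyright (c) 2012, the Dart project authors. Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of $LIBRARYNAME;
 
 class _ChildrenElementList extends ListBase<Element>
 implements NodeListWrapper {
 // Raw Element.
 final Element _element;
@@ -1380,20 +1380,52 @@
 append(createFragment(
 html, validator: validator, treeSanitizer: treeSanitizer));
 }
 String get innerHtml => _innerHtml;
 
 /**
 * This is an ease-of-use accessor for event streams which should only be
 * used when an explicit accessor is not available.
 */
 ElementEvents get on => new ElementEvents(this);
+
+/**
+* Verify if any of the attributes that we use in the sanitizer look unexpecte d,
+* possibly indicating DOM clobbering attacks.
+*
+* Those attributes are: attributes, lastChild, children, previousNode and tag Name.
+*/
+$if DART2JS
+bool get _hasCorruptedAttributes {
+return JS('bool', r'''
+(function(element) {
+if (!(element.attributes instanceof NamedNodeMap)) {
+return true;
+}
+var childNodes = element.childNodes;
+if (element.lastChild &&
+element.lastChild !== childNodes[childNodes.length -1]) {
+return true;
+}
+if (element.children) { // On Safari, children can apparently be null.
+if (!((element.children instanceof HTMLCollection) ||
+(element.children instanceof NodeList))) {
+return true;
+}
+}
+return false;
+})(#)''', this);
+}
+$else
+// Dartium isn't affected by these attacks, because it goes directly to the C+ + API.
+bool get _hasCorruptedAttributes => false;
+$endif
 
 $if DART2JS
 @DomName('Element.offsetHeight')
 @DocsEditable()
 int get offsetHeight => JS('num', '#.offsetHeight', this).round();
 
 @DomName('Element.offsetLeft')
 @DocsEditable()
 int get offsetLeft => JS('num', '#.offsetLeft', this).round();
 
@@ -1545,10 +1577,10 @@
 const ScrollAlignment._internal(this._value);
 toString() => 'ScrollAlignment.$_value';
 
 /// Attempt to align the element to the top of the scrollable area.
 static const TOP = const ScrollAlignment._internal('TOP');
 /// Attempt to center the element in the scrollable area.
 static const CENTER = const ScrollAlignment._internal('CENTER');
 /// Attempt to align the element to the bottom of the scrollable area.
 static const BOTTOM = const ScrollAlignment._internal('BOTTOM');
 }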
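Review bot: The doc comment on `_hasCorruptedAttributes` says five properties are verified (attributes, lastChild, children, previousNode and tagName), but the DART2JS body only tests `attributes`, `lastChild` against `childNodes`, and `children`. Nothing visible here validates `previousNode` or `tagName`, so either those checks are made elsewhere (perhaps in Validators.dart, which this page does not show) and the comment should say so, or they are missing. `childNodes` is also used as the trusted reference for the `lastChild` comparison without a type test of its own; adding `if (!(childNodes instanceof NodeList)) return true;` before that comparison would make the assumption explicit and match how `attributes` and `children` are handled. The `instanceof` tests presumably also report nodes owned by another frame's document as corrupted, which fails closed but is worth a one-line comment so a later maintainer does not relax the check to remove the false positive.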