Index: tools/dom/templates/html/impl/impl_Element.darttemplate |
diff --git a/tools/dom/templates/html/impl/impl_Element.darttemplate b/tools/dom/templates/html/impl/impl_Element.darttemplate |
index a41c6a6831db92c61746f14cf2f01f926dc5e362..14d6abf14b74cd7e7c5b17797fa6e72143953bf9 100644 |
--- a/tools/dom/templates/html/impl/impl_Element.darttemplate |
+++ b/tools/dom/templates/html/impl/impl_Element.darttemplate |
@@ -1387,6 +1387,38 @@ $endif |
* used when an explicit accessor is not available. |
*/ |
ElementEvents get on => new ElementEvents(this); |
+ |
+ /** |
+ * Verify if any of the attributes that we use in the sanitizer look unexpected, |
+ * possibly indicating DOM clobbering attacks. |
+ * |
+ * Those attributes are: attributes, lastChild, children, previousNode and tagName. |
+ */ |
+$if DART2JS |
+ bool get _hasCorruptedAttributes { |
+ return JS('bool', r''' |
+ (function(element) { |
+ if (!(element.attributes instanceof NamedNodeMap)) { |
+ return true; |
+ } |
+ var childNodes = element.childNodes; |
+ if (element.lastChild && |
+ element.lastChild !== childNodes[childNodes.length -1]) { |
+ return true; |
+ } |
+ if (element.children) { // On Safari, children can apparently be null. |
+ if (!((element.children instanceof HTMLCollection) || |
+ (element.children instanceof NodeList))) { |
+ return true; |
+ } |
+ } |
+ return false; |
+ })(#)''', this); |
+ } |
+$else |
+ // Dartium isn't affected by these attacks, because it goes directly to the C++ API. |
+ bool get _hasCorruptedAttributes => false; |
+$endif |
$if DART2JS |
@DomName('Element.offsetHeight') |
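Review bot: The doc comment on `_hasCorruptedAttributes` lists five properties (attributes, lastChild, children, previousNode and tagName), but the DART2JS body tests only the first three, so `previousNode` and `tagName` are never inspected and a reader would assume coverage the getter does not provide. Either add the missing checks (for tagName, something like `if (typeof element.tagName != 'string') return true;`) or narrow the comment to `* Those attributes are: attributes, lastChild and children.`. `element.childNodes` is also used as the trusted reference in the lastChild comparison without any type test of its own, which deserves a short comment explaining why that is acceptable. A one-line statement of the contract, e.g. `// Returns true when the element must not be trusted by the sanitizer.`, would help callers that live outside this hunk.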