Chromium Code Reviews Chromium Code Reviews
Issue 1146753004:
Sanitization should reject elements that we can't examine (e.g. embed/object on FF) (Closed)
Base URL: git@github.com:dart-lang/sdk.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
| 2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
| 3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
| 4 | 4 |
| 5 part of dart.dom.html; | 5 part of dart.dom.html; |
| 6 | 6 |
| 7 | 7 |
| 8 /** | 8 /** |
| 9 * Interface used to validate that only accepted elements and attributes are | 9 * Interface used to validate that only accepted elements and attributes are |
| 10 * allowed while parsing HTML strings into DOM nodes. | 10 * allowed while parsing HTML strings into DOM nodes. |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 154 var nextChild = child.previousNode; | 154 var nextChild = child.previousNode; |
| 155 walk(child, node); | 155 walk(child, node); |
| 156 child = nextChild; | 156 child = nextChild; |
| 157 } | 157 } |
| 158 } | 158 } |
| 159 walk(node, null); | 159 walk(node, null); |
| 160 } | 160 } |
| 161 | 161 |
| 162 /// Aggressively try to remove node. | 162 /// Aggressively try to remove node. |
| 163 void _removeNode(Node node, Node parent) { | 163 void _removeNode(Node node, Node parent) { |
| 164 // If we have the parent, it's presumably already passed more sanitization o r | 164 // If we have the parent, it's presumably already passed more sanitization o r |
|
sra1
2015/05/19 23:45:02
line length
Alan Knight
2015/05/21 20:38:41
Done.
| |
| 165 // is the fragment, so ask it to remove the child. And if that fails try to | 165 // is the fragment, so ask it to remove the child. And if that fails try to |
| 166 // set the outer html. | 166 // set the outer html. |
| 167 if (parent == null) { | 167 if (parent == null) { |
| 168 node.remove(); | 168 node.remove(); |
| 169 } else { | 169 } else { |
| 170 parent._removeChild(node); | 170 parent._removeChild(node); |
| 171 } | 171 } |
| 172 } | 172 } |
| 173 | 173 |
| 174 /// Sanitize the element, assuming we can't trust anything about it. | |
| 175 void _sanitizeUntrustedElement(Element element, Node parent) { | |
| 176 // If the _hasCorruptedAttributes does not successfully return false, | |
| 177 // then we consider it corrupted and remove. | |
| 178 // TODO(alanknight): This is a workaround because on Firefox | |
| 179 // embed/object | |
| 180 // tags typeof is "function", not "object". We don't recognize them, and | |
| 181 // can't call methods. This does mean that you can't explicitly allow an | |
| 182 // embed tag. The only thing that will let it through is a null | |
| 183 // sanitizer that doesn't traverse the tree at all. But sanitizing while | |
| 184 // allowing embeds seems quite unlikely. | |
| 185 var corrupted = true; | |
| 186 var attrs; | |
| 187 var isAttr; | |
| 188 try { | |
| 189 // If getting/indexing attributes throws, count that as corrupt. | |
| 190 attrs = element.attributes; | |
| 191 isAttr = attrs['is']; | |
| 192 corrupted = element._hasCorruptedAttributes; | |
| 193 } catch(e) {} | |
| 194 var elementText = 'element unprintable'; | |
| 195 try { | |
| 196 elementText = element.toString(); | |
| 197 } catch(e) {} | |
| 198 var elementTagName = 'element tag unavailable'; | |
| 199 try { | |
| 200 elementTagName = element.tagName; | |
| 201 } catch(e) {} | |
| 202 _sanitizeElement(element, parent, corrupted, elementText, elementTagName, | |
| 203 attrs, isAttr); | |
| 204 } | |
| 205 | |
| 206 /// Having done basic sanity checking on the element, and computed the | |
| 207 /// important attributes we want to check, remove it if it's not valid | |
| 208 /// or not allowed, either as a whole or particular attributes. | |
| 209 void _sanitizeElement(Element element, Node parent, bool corrupted, | |
| 210 String text, String tag, Map attrs, String isAttr) { | |
| 211 if (true == corrupted) { | |
| 212 window.console.warn( | |
| 213 'Removing element due to corrupted attributes on <$text>'); | |
| 214 _removeNode(element, parent); | |
| 215 return; | |
| 216 } | |
| 217 if (!validator.allowsElement(element)) { | |
| 218 window.console.warn( | |
| 219 'Removing disallowed element <$tag>'); | |
| 220 _removeNode(element, parent); | |
| 221 return; | |
| 222 } | |
| 223 | |
| 224 if (isAttr != null) { | |
| 225 if (!validator.allowsAttribute(element, 'is', isAttr)) { | |
| 226 window.console.warn('Removing disallowed type extension ' | |
| 227 '<$tag is="$isAttr">'); | |
| 228 _removeNode(element, parent); | |
| 229 return; | |
| 230 } | |
| 231 } | |
| 232 | |
| 233 // TODO(blois): Need to be able to get all attributes, irrespective of | |
| 234 // XMLNS. | |
| 235 var keys = attrs.keys.toList(); | |
| 236 for (var i = attrs.length - 1; i >= 0; --i) { | |
|
sra1
2015/05/19 23:45:02
Why not keys.length?
Why do we go backwards?
It lo
Alan Knight
2015/05/21 20:38:41
I don't know. But it makes me a little nervous tha
| |
| 237 var name = keys[i]; | |
| 238 if (!validator.allowsAttribute(element, name.toLowerCase(), | |
| 239 attrs[name])) { | |
| 240 window.console.warn('Removing disallowed attribute ' | |
| 241 '<$tag $name="${attrs[name]}">'); | |
| 242 attrs.remove(name); | |
| 243 } | |
| 244 } | |
| 245 | |
| 246 if (element is TemplateElement) { | |
| 247 TemplateElement template = element; | |
| 248 sanitizeTree(template.content); | |
| 249 } | |
| 250 } | |
| 251 | |
| 252 /// Sanitize the node and its children recursively. | |
| 174 void sanitizeNode(Node node, Node parent) { | 253 void sanitizeNode(Node node, Node parent) { |
| 175 switch (node.nodeType) { | 254 switch (node.nodeType) { |
| 176 case Node.ELEMENT_NODE: | 255 case Node.ELEMENT_NODE: |
| 177 Element element = node; | 256 _sanitizeUntrustedElement(node, parent); |
| 178 if (element._hasCorruptedAttributes) { | |
| 179 window.console.warn('Removing element due to corrupted attributes on < ${element}>'); | |
| 180 _removeNode(node, parent); | |
| 181 break; | |
| 182 } | |
| 183 var attrs = element.attributes; | |
| 184 if (!validator.allowsElement(element)) { | |
| 185 window.console.warn( | |
| 186 'Removing disallowed element <${element.tagName}>'); | |
| 187 _removeNode(node, parent); | |
| 188 break; | |
| 189 } | |
| 190 | |
| 191 var isAttr = attrs['is']; | |
| 192 if (isAttr != null) { | |
| 193 if (!validator.allowsAttribute(element, 'is', isAttr)) { | |
| 194 window.console.warn('Removing disallowed type extension ' | |
| 195 '<${element.tagName} is="$isAttr">'); | |
| 196 _removeNode(node, parent); | |
| 197 break; | |
| 198 } | |
| 199 } | |
| 200 | |
| 201 // TODO(blois): Need to be able to get all attributes, irrespective of | |
| 202 // XMLNS. | |
| 203 var keys = attrs.keys.toList(); | |
| 204 for (var i = attrs.length - 1; i >= 0; --i) { | |
| 205 var name = keys[i]; | |
| 206 if (!validator.allowsAttribute(element, name.toLowerCase(), | |
| 207 attrs[name])) { | |
| 208 window.console.warn('Removing disallowed attribute ' | |
| 209 '<${element.tagName} $name="${attrs[name]}">'); | |
| 210 attrs.remove(name); | |
| 211 } | |
| 212 } | |
| 213 | |
| 214 if (element is TemplateElement) { | |
| 215 TemplateElement template = element; | |
| 216 sanitizeTree(template.content); | |
| 217 } | |
| 218 break; | 257 break; |
| 219 case Node.COMMENT_NODE: | 258 case Node.COMMENT_NODE: |
| 220 case Node.DOCUMENT_FRAGMENT_NODE: | 259 case Node.DOCUMENT_FRAGMENT_NODE: |
| 221 case Node.TEXT_NODE: | 260 case Node.TEXT_NODE: |
| 222 case Node.CDATA_SECTION_NODE: | 261 case Node.CDATA_SECTION_NODE: |
| 223 break; | 262 break; |
| 224 default: | 263 default: |
| 225 _removeNode(node, parent); | 264 _removeNode(node, parent); |
| 226 } | 265 } |
| 227 } | 266 } |
| 228 } | 267 } |
| OLD | NEW |
