
Unified Diff: sdk/lib/html/dartium/html_dartium.dart

Issue 1146753004: Sanitization should reject elements that we can't examine (e.g. embed/object on FF) (Closed) Base URL: git@github.com:dart-lang/sdk.git@master
Patch Set: Created 5 years, 7 months ago
Index: sdk/lib/html/dartium/html_dartium.dart
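diff --git a/sdk/lib/html/dartium/html_dartium.dart b/sdk/lib/html/dartium/html_dartium.dart
index 25d91f6ec164c1a4b3897437e8bd5367cc704467..a6962e285fe5dbac192778036838dbec86172948 100644
--- a/sdk/lib/html/dartium/html_dartium.dart
+++ b/sdk/lib/html/dartium/html_dartium.dart
@@ -40729,24 +40729,49 @@ class _ValidatingTreeSanitizer implements NodeTreeSanitizer {
 switch (node.nodeType) {
 case Node.ELEMENT_NODE:
 Element element = node;
- if (element._hasCorruptedAttributes) {
- window.console.warn('Removing element due to corrupted attributes on <${element}>');
+ // If the _hasCorruptedAttributes does not successfully return false,
+ // then we consider it corrupted and remove.
+ // TODO(alanknight): This is a workaround because on Firefox
+ // embed/object
+ // tags typeof is "function", not "object". We don't recognize them, and
+ // can't call methods. This does mean that you can't explicitly allow an
+ // embed tag. The only thing that will let it through is a null
+ // sanitizer that doesn't traverse the tree at all. But sanitizing while
+ // allowing embeds seems quite unlikely.
+ var corrupted = true;
+ var attrs;
+ var isAttr;
+ try {
+ // If getting/indexing attributes throws, count that as corrupt.
+ attrs = element.attributes;
+ isAttr = attrs['is'];
+ corrupted = element._hasCorruptedAttributes;
+ } catch(e) {}
+ var elementText = 'element unprintable';
+ try {
+ elementText = element.toString();
+ } catch(e) {}
+ var elementTagName = 'element tag unavailable';
+ try {
+ elementTagName = element.tagName;
+ } catch(e) {}
+ if (corrupted) {
+ window.console.warn(
+ 'Removing element due to corrupted attributes on <$elementText>');
 _removeNode(node, parent);
 break;
 }
- var attrs = element.attributes;
 if (!validator.allowsElement(element)) {
 window.console.warn(
- 'Removing disallowed element <${element.tagName}>');
+ 'Removing disallowed element <$elementTagName>');
 _removeNode(node, parent);
 break;
 }
- var isAttr = attrs['is'];
 if (isAttr != null) {
 if (!validator.allowsAttribute(element, 'is', isAttr)) {
 window.console.warn('Removing disallowed type extension '
- '<${element.tagName} is="$isAttr">');
+ '<$elementTagName is="$isAttr">');
 _removeNode(node, parent);
 break;
 }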
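Review bot: The comment at the top of the added block says that anything other than a successful `false` from `_hasCorruptedAttributes` counts as corrupt, but the assignment `corrupted = element._hasCorruptedAttributes;` only covers a thrown exception or a `true` result; if that getter can ever yield a non-bool value such as null, `if (corrupted)` would not remove the node. Writing `corrupted = element._hasCorruptedAttributes != false;` would make the code match the stated fail-closed intent regardless of what the getter returns. The two later `catch(e) {}` blocks that only compute text for the warning messages read like swallowed errors without the rationale the first try block carries; a comment such as `// Best-effort text for the warning only; a failure here must not change what gets removed.` would make the design clear to the next reader. The enclosing method body continues past the end of this hunk.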
