| Index: sdk/lib/html/dart2js/html_dart2js.dart
|
| diff --git a/sdk/lib/html/dart2js/html_dart2js.dart b/sdk/lib/html/dart2js/html_dart2js.dart
|
| index c96ee3c7f5ac75b1253aa6c901c549400b458323..7ddffc2b715e924f8c2222764771464ee3cb126d 100644
|
| --- a/sdk/lib/html/dart2js/html_dart2js.dart
|
| +++ b/sdk/lib/html/dart2js/html_dart2js.dart
|
| @@ -40794,51 +40794,90 @@ class _ValidatingTreeSanitizer implements NodeTreeSanitizer {
|
| parent._removeChild(node);
|
| }
|
| }
|
| -
|
| - void sanitizeNode(Node node, Node parent) {
|
| - switch (node.nodeType) {
|
| - case Node.ELEMENT_NODE:
|
| - Element element = node;
|
| - if (element._hasCorruptedAttributes) {
|
| - window.console.warn('Removing element due to corrupted attributes on <${element}>');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
| - var attrs = element.attributes;
|
| - if (!validator.allowsElement(element)) {
|
| - window.console.warn(
|
| - 'Removing disallowed element <${element.tagName}>');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
|
|
| - var isAttr = attrs['is'];
|
| - if (isAttr != null) {
|
| - if (!validator.allowsAttribute(element, 'is', isAttr)) {
|
| - window.console.warn('Removing disallowed type extension '
|
| - '<${element.tagName} is="$isAttr">');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
| - }
|
| + /// Sanitize the element, assuming we can't trust anything about it.
|
| + void _sanitizeUntrustedElement(Element element, Node parent) {
|
| + // If the _hasCorruptedAttributes does not successfully return false,
|
| + // then we consider it corrupted and remove.
|
| + // TODO(alanknight): This is a workaround because on Firefox
|
| + // embed/object
|
| + // tags typeof is "function", not "object". We don't recognize them, and
|
| + // can't call methods. This does mean that you can't explicitly allow an
|
| + // embed tag. The only thing that will let it through is a null
|
| + // sanitizer that doesn't traverse the tree at all. But sanitizing while
|
| + // allowing embeds seems quite unlikely.
|
| + var corrupted = true;
|
| + var attrs;
|
| + var isAttr;
|
| + try {
|
| + // If getting/indexing attributes throws, count that as corrupt.
|
| + attrs = element.attributes;
|
| + isAttr = attrs['is'];
|
| + corrupted = element._hasCorruptedAttributes;
|
| + } catch(e) {}
|
| + var elementText = 'element unprintable';
|
| + try {
|
| + elementText = element.toString();
|
| + } catch(e) {}
|
| + var elementTagName = 'element tag unavailable';
|
| + try {
|
| + elementTagName = element.tagName;
|
| + } catch(e) {}
|
| + _sanitizeElement(element, parent, corrupted, elementText, elementTagName,
|
| + attrs, isAttr);
|
| + }
|
|
|
| - // TODO(blois): Need to be able to get all attributes, irrespective of
|
| - // XMLNS.
|
| - var keys = attrs.keys.toList();
|
| - for (var i = attrs.length - 1; i >= 0; --i) {
|
| - var name = keys[i];
|
| - if (!validator.allowsAttribute(element, name.toLowerCase(),
|
| - attrs[name])) {
|
| - window.console.warn('Removing disallowed attribute '
|
| - '<${element.tagName} $name="${attrs[name]}">');
|
| - attrs.remove(name);
|
| - }
|
| - }
|
| + /// Having done basic sanity checking on the element, and computed the
|
| + /// important attributes we want to check, remove it if it's not valid
|
| + /// or not allowed, either as a whole or particular attributes.
|
| + void _sanitizeElement(Element element, Node parent, bool corrupted,
|
| + String text, String tag, Map attrs, String isAttr) {
|
| + if (true == corrupted) {
|
| + window.console.warn(
|
| + 'Removing element due to corrupted attributes on <$text>');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
| + if (!validator.allowsElement(element)) {
|
| + window.console.warn(
|
| + 'Removing disallowed element <$tag>');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
|
|
| - if (element is TemplateElement) {
|
| - TemplateElement template = element;
|
| - sanitizeTree(template.content);
|
| - }
|
| + if (isAttr != null) {
|
| + if (!validator.allowsAttribute(element, 'is', isAttr)) {
|
| + window.console.warn('Removing disallowed type extension '
|
| + '<$tag is="$isAttr">');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
| + }
|
| +
|
| + // TODO(blois): Need to be able to get all attributes, irrespective of
|
| + // XMLNS.
|
| + var keys = attrs.keys.toList();
|
| + for (var i = attrs.length - 1; i >= 0; --i) {
|
| + var name = keys[i];
|
| + if (!validator.allowsAttribute(element, name.toLowerCase(),
|
| + attrs[name])) {
|
| + window.console.warn('Removing disallowed attribute '
|
| + '<$tag $name="${attrs[name]}">');
|
| + attrs.remove(name);
|
| + }
|
| + }
|
| +
|
| + if (element is TemplateElement) {
|
| + TemplateElement template = element;
|
| + sanitizeTree(template.content);
|
| + }
|
| + }
|
| +
|
| + /// Sanitize the node and its children recursively.
|
| + void sanitizeNode(Node node, Node parent) {
|
| + switch (node.nodeType) {
|
| + case Node.ELEMENT_NODE:
|
| + _sanitizeUntrustedElement(node, parent);
|
| break;
|
| case Node.COMMENT_NODE:
|
| case Node.DOCUMENT_FRAGMENT_NODE:
|
|
|
Chromium Code Reviews
Issue 1146753004:
Sanitization should reject elements that we can't examine (e.g. embed/object on FF) (Closed)
Base URL: git@github.com:dart-lang/sdk.git@master