| Index: sdk/lib/html/dart2js/html_dart2js.dart
|
| diff --git a/sdk/lib/html/dart2js/html_dart2js.dart b/sdk/lib/html/dart2js/html_dart2js.dart
|
| index c96ee3c7f5ac75b1253aa6c901c549400b458323..c1381617830a05ab5e2857e87b7961ace59de527 100644
|
| --- a/sdk/lib/html/dart2js/html_dart2js.dart
|
| +++ b/sdk/lib/html/dart2js/html_dart2js.dart
|
| @@ -13264,7 +13264,7 @@ abstract class Element extends Node implements GlobalEventHandlers, ParentNode,
|
| *
|
| * Those attributes are: attributes, lastChild, children, previousNode and tagName.
|
| */
|
| - bool get _hasCorruptedAttributes {
|
| + static bool _hasCorruptedAttributes(Element element) {
|
| return JS('bool', r'''
|
| (function(element) {
|
| if (!(element.attributes instanceof NamedNodeMap)) {
|
| @@ -13282,7 +13282,7 @@ abstract class Element extends Node implements GlobalEventHandlers, ParentNode,
|
| }
|
| }
|
| return false;
|
| - })(#)''', this);
|
| + })(#)''', element);
|
| }
|
|
|
| @DomName('Element.offsetHeight')
|
| @@ -40785,60 +40785,99 @@ class _ValidatingTreeSanitizer implements NodeTreeSanitizer {
|
|
|
| /// Aggressively try to remove node.
|
| void _removeNode(Node node, Node parent) {
|
| - // If we have the parent, it's presumably already passed more sanitization or
|
| - // is the fragment, so ask it to remove the child. And if that fails try to
|
| - // set the outer html.
|
| + // If we have the parent, it's presumably already passed more sanitization
|
| + // or is the fragment, so ask it to remove the child. And if that fails
|
| + // try to set the outer html.
|
| if (parent == null) {
|
| node.remove();
|
| } else {
|
| parent._removeChild(node);
|
| }
|
| }
|
| -
|
| - void sanitizeNode(Node node, Node parent) {
|
| - switch (node.nodeType) {
|
| - case Node.ELEMENT_NODE:
|
| - Element element = node;
|
| - if (element._hasCorruptedAttributes) {
|
| - window.console.warn('Removing element due to corrupted attributes on <${element}>');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
| - var attrs = element.attributes;
|
| - if (!validator.allowsElement(element)) {
|
| - window.console.warn(
|
| - 'Removing disallowed element <${element.tagName}>');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
|
|
| - var isAttr = attrs['is'];
|
| - if (isAttr != null) {
|
| - if (!validator.allowsAttribute(element, 'is', isAttr)) {
|
| - window.console.warn('Removing disallowed type extension '
|
| - '<${element.tagName} is="$isAttr">');
|
| - _removeNode(node, parent);
|
| - break;
|
| - }
|
| - }
|
| + /// Sanitize the element, assuming we can't trust anything about it.
|
| + void _sanitizeUntrustedElement(Element element, Node parent) {
|
| + // If the _hasCorruptedAttributes does not successfully return false,
|
| + // then we consider it corrupted and remove.
|
| + // TODO(alanknight): This is a workaround because on Firefox
|
| + // embed/object
|
| + // tags typeof is "function", not "object". We don't recognize them, and
|
| + // can't call methods. This does mean that you can't explicitly allow an
|
| + // embed tag. The only thing that will let it through is a null
|
| + // sanitizer that doesn't traverse the tree at all. But sanitizing while
|
| + // allowing embeds seems quite unlikely.
|
| + var corrupted = true;
|
| + var attrs;
|
| + var isAttr;
|
| + try {
|
| + // If getting/indexing attributes throws, count that as corrupt.
|
| + attrs = element.attributes;
|
| + isAttr = attrs['is'];
|
| + corrupted = Element.hasCorruptedAttributes(element);
|
| + } catch(e) {}
|
| + var elementText = 'element unprintable';
|
| + try {
|
| + elementText = element.toString();
|
| + } catch(e) {}
|
| + var elementTagName = 'element tag unavailable';
|
| + try {
|
| + elementTagName = element.tagName;
|
| + } catch(e) {}
|
| + _sanitizeElement(element, parent, corrupted, elementText, elementTagName,
|
| + attrs, isAttr);
|
| + }
|
|
|
| - // TODO(blois): Need to be able to get all attributes, irrespective of
|
| - // XMLNS.
|
| - var keys = attrs.keys.toList();
|
| - for (var i = attrs.length - 1; i >= 0; --i) {
|
| - var name = keys[i];
|
| - if (!validator.allowsAttribute(element, name.toLowerCase(),
|
| - attrs[name])) {
|
| - window.console.warn('Removing disallowed attribute '
|
| - '<${element.tagName} $name="${attrs[name]}">');
|
| - attrs.remove(name);
|
| - }
|
| - }
|
| + /// Having done basic sanity checking on the element, and computed the
|
| + /// important attributes we want to check, remove it if it's not valid
|
| + /// or not allowed, either as a whole or particular attributes.
|
| + void _sanitizeElement(Element element, Node parent, bool corrupted,
|
| + String text, String tag, Map attrs, String isAttr) {
|
| + if (false != corrupted) {
|
| + window.console.warn(
|
| + 'Removing element due to corrupted attributes on <$text>');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
| + if (!validator.allowsElement(element)) {
|
| + window.console.warn(
|
| + 'Removing disallowed element <$tag>');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
|
|
| - if (element is TemplateElement) {
|
| - TemplateElement template = element;
|
| - sanitizeTree(template.content);
|
| - }
|
| + if (isAttr != null) {
|
| + if (!validator.allowsAttribute(element, 'is', isAttr)) {
|
| + window.console.warn('Removing disallowed type extension '
|
| + '<$tag is="$isAttr">');
|
| + _removeNode(element, parent);
|
| + return;
|
| + }
|
| + }
|
| +
|
| + // TODO(blois): Need to be able to get all attributes, irrespective of
|
| + // XMLNS.
|
| + var keys = attrs.keys.toList();
|
| + for (var i = attrs.length - 1; i >= 0; --i) {
|
| + var name = keys[i];
|
| + if (!validator.allowsAttribute(element, name.toLowerCase(),
|
| + attrs[name])) {
|
| + window.console.warn('Removing disallowed attribute '
|
| + '<$tag $name="${attrs[name]}">');
|
| + attrs.remove(name);
|
| + }
|
| + }
|
| +
|
| + if (element is TemplateElement) {
|
| + TemplateElement template = element;
|
| + sanitizeTree(template.content);
|
| + }
|
| + }
|
| +
|
| + /// Sanitize the node and its children recursively.
|
| + void sanitizeNode(Node node, Node parent) {
|
| + switch (node.nodeType) {
|
| + case Node.ELEMENT_NODE:
|
| + _sanitizeUntrustedElement(node, parent);
|
| break;
|
| case Node.COMMENT_NODE:
|
| case Node.DOCUMENT_FRAGMENT_NODE:
|
|
|
Chromium Code Reviews
Issue 1146753004:
Sanitization should reject elements that we can't examine (e.g. embed/object on FF) (Closed)
Base URL: git@github.com:dart-lang/sdk.git@master