authorMoonchild <moonchild@palemoon.org>2022-07-03 13:03:18 +0000
committerMoonchild <moonchild@palemoon.org>2022-07-03 15:37:58 +0000
commit2485e982f3743822dd249d8f36e3591d8c7d517b (patch)
treeba3f5bca1e2875328d3266b5c1d116fe82860a74
parentae9de9b8911551fe38e377b3797cd309050fe62f (diff)
downloaduxp-2485e982f3743822dd249d8f36e3591d8c7d517b.tar.gz
[DOM] use the sanitizer to restrict href in svg:use to fragment-only URLs
-rw-r--r--dom/base/nsTreeSanitizer.cpp18
-rw-r--r--dom/base/nsTreeSanitizer.h4
2 files changed, 18 insertions, 4 deletions
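diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index 39c2408b7c..970e4386b9 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1185,7 +1185,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 continue;
 }
 if (IsURL(aURLs, attrLocal)) {
-if (SanitizeURL(aElement, attrNs, attrLocal)) {
+bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1239,7 +1240,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 // else not allowed
 } else if (aAllowXLink && kNameSpaceID_XLink == attrNs) {
 if (nsGkAtoms::href == attrLocal) {
-if (SanitizeURL(aElement, attrNs, attrLocal)) {
+bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1273,7 +1275,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 bool
 nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 int32_t aNamespace,
-nsIAtom* aLocalName)
+nsIAtom* aLocalName,
+bool aFragmentOnly)
 {
 nsAutoString value;
 aElement->GetAttr(aNamespace, aLocalName, value);
@@ -1282,6 +1285,15 @@ nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 static const char* kWhitespace = "\n\r\t\b";
 const nsAString& v =
 nsContentUtils::TrimCharsInSet(kWhitespace, value);
+// Fragment-only url cannot be harmful.
+if (!v.IsEmpty() && v.First() == u'#') {
+return false;
+}
+// if we allow only same-document fragment URLs, stop and remove here
+if (aFragmentOnly) {
+aElement->UnsetAttr(aNamespace, aLocalName, false);
+return true;
+}
 nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
 uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;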
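Review bot: The comment `// Fragment-only url cannot be harmful.` above the new early return in SanitizeURL states a security assumption without its condition: a value beginning with `#` is only a same-document reference if it resolves against the sanitized document's own base, so the claim holds only if no attacker-supplied `<base>` survives sanitization (presumably it does not, but that is what the comment should say, since this return now also bypasses the security-manager check below for every element, not just svg:use). I would reword it to `// A bare fragment reference ("#id") resolves within the sanitized document itself (assumes no <base> element survives sanitization), so keep it without consulting the security manager; the aFragmentOnly check below relies on this test running first.`. Note that `kWhitespace` does not contain a plain space, so a value such as ` #id` fails the `#` test and under `aFragmentOnly` is removed — fail-closed and acceptable, but worth one word in the comment so it is not "fixed" later. The `bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);` line is duplicated in the two SanitizeAttributes hunks above; computing it once per element before the attribute loop would keep the two call sites from drifting. The remainder of SanitizeURL continues outside the hunk.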
diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
index b4a333f619..fe4917150f 100644
--- a/dom/base/nsTreeSanitizer.h
+++ b/dom/base/nsTreeSanitizer.h
@@ -143,11 +143,13 @@ class MOZ_STACK_CLASS nsTreeSanitizer {
* @param aElement the element whose attribute to possibly modify
* @param aNamespace the namespace of the URL attribute
* @param aLocalName the local name of the URL attribute
+ * @param aFragmentOnly allows same-document references only
* @return true if the attribute was removed and false otherwise
*/
bool SanitizeURL(mozilla::dom::Element* aElement,
int32_t aNamespace,
- nsIAtom* aLocalName);
+ nsIAtom* aLocalName,
+ bool aFragmentOnly = false);
/**
* Checks a style rule for the presence of the 'binding' CSS property and
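Review bot: The new parameter defaults to the permissive value (`bool aFragmentOnly = false`), so any future caller that omits it silently gets the full-URL path rather than the restricted one; the two call sites changed in this commit pass it explicitly, so if no other caller depends on the default, dropping it would make every call site state its intent. The @param line could also say what the flag does to the attribute rather than what it allows: `@param aFragmentOnly if true, the attribute is removed unless its value begins with '#'`. The enclosing class declaration continues outside the hunk.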