diff options
Diffstat (limited to 'dom/base/nsTreeSanitizer.h')
-rw-r--r-- | dom/base/nsTreeSanitizer.h | 227 |
1 files changed, 227 insertions, 0 deletions
diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h new file mode 100644 index 0000000000..b8700d775f --- /dev/null +++ b/dom/base/nsTreeSanitizer.h @@ -0,0 +1,227 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsTreeSanitizer_h_ +#define nsTreeSanitizer_h_ + +#include "mozilla/css/StyleRule.h" +#include "nsIPrincipal.h" +#include "mozilla/dom/Element.h" + +class nsIContent; + +/** + * See the documentation of nsIParserUtils::sanitize for documentation + * about the default behavior and the configuration options of this sanitizer. + */ +class MOZ_STACK_CLASS nsTreeSanitizer { + + public: + + /** + * The constructor. + * + * @param aFlags Flags from nsIParserUtils + */ + explicit nsTreeSanitizer(uint32_t aFlags = 0); + + static void InitializeStatics(); + static void ReleaseStatics(); + + /** + * Sanitizes a disconnected DOM fragment freshly obtained from a parser. + * The argument must be of type nsINode::eDOCUMENT_FRAGMENT and, + * consequently, must not be in the document. Furthermore, the fragment + * must have just come from a parser so that it can't have mutation + * event listeners set on it. + */ + void Sanitize(nsIContent* aFragment); + + /** + * Sanitizes a disconnected (not in a docshell) document freshly obtained + * from a parser. The document must not be embedded in a docshell and must + * not have had a chance to get mutation event listeners attached to it. + * The root element must be <html>. + */ + void Sanitize(nsIDocument* aDocument); + + private: + + /** + * Whether <style> and style="" are allowed. + */ + bool mAllowStyles; + + /** + * Whether comment nodes are allowed. + */ + bool mAllowComments; + + /** + * Whether HTML <font>, <center>, bgcolor="", etc., are dropped. + */ + bool mDropNonCSSPresentation; + + /** + * Whether to remove forms and form controls (excluding fieldset/legend). + */ + bool mDropForms; + + /** + * Whether only cid: embeds are allowed. + */ + bool mCidEmbedsOnly; + + /** + * Whether to drop <img>, <video>, <audio> and <svg>. + */ + bool mDropMedia; + + /** + * Whether we are sanitizing a full document (as opposed to a fragment). + */ + bool mFullDocument; + + void SanitizeChildren(nsINode* aRoot); + + /** + * Queries if an element must be replaced with its children. + * @param aNamespace the namespace of the element the question is about + * @param aLocal the local name of the element the question is about + * @return true if the element must be replaced with its children and + * false if the element is to be kept + */ + bool MustFlatten(int32_t aNamespace, nsIAtom* aLocal); + + /** + * Queries if an element including its children must be removed. + * @param aNamespace the namespace of the element the question is about + * @param aLocal the local name of the element the question is about + * @param aElement the element node itself for inspecting attributes + * @return true if the element and its children must be removed and + * false if the element is to be kept + */ + bool MustPrune(int32_t aNamespace, + nsIAtom* aLocal, + mozilla::dom::Element* aElement); + + /** + * Checks if a given local name (for an attribute) is on the given list + * of URL attribute names. + * @param aURLs the list of URL attribute names + * @param aLocalName the name to search on the list + * @return true if aLocalName is on the aURLs list and false otherwise + */ + bool IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName); + + /** + * Removes dangerous attributes from the element. If the style attribute + * is allowed, its value is sanitized. The values of URL attributes are + * sanitized, except src isn't sanitized when it is allowed to remain + * potentially dangerous. + * + * @param aElement the element whose attributes should be sanitized + * @param aAllowed the whitelist of permitted local names to use + * @param aURLs the local names of URL-valued attributes + * @param aAllowXLink whether XLink attributes are allowed + * @param aAllowStyle whether the style attribute is allowed + * @param aAllowDangerousSrc whether to leave the value of the src + * attribute unsanitized + */ + void SanitizeAttributes(mozilla::dom::Element* aElement, + nsTHashtable<nsISupportsHashKey>* aAllowed, + nsIAtom*** aURLs, + bool aAllowXLink, + bool aAllowStyle, + bool aAllowDangerousSrc); + + /** + * Remove the named URL attribute from the element if the URL fails a + * security check. + * + * @param aElement the element whose attribute to possibly modify + * @param aNamespace the namespace of the URL attribute + * @param aLocalName the local name of the URL attribute + * @return true if the attribute was removed and false otherwise + */ + bool SanitizeURL(mozilla::dom::Element* aElement, + int32_t aNamespace, + nsIAtom* aLocalName); + + /** + * Checks a style rule for the presence of the 'binding' CSS property and + * removes that property from the rule and reserializes in case the + * property was found. + * + * @param aDeclaration The style declaration to check + * @param aRuleText the serialized mutated rule if the method returns true + * @return true if the rule was modified and false otherwise + */ + bool SanitizeStyleDeclaration(mozilla::css::Declaration* aDeclaration, + nsAutoString& aRuleText); + + /** + * Parses a style sheet and reserializes it with the 'binding' property + * removed if it was present. + * + * @param aOrigin the original style sheet source + * @param aSanitized the reserialization without 'binding'; only valid if + * this method return true + * @param aDocument the document the style sheet belongs to + * @param aBaseURI the base URI to use + * @return true if the 'binding' property was encountered and false + * otherwise + */ + bool SanitizeStyleSheet(const nsAString& aOriginal, + nsAString& aSanitized, + nsIDocument* aDocument, + nsIURI* aBaseURI); + + /** + * Removes all attributes from an element node. + */ + void RemoveAllAttributes(nsIContent* aElement); + + /** + * The whitelist of HTML elements. + */ + static nsTHashtable<nsISupportsHashKey>* sElementsHTML; + + /** + * The whitelist of non-presentational HTML attributes. + */ + static nsTHashtable<nsISupportsHashKey>* sAttributesHTML; + + /** + * The whitelist of presentational HTML attributes. + */ + static nsTHashtable<nsISupportsHashKey>* sPresAttributesHTML; + + /** + * The whitelist of SVG elements. + */ + static nsTHashtable<nsISupportsHashKey>* sElementsSVG; + + /** + * The whitelist of SVG attributes. + */ + static nsTHashtable<nsISupportsHashKey>* sAttributesSVG; + + /** + * The whitelist of SVG elements. + */ + static nsTHashtable<nsISupportsHashKey>* sElementsMathML; + + /** + * The whitelist of MathML attributes. + */ + static nsTHashtable<nsISupportsHashKey>* sAttributesMathML; + + /** + * Reusable null principal for URL checks. + */ + static nsIPrincipal* sNullPrincipal; +}; + +#endif // nsTreeSanitizer_h_ |