author | Matt A. Tobin <email@mattatobin.com> | 2022-10-06 12:07:40 -0500 |
---|---|---|
committer | Matt A. Tobin <email@mattatobin.com> | 2022-10-06 12:07:40 -0500 |
commit | 6cdd0210fb14e8a1ed256e934f05f758afc4a6ab (patch) | |
tree | ae810fb774a340b2a3d4a0f8b6b9a68e6423e596 /dom/base/nsTreeSanitizer.cpp | |
parent | e4ed223f80260aa735a77bc4cfff25b76f3e7a94 (diff) | |
parent | 14f8e3e2e95e86a995627add57bf71de7c7edcaa (diff) | |
download | aura-central-6cdd0210fb14e8a1ed256e934f05f758afc4a6ab.tar.gz |
Diffstat (limited to 'dom/base/nsTreeSanitizer.cpp')
-rw-r--r-- | dom/base/nsTreeSanitizer.cpp | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index 39c2408b7..970e4386b 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1185,7 +1185,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 continue;
 }
 if (IsURL(aURLs, attrLocal)) {
- if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+ if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1239,7 +1240,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 // else not allowed
 } else if (aAllowXLink && kNameSpaceID_XLink == attrNs) {
 if (nsGkAtoms::href == attrLocal) {
- if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+ if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1273,7 +1275,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 bool
 nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 int32_t aNamespace,
- nsIAtom* aLocalName)
+ nsIAtom* aLocalName,
+ bool aFragmentOnly)
 {
 nsAutoString value;
 aElement->GetAttr(aNamespace, aLocalName, value);
@@ -1282,6 +1285,15 @@ nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 static const char* kWhitespace = "\n\r\t\b";
 const nsAString& v = nsContentUtils::TrimCharsInSet(kWhitespace, value);
+ // Fragment-only url cannot be harmful.
+ if (!v.IsEmpty() && v.First() == u'#') {
+ return false;
+ }
+ // if we allow only same-document fragment URLs, stop and remove here
+ if (aFragmentOnly) {
+ aElement->UnsetAttr(aNamespace, aLocalName, false);
+ return true;
+ }
 nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
 uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL; |
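Review bot: `bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);` is recomputed inside the attribute walk for every URL attribute, and the same line is duplicated in the XLink `href` branch of the second hunk. The element does not change while its attributes are processed, so it could be computed once ahead of the loop as `const bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);`. A comment such as `// <use> may only reference the same document; any value not starting with '#' is removed` would then state the restriction in one place. SanitizeAttributes starts and ends outside both hunks, so the loop header is not visible here.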
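Review bot: The new `aFragmentOnly` parameter is undocumented, and a bare `bool` argument says little at the call sites. A comment ahead of the definition would help, for example `// aFragmentOnly: keep the attribute only if its value starts with '#'; otherwise remove it` together with `// Returns true if the attribute was removed.`, which is the contract the callers' "start the loop again" handling relies on. The matching declaration is not part of this view (the diffstat is limited to this file), so confirm that it and any other callers of SanitizeURL were updated in the same commit.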
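Review bot: The `#` short-circuit sits ahead of the `aFragmentOnly` test, so it applies to every URL attribute passed to this function, not only to `<use>`, and such values no longer reach the security-manager check that follows. The comment `// Fragment-only url cannot be harmful.` should name the assumption it rests on, for example `// A value starting with '#' is treated as a same-document reference and skips the load check below.`. It is worth confirming that a base URI differing from the document URI cannot turn such a value into a cross-document reference in this tree. Also, `kWhitespace` does not include U+0020, so a value with a leading space is not recognised as fragment-only; for `<use>` that fails closed because the attribute is removed, and a one-line comment should say this is intended. SanitizeURL's body continues past the end of the hunk.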