From 7e0d94a048cb7a73af5638f46bdb65794bcc4292 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Wed, 5 Oct 2022 17:42:46 -0500
Subject: [DOM:Base] Use the sanitizer to restrict href in svg:use to fragment-only URLs
---
 dom/base/nsTreeSanitizer.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'dom/base/nsTreeSanitizer.h')
diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
index b4a333f61..fe4917150 100644
--- a/dom/base/nsTreeSanitizer.h
+++ b/dom/base/nsTreeSanitizer.h
@@ -143,11 +143,13 @@ class MOZ_STACK_CLASS nsTreeSanitizer {
 * @param aElement the element whose attribute to possibly modify
 * @param aNamespace the namespace of the URL attribute
 * @param aLocalName the local name of the URL attribute
+ * @param aFragmentOnly allows same-document references only
 * @return true if the attribute was removed and false otherwise
 */
 bool SanitizeURL(mozilla::dom::Element* aElement,
 int32_t aNamespace,
- nsIAtom* aLocalName);
+ nsIAtom* aLocalName,
+ bool aFragmentOnly = false);

 /**
 * Checks a style rule for the presence of the 'binding' CSS property and
-- 
cgit v1.2.3
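Review bot: The added `@param aFragmentOnly` line in the SanitizeURL doc comment does not say what happens to a value that is not a fragment-only reference, nor that the default `false` leaves every existing caller's behaviour unchanged. Going by the commit subject and the existing `@return` text, the attribute is presumably removed in that case; if so, I would word it as `@param aFragmentOnly if true, remove the attribute unless its value is a fragment-only (same-document) reference; defaults to false, which leaves the existing checks unchanged`. Because the restriction is opt-in, it is only enforced where a caller passes `true`; those call sites are outside this file-limited view, so it is worth confirming that every svg:use href attribute form the sanitizer accepts is routed through the restricted path. The class body starts and ends outside the hunk.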