summaryrefslogtreecommitdiff
path: root/dom/base/nsTreeSanitizer.cpp
diff options
context:
space:
mode:
authorPale Moon <git-repo@palemoon.org>2016-09-01 13:39:08 +0200
committerPale Moon <git-repo@palemoon.org>2016-09-01 13:39:08 +0200
commit3d8ce1a11a7347cc94a937719c4bc8df46fb8d14 (patch)
tree8c26ca375a6312751c00a27e1653fb6f189f0463 /dom/base/nsTreeSanitizer.cpp
parente449bdb1ec3a82f204bffdd9c3c54069d086eee3 (diff)
downloadpalemoon-gre-3d8ce1a11a7347cc94a937719c4bc8df46fb8d14.tar.gz
Base import of Tycho code (warning: huge commit)
Diffstat (limited to 'dom/base/nsTreeSanitizer.cpp')
-rw-r--r--dom/base/nsTreeSanitizer.cpp1564
1 files changed, 1564 insertions, 0 deletions
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
new file mode 100644
index 000000000..737bc46ff
--- /dev/null
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -0,0 +1,1564 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set sw=2 ts=2 et tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsTreeSanitizer.h"
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/CSSStyleSheet.h"
+#include "mozilla/css/Declaration.h"
+#include "mozilla/css/StyleRule.h"
+#include "mozilla/css/Rule.h"
+#include "nsCSSParser.h"
+#include "nsCSSProperty.h"
+#include "nsUnicharInputStream.h"
+#include "nsIDOMCSSRule.h"
+#include "nsAttrName.h"
+#include "nsIScriptSecurityManager.h"
+#include "nsNetUtil.h"
+#include "nsComponentManagerUtils.h"
+#include "nsNullPrincipal.h"
+#include "nsContentUtils.h"
+#include "nsIParserUtils.h"
+#include "nsIDocument.h"
+
+using namespace mozilla;
+
+//
+// Thanks to Mark Pilgrim and Sam Ruby for the initial whitelist
+//
+nsIAtom** const kElementsHTML[] = {
+ &nsGkAtoms::a,
+ &nsGkAtoms::abbr,
+ &nsGkAtoms::acronym,
+ &nsGkAtoms::address,
+ &nsGkAtoms::area,
+ &nsGkAtoms::article,
+ &nsGkAtoms::aside,
+ &nsGkAtoms::audio,
+ &nsGkAtoms::b,
+ &nsGkAtoms::bdi,
+ &nsGkAtoms::bdo,
+ &nsGkAtoms::big,
+ &nsGkAtoms::blockquote,
+ // body checked specially
+ &nsGkAtoms::br,
+ &nsGkAtoms::button,
+ &nsGkAtoms::canvas,
+ &nsGkAtoms::caption,
+ &nsGkAtoms::center,
+ &nsGkAtoms::cite,
+ &nsGkAtoms::code,
+ &nsGkAtoms::col,
+ &nsGkAtoms::colgroup,
+ &nsGkAtoms::datalist,
+ &nsGkAtoms::dd,
+ &nsGkAtoms::del,
+ &nsGkAtoms::details,
+ &nsGkAtoms::dfn,
+ &nsGkAtoms::dir,
+ &nsGkAtoms::div,
+ &nsGkAtoms::dl,
+ &nsGkAtoms::dt,
+ &nsGkAtoms::em,
+ &nsGkAtoms::fieldset,
+ &nsGkAtoms::figcaption,
+ &nsGkAtoms::figure,
+ &nsGkAtoms::font,
+ &nsGkAtoms::footer,
+ &nsGkAtoms::form,
+ &nsGkAtoms::h1,
+ &nsGkAtoms::h2,
+ &nsGkAtoms::h3,
+ &nsGkAtoms::h4,
+ &nsGkAtoms::h5,
+ &nsGkAtoms::h6,
+ // head checked specially
+ &nsGkAtoms::header,
+ &nsGkAtoms::hgroup,
+ &nsGkAtoms::hr,
+ // html checked specially
+ &nsGkAtoms::i,
+ &nsGkAtoms::img,
+ &nsGkAtoms::input,
+ &nsGkAtoms::ins,
+ &nsGkAtoms::kbd,
+ &nsGkAtoms::label,
+ &nsGkAtoms::legend,
+ &nsGkAtoms::li,
+ &nsGkAtoms::link,
+ &nsGkAtoms::listing,
+ &nsGkAtoms::map,
+ &nsGkAtoms::mark,
+ &nsGkAtoms::menu,
+ &nsGkAtoms::meta,
+ &nsGkAtoms::meter,
+ &nsGkAtoms::nav,
+ &nsGkAtoms::nobr,
+ &nsGkAtoms::noscript,
+ &nsGkAtoms::ol,
+ &nsGkAtoms::optgroup,
+ &nsGkAtoms::option,
+ &nsGkAtoms::output,
+ &nsGkAtoms::p,
+ &nsGkAtoms::pre,
+ &nsGkAtoms::progress,
+ &nsGkAtoms::q,
+ &nsGkAtoms::rp,
+ &nsGkAtoms::rt,
+ &nsGkAtoms::ruby,
+ &nsGkAtoms::s,
+ &nsGkAtoms::samp,
+ &nsGkAtoms::section,
+ &nsGkAtoms::select,
+ &nsGkAtoms::small,
+ &nsGkAtoms::source,
+ &nsGkAtoms::span,
+ &nsGkAtoms::strike,
+ &nsGkAtoms::strong,
+ &nsGkAtoms::sub,
+ &nsGkAtoms::summary,
+ &nsGkAtoms::sup,
+ // style checked specially
+ &nsGkAtoms::table,
+ &nsGkAtoms::tbody,
+ &nsGkAtoms::td,
+ &nsGkAtoms::textarea,
+ &nsGkAtoms::tfoot,
+ &nsGkAtoms::th,
+ &nsGkAtoms::thead,
+ &nsGkAtoms::time,
+ // title checked specially
+ &nsGkAtoms::tr,
+ &nsGkAtoms::track,
+ &nsGkAtoms::tt,
+ &nsGkAtoms::u,
+ &nsGkAtoms::ul,
+ &nsGkAtoms::var,
+ &nsGkAtoms::video,
+ &nsGkAtoms::wbr,
+ nullptr
+};
+
+nsIAtom** const kAttributesHTML[] = {
+ &nsGkAtoms::abbr,
+ &nsGkAtoms::accept,
+ &nsGkAtoms::acceptcharset,
+ &nsGkAtoms::accesskey,
+ &nsGkAtoms::action,
+ &nsGkAtoms::alt,
+ &nsGkAtoms::autocomplete,
+ &nsGkAtoms::autofocus,
+ &nsGkAtoms::autoplay,
+ &nsGkAtoms::axis,
+ &nsGkAtoms::_char,
+ &nsGkAtoms::charoff,
+ &nsGkAtoms::charset,
+ &nsGkAtoms::checked,
+ &nsGkAtoms::cite,
+ &nsGkAtoms::_class,
+ &nsGkAtoms::cols,
+ &nsGkAtoms::colspan,
+ &nsGkAtoms::content,
+ &nsGkAtoms::contenteditable,
+ &nsGkAtoms::contextmenu,
+ &nsGkAtoms::controls,
+ &nsGkAtoms::coords,
+ &nsGkAtoms::datetime,
+ &nsGkAtoms::dir,
+ &nsGkAtoms::disabled,
+ &nsGkAtoms::draggable,
+ &nsGkAtoms::enctype,
+ &nsGkAtoms::face,
+ &nsGkAtoms::_for,
+ &nsGkAtoms::frame,
+ &nsGkAtoms::headers,
+ &nsGkAtoms::height,
+ &nsGkAtoms::hidden,
+ &nsGkAtoms::high,
+ &nsGkAtoms::href,
+ &nsGkAtoms::hreflang,
+ &nsGkAtoms::icon,
+ &nsGkAtoms::id,
+ &nsGkAtoms::ismap,
+ &nsGkAtoms::itemid,
+ &nsGkAtoms::itemprop,
+ &nsGkAtoms::itemref,
+ &nsGkAtoms::itemscope,
+ &nsGkAtoms::itemtype,
+ &nsGkAtoms::kind,
+ &nsGkAtoms::label,
+ &nsGkAtoms::lang,
+ &nsGkAtoms::list,
+ &nsGkAtoms::longdesc,
+ &nsGkAtoms::loop,
+ &nsGkAtoms::low,
+ &nsGkAtoms::max,
+ &nsGkAtoms::maxlength,
+ &nsGkAtoms::media,
+ &nsGkAtoms::method,
+ &nsGkAtoms::min,
+ &nsGkAtoms::mozdonotsend,
+ &nsGkAtoms::multiple,
+ &nsGkAtoms::muted,
+ &nsGkAtoms::name,
+ &nsGkAtoms::nohref,
+ &nsGkAtoms::novalidate,
+ &nsGkAtoms::nowrap,
+ &nsGkAtoms::open,
+ &nsGkAtoms::optimum,
+ &nsGkAtoms::pattern,
+ &nsGkAtoms::placeholder,
+ &nsGkAtoms::playbackrate,
+ &nsGkAtoms::poster,
+ &nsGkAtoms::preload,
+ &nsGkAtoms::prompt,
+ &nsGkAtoms::pubdate,
+ &nsGkAtoms::radiogroup,
+ &nsGkAtoms::readonly,
+ &nsGkAtoms::rel,
+ &nsGkAtoms::required,
+ &nsGkAtoms::rev,
+ &nsGkAtoms::reversed,
+ &nsGkAtoms::role,
+ &nsGkAtoms::rows,
+ &nsGkAtoms::rowspan,
+ &nsGkAtoms::rules,
+ &nsGkAtoms::scoped,
+ &nsGkAtoms::scope,
+ &nsGkAtoms::selected,
+ &nsGkAtoms::shape,
+ &nsGkAtoms::span,
+ &nsGkAtoms::spellcheck,
+ &nsGkAtoms::src,
+ &nsGkAtoms::srclang,
+ &nsGkAtoms::start,
+ &nsGkAtoms::summary,
+ &nsGkAtoms::tabindex,
+ &nsGkAtoms::target,
+ &nsGkAtoms::title,
+ &nsGkAtoms::type,
+ &nsGkAtoms::usemap,
+ &nsGkAtoms::value,
+ &nsGkAtoms::width,
+ &nsGkAtoms::wrap,
+ nullptr
+};
+
+nsIAtom** const kPresAttributesHTML[] = {
+ &nsGkAtoms::align,
+ &nsGkAtoms::background,
+ &nsGkAtoms::bgcolor,
+ &nsGkAtoms::border,
+ &nsGkAtoms::cellpadding,
+ &nsGkAtoms::cellspacing,
+ &nsGkAtoms::color,
+ &nsGkAtoms::compact,
+ &nsGkAtoms::clear,
+ &nsGkAtoms::hspace,
+ &nsGkAtoms::noshade,
+ &nsGkAtoms::pointSize,
+ &nsGkAtoms::size,
+ &nsGkAtoms::valign,
+ &nsGkAtoms::vspace,
+ nullptr
+};
+
+nsIAtom** const kURLAttributesHTML[] = {
+ &nsGkAtoms::action,
+ &nsGkAtoms::href,
+ &nsGkAtoms::src,
+ &nsGkAtoms::longdesc,
+ &nsGkAtoms::cite,
+ &nsGkAtoms::background,
+ nullptr
+};
+
+nsIAtom** const kElementsSVG[] = {
+ &nsGkAtoms::a, // a
+ &nsGkAtoms::altGlyph, // altGlyph
+ &nsGkAtoms::altGlyphDef, // altGlyphDef
+ &nsGkAtoms::altGlyphItem, // altGlyphItem
+ &nsGkAtoms::animate, // animate
+ &nsGkAtoms::animateColor, // animateColor
+ &nsGkAtoms::animateMotion, // animateMotion
+ &nsGkAtoms::animateTransform, // animateTransform
+ &nsGkAtoms::circle, // circle
+ &nsGkAtoms::clipPath, // clipPath
+ &nsGkAtoms::colorProfile, // color-profile
+ &nsGkAtoms::cursor, // cursor
+ &nsGkAtoms::defs, // defs
+ &nsGkAtoms::desc, // desc
+ &nsGkAtoms::ellipse, // ellipse
+ &nsGkAtoms::elevation, // elevation
+ &nsGkAtoms::erode, // erode
+ &nsGkAtoms::ex, // ex
+ &nsGkAtoms::exact, // exact
+ &nsGkAtoms::exponent, // exponent
+ &nsGkAtoms::feBlend, // feBlend
+ &nsGkAtoms::feColorMatrix, // feColorMatrix
+ &nsGkAtoms::feComponentTransfer, // feComponentTransfer
+ &nsGkAtoms::feComposite, // feComposite
+ &nsGkAtoms::feConvolveMatrix, // feConvolveMatrix
+ &nsGkAtoms::feDiffuseLighting, // feDiffuseLighting
+ &nsGkAtoms::feDisplacementMap, // feDisplacementMap
+ &nsGkAtoms::feDistantLight, // feDistantLight
+ &nsGkAtoms::feDropShadow, // feDropShadow
+ &nsGkAtoms::feFlood, // feFlood
+ &nsGkAtoms::feFuncA, // feFuncA
+ &nsGkAtoms::feFuncB, // feFuncB
+ &nsGkAtoms::feFuncG, // feFuncG
+ &nsGkAtoms::feFuncR, // feFuncR
+ &nsGkAtoms::feGaussianBlur, // feGaussianBlur
+ &nsGkAtoms::feImage, // feImage
+ &nsGkAtoms::feMerge, // feMerge
+ &nsGkAtoms::feMergeNode, // feMergeNode
+ &nsGkAtoms::feMorphology, // feMorphology
+ &nsGkAtoms::feOffset, // feOffset
+ &nsGkAtoms::fePointLight, // fePointLight
+ &nsGkAtoms::feSpecularLighting, // feSpecularLighting
+ &nsGkAtoms::feSpotLight, // feSpotLight
+ &nsGkAtoms::feTile, // feTile
+ &nsGkAtoms::feTurbulence, // feTurbulence
+ &nsGkAtoms::filter, // filter
+ &nsGkAtoms::font, // font
+ &nsGkAtoms::font_face, // font-face
+ &nsGkAtoms::font_face_format, // font-face-format
+ &nsGkAtoms::font_face_name, // font-face-name
+ &nsGkAtoms::font_face_src, // font-face-src
+ &nsGkAtoms::font_face_uri, // font-face-uri
+ &nsGkAtoms::foreignObject, // foreignObject
+ &nsGkAtoms::g, // g
+ &nsGkAtoms::glyph, // glyph
+ &nsGkAtoms::glyphRef, // glyphRef
+ &nsGkAtoms::hkern, // hkern
+ &nsGkAtoms::image, // image
+ &nsGkAtoms::line, // line
+ &nsGkAtoms::linearGradient, // linearGradient
+ &nsGkAtoms::marker, // marker
+ &nsGkAtoms::mask, // mask
+ &nsGkAtoms::metadata, // metadata
+ &nsGkAtoms::missingGlyph, // missingGlyph
+ &nsGkAtoms::mpath, // mpath
+ &nsGkAtoms::path, // path
+ &nsGkAtoms::pattern, // pattern
+ &nsGkAtoms::polygon, // polygon
+ &nsGkAtoms::polyline, // polyline
+ &nsGkAtoms::radialGradient, // radialGradient
+ &nsGkAtoms::rect, // rect
+ &nsGkAtoms::set, // set
+ &nsGkAtoms::stop, // stop
+ &nsGkAtoms::svg, // svg
+ &nsGkAtoms::svgSwitch, // switch
+ &nsGkAtoms::symbol, // symbol
+ &nsGkAtoms::text, // text
+ &nsGkAtoms::textPath, // textPath
+ &nsGkAtoms::title, // title
+ &nsGkAtoms::tref, // tref
+ &nsGkAtoms::tspan, // tspan
+ &nsGkAtoms::use, // use
+ &nsGkAtoms::view, // view
+ &nsGkAtoms::vkern, // vkern
+ nullptr
+};
+
+nsIAtom** const kAttributesSVG[] = {
+ // accent-height
+ &nsGkAtoms::accumulate, // accumulate
+ &nsGkAtoms::additive, // additive
+ &nsGkAtoms::alignment_baseline, // alignment-baseline
+ // alphabetic
+ &nsGkAtoms::amplitude, // amplitude
+ // arabic-form
+ // ascent
+ &nsGkAtoms::attributeName, // attributeName
+ &nsGkAtoms::attributeType, // attributeType
+ &nsGkAtoms::azimuth, // azimuth
+ &nsGkAtoms::baseFrequency, // baseFrequency
+ &nsGkAtoms::baseline_shift, // baseline-shift
+ // baseProfile
+ // bbox
+ &nsGkAtoms::begin, // begin
+ &nsGkAtoms::bias, // bias
+ &nsGkAtoms::by, // by
+ &nsGkAtoms::calcMode, // calcMode
+ // cap-height
+ &nsGkAtoms::_class, // class
+ &nsGkAtoms::clip_path, // clip-path
+ &nsGkAtoms::clip_rule, // clip-rule
+ &nsGkAtoms::clipPathUnits, // clipPathUnits
+ &nsGkAtoms::color, // color
+ &nsGkAtoms::colorInterpolation, // color-interpolation
+ &nsGkAtoms::colorInterpolationFilters, // color-interpolation-filters
+ &nsGkAtoms::cursor, // cursor
+ &nsGkAtoms::cx, // cx
+ &nsGkAtoms::cy, // cy
+ &nsGkAtoms::d, // d
+ // descent
+ &nsGkAtoms::diffuseConstant, // diffuseConstant
+ &nsGkAtoms::direction, // direction
+ &nsGkAtoms::display, // display
+ &nsGkAtoms::divisor, // divisor
+ &nsGkAtoms::dominant_baseline, // dominant-baseline
+ &nsGkAtoms::dur, // dur
+ &nsGkAtoms::dx, // dx
+ &nsGkAtoms::dy, // dy
+ &nsGkAtoms::edgeMode, // edgeMode
+ &nsGkAtoms::elevation, // elevation
+ // enable-background
+ &nsGkAtoms::end, // end
+ &nsGkAtoms::fill, // fill
+ &nsGkAtoms::fill_opacity, // fill-opacity
+ &nsGkAtoms::fill_rule, // fill-rule
+ &nsGkAtoms::filter, // filter
+ &nsGkAtoms::filterUnits, // filterUnits
+ &nsGkAtoms::flood_color, // flood-color
+ &nsGkAtoms::flood_opacity, // flood-opacity
+ // XXX focusable
+ &nsGkAtoms::font, // font
+ &nsGkAtoms::font_family, // font-family
+ &nsGkAtoms::font_size, // font-size
+ &nsGkAtoms::font_size_adjust, // font-size-adjust
+ &nsGkAtoms::font_stretch, // font-stretch
+ &nsGkAtoms::font_style, // font-style
+ &nsGkAtoms::font_variant, // font-variant
+ &nsGkAtoms::fontWeight, // font-weight
+ &nsGkAtoms::format, // format
+ &nsGkAtoms::from, // from
+ &nsGkAtoms::fx, // fx
+ &nsGkAtoms::fy, // fy
+ // g1
+ // g2
+ // glyph-name
+ // glyphRef
+ &nsGkAtoms::glyph_orientation_horizontal, // glyph-orientation-horizontal
+ &nsGkAtoms::glyph_orientation_vertical, // glyph-orientation-vertical
+ &nsGkAtoms::gradientTransform, // gradientTransform
+ &nsGkAtoms::gradientUnits, // gradientUnits
+ &nsGkAtoms::height, // height
+ // horiz-adv-x
+ // horiz-origin-x
+ // horiz-origin-y
+ &nsGkAtoms::id, // id
+ // ideographic
+ &nsGkAtoms::image_rendering, // image-rendering
+ &nsGkAtoms::in, // in
+ &nsGkAtoms::in2, // in2
+ &nsGkAtoms::intercept, // intercept
+ // k
+ &nsGkAtoms::k1, // k1
+ &nsGkAtoms::k2, // k2
+ &nsGkAtoms::k3, // k3
+ &nsGkAtoms::k4, // k4
+ &nsGkAtoms::kerning, // kerning
+ &nsGkAtoms::kernelMatrix, // kernelMatrix
+ &nsGkAtoms::kernelUnitLength, // kernelUnitLength
+ &nsGkAtoms::keyPoints, // keyPoints
+ &nsGkAtoms::keySplines, // keySplines
+ &nsGkAtoms::keyTimes, // keyTimes
+ &nsGkAtoms::lang, // lang
+ // lengthAdjust
+ &nsGkAtoms::letter_spacing, // letter-spacing
+ &nsGkAtoms::lighting_color, // lighting-color
+ &nsGkAtoms::limitingConeAngle, // limitingConeAngle
+ // local
+ &nsGkAtoms::marker, // marker
+ &nsGkAtoms::marker_end, // marker-end
+ &nsGkAtoms::marker_mid, // marker-mid
+ &nsGkAtoms::marker_start, // marker-start
+ &nsGkAtoms::markerHeight, // markerHeight
+ &nsGkAtoms::markerUnits, // markerUnits
+ &nsGkAtoms::markerWidth, // markerWidth
+ &nsGkAtoms::mask, // mask
+ &nsGkAtoms::maskContentUnits, // maskContentUnits
+ &nsGkAtoms::maskUnits, // maskUnits
+ // mathematical
+ &nsGkAtoms::max, // max
+ &nsGkAtoms::media, // media
+ &nsGkAtoms::method, // method
+ &nsGkAtoms::min, // min
+ &nsGkAtoms::mode, // mode
+ &nsGkAtoms::name, // name
+ &nsGkAtoms::numOctaves, // numOctaves
+ &nsGkAtoms::offset, // offset
+ &nsGkAtoms::opacity, // opacity
+ &nsGkAtoms::_operator, // operator
+ &nsGkAtoms::order, // order
+ &nsGkAtoms::orient, // orient
+ &nsGkAtoms::orientation, // orientation
+ // origin
+ // overline-position
+ // overline-thickness
+ &nsGkAtoms::overflow, // overflow
+ // panose-1
+ &nsGkAtoms::path, // path
+ &nsGkAtoms::pathLength, // pathLength
+ &nsGkAtoms::patternContentUnits, // patternContentUnits
+ &nsGkAtoms::patternTransform, // patternTransform
+ &nsGkAtoms::patternUnits, // patternUnits
+ &nsGkAtoms::pointer_events, // pointer-events XXX is this safe?
+ &nsGkAtoms::points, // points
+ &nsGkAtoms::pointsAtX, // pointsAtX
+ &nsGkAtoms::pointsAtY, // pointsAtY
+ &nsGkAtoms::pointsAtZ, // pointsAtZ
+ &nsGkAtoms::preserveAlpha, // preserveAlpha
+ &nsGkAtoms::preserveAspectRatio, // preserveAspectRatio
+ &nsGkAtoms::primitiveUnits, // primitiveUnits
+ &nsGkAtoms::r, // r
+ &nsGkAtoms::radius, // radius
+ &nsGkAtoms::refX, // refX
+ &nsGkAtoms::refY, // refY
+ &nsGkAtoms::repeatCount, // repeatCount
+ &nsGkAtoms::repeatDur, // repeatDur
+ &nsGkAtoms::requiredExtensions, // requiredExtensions
+ &nsGkAtoms::requiredFeatures, // requiredFeatures
+ &nsGkAtoms::restart, // restart
+ &nsGkAtoms::result, // result
+ &nsGkAtoms::rotate, // rotate
+ &nsGkAtoms::rx, // rx
+ &nsGkAtoms::ry, // ry
+ &nsGkAtoms::scale, // scale
+ &nsGkAtoms::seed, // seed
+ &nsGkAtoms::shape_rendering, // shape-rendering
+ &nsGkAtoms::slope, // slope
+ &nsGkAtoms::spacing, // spacing
+ &nsGkAtoms::specularConstant, // specularConstant
+ &nsGkAtoms::specularExponent, // specularExponent
+ &nsGkAtoms::spreadMethod, // spreadMethod
+ &nsGkAtoms::startOffset, // startOffset
+ &nsGkAtoms::stdDeviation, // stdDeviation
+ // stemh
+ // stemv
+ &nsGkAtoms::stitchTiles, // stitchTiles
+ &nsGkAtoms::stop_color, // stop-color
+ &nsGkAtoms::stop_opacity, // stop-opacity
+ // strikethrough-position
+ // strikethrough-thickness
+ &nsGkAtoms::string, // string
+ &nsGkAtoms::stroke, // stroke
+ &nsGkAtoms::stroke_dasharray, // stroke-dasharray
+ &nsGkAtoms::stroke_dashoffset, // stroke-dashoffset
+ &nsGkAtoms::stroke_linecap, // stroke-linecap
+ &nsGkAtoms::stroke_linejoin, // stroke-linejoin
+ &nsGkAtoms::stroke_miterlimit, // stroke-miterlimit
+ &nsGkAtoms::stroke_opacity, // stroke-opacity
+ &nsGkAtoms::stroke_width, // stroke-width
+ &nsGkAtoms::surfaceScale, // surfaceScale
+ &nsGkAtoms::systemLanguage, // systemLanguage
+ &nsGkAtoms::tableValues, // tableValues
+ &nsGkAtoms::target, // target
+ &nsGkAtoms::targetX, // targetX
+ &nsGkAtoms::targetY, // targetY
+ &nsGkAtoms::text_anchor, // text-anchor
+ &nsGkAtoms::text_decoration, // text-decoration
+ // textLength
+ &nsGkAtoms::text_rendering, // text-rendering
+ &nsGkAtoms::title, // title
+ &nsGkAtoms::to, // to
+ &nsGkAtoms::transform, // transform
+ &nsGkAtoms::type, // type
+ // u1
+ // u2
+ // underline-position
+ // underline-thickness
+ // unicode
+ &nsGkAtoms::unicode_bidi, // unicode-bidi
+ // unicode-range
+ // units-per-em
+ // v-alphabetic
+ // v-hanging
+ // v-ideographic
+ // v-mathematical
+ &nsGkAtoms::values, // values
+ &nsGkAtoms::vector_effect, // vector-effect
+ // vert-adv-y
+ // vert-origin-x
+ // vert-origin-y
+ &nsGkAtoms::viewBox, // viewBox
+ &nsGkAtoms::viewTarget, // viewTarget
+ &nsGkAtoms::visibility, // visibility
+ &nsGkAtoms::width, // width
+ // widths
+ &nsGkAtoms::word_spacing, // word-spacing
+ // writing-mode
+ &nsGkAtoms::x, // x
+ // x-height
+ &nsGkAtoms::x1, // x1
+ &nsGkAtoms::x2, // x2
+ &nsGkAtoms::xChannelSelector, // xChannelSelector
+ &nsGkAtoms::y, // y
+ &nsGkAtoms::y1, // y1
+ &nsGkAtoms::y2, // y2
+ &nsGkAtoms::yChannelSelector, // yChannelSelector
+ &nsGkAtoms::z, // z
+ &nsGkAtoms::zoomAndPan, // zoomAndPan
+ nullptr
+};
+
+nsIAtom** const kURLAttributesSVG[] = {
+ nullptr
+};
+
+nsIAtom** const kElementsMathML[] = {
+ &nsGkAtoms::abs_, // abs
+ &nsGkAtoms::_and, // and
+ &nsGkAtoms::annotation_, // annotation
+ &nsGkAtoms::annotation_xml_, // annotation-xml
+ &nsGkAtoms::apply_, // apply
+ &nsGkAtoms::approx_, // approx
+ &nsGkAtoms::arccos_, // arccos
+ &nsGkAtoms::arccosh_, // arccosh
+ &nsGkAtoms::arccot_, // arccot
+ &nsGkAtoms::arccoth_, // arccoth
+ &nsGkAtoms::arccsc_, // arccsc
+ &nsGkAtoms::arccsch_, // arccsch
+ &nsGkAtoms::arcsec_, // arcsec
+ &nsGkAtoms::arcsech_, // arcsech
+ &nsGkAtoms::arcsin_, // arcsin
+ &nsGkAtoms::arcsinh_, // arcsinh
+ &nsGkAtoms::arctan_, // arctan
+ &nsGkAtoms::arctanh_, // arctanh
+ &nsGkAtoms::arg_, // arg
+ &nsGkAtoms::bind_, // bind
+ &nsGkAtoms::bvar_, // bvar
+ &nsGkAtoms::card_, // card
+ &nsGkAtoms::cartesianproduct_, // cartesianproduct
+ &nsGkAtoms::cbytes_, // cbytes
+ &nsGkAtoms::ceiling, // ceiling
+ &nsGkAtoms::cerror_, // cerror
+ &nsGkAtoms::ci_, // ci
+ &nsGkAtoms::cn_, // cn
+ &nsGkAtoms::codomain_, // codomain
+ &nsGkAtoms::complexes_, // complexes
+ &nsGkAtoms::compose_, // compose
+ &nsGkAtoms::condition_, // condition
+ &nsGkAtoms::conjugate_, // conjugate
+ &nsGkAtoms::cos_, // cos
+ &nsGkAtoms::cosh_, // cosh
+ &nsGkAtoms::cot_, // cot
+ &nsGkAtoms::coth_, // coth
+ &nsGkAtoms::cs_, // cs
+ &nsGkAtoms::csc_, // csc
+ &nsGkAtoms::csch_, // csch
+ &nsGkAtoms::csymbol_, // csymbol
+ &nsGkAtoms::curl_, // curl
+ &nsGkAtoms::declare, // declare
+ &nsGkAtoms::degree_, // degree
+ &nsGkAtoms::determinant_, // determinant
+ &nsGkAtoms::diff_, // diff
+ &nsGkAtoms::divergence_, // divergence
+ &nsGkAtoms::divide_, // divide
+ &nsGkAtoms::domain_, // domain
+ &nsGkAtoms::domainofapplication_, // domainofapplication
+ &nsGkAtoms::el_, // el
+ &nsGkAtoms::emptyset_, // emptyset
+ &nsGkAtoms::eq_, // eq
+ &nsGkAtoms::equivalent_, // equivalent
+ &nsGkAtoms::eulergamma_, // eulergamma
+ &nsGkAtoms::exists_, // exists
+ &nsGkAtoms::exp_, // exp
+ &nsGkAtoms::exponentiale_, // exponentiale
+ &nsGkAtoms::factorial_, // factorial
+ &nsGkAtoms::factorof_, // factorof
+ &nsGkAtoms::_false, // false
+ &nsGkAtoms::floor, // floor
+ &nsGkAtoms::fn_, // fn
+ &nsGkAtoms::forall_, // forall
+ &nsGkAtoms::gcd_, // gcd
+ &nsGkAtoms::geq_, // geq
+ &nsGkAtoms::grad, // grad
+ &nsGkAtoms::gt_, // gt
+ &nsGkAtoms::ident_, // ident
+ &nsGkAtoms::image, // image
+ &nsGkAtoms::imaginary_, // imaginary
+ &nsGkAtoms::imaginaryi_, // imaginaryi
+ &nsGkAtoms::implies_, // implies
+ &nsGkAtoms::in, // in
+ &nsGkAtoms::infinity, // infinity
+ &nsGkAtoms::int_, // int
+ &nsGkAtoms::integers_, // integers
+ &nsGkAtoms::intersect_, // intersect
+ &nsGkAtoms::interval_, // interval
+ &nsGkAtoms::inverse_, // inverse
+ &nsGkAtoms::lambda_, // lambda
+ &nsGkAtoms::laplacian_, // laplacian
+ &nsGkAtoms::lcm_, // lcm
+ &nsGkAtoms::leq_, // leq
+ &nsGkAtoms::limit_, // limit
+ &nsGkAtoms::list_, // list
+ &nsGkAtoms::ln_, // ln
+ &nsGkAtoms::log_, // log
+ &nsGkAtoms::logbase_, // logbase
+ &nsGkAtoms::lowlimit_, // lowlimit
+ &nsGkAtoms::lt_, // lt
+ &nsGkAtoms::maction_, // maction
+ &nsGkAtoms::maligngroup_, // maligngroup
+ &nsGkAtoms::malignmark_, // malignmark
+ &nsGkAtoms::math, // math
+ &nsGkAtoms::matrix, // matrix
+ &nsGkAtoms::matrixrow_, // matrixrow
+ &nsGkAtoms::max, // max
+ &nsGkAtoms::mean_, // mean
+ &nsGkAtoms::median_, // median
+ &nsGkAtoms::menclose_, // menclose
+ &nsGkAtoms::merror_, // merror
+ &nsGkAtoms::mfenced_, // mfenced
+ &nsGkAtoms::mfrac_, // mfrac
+ &nsGkAtoms::mglyph_, // mglyph
+ &nsGkAtoms::mi_, // mi
+ &nsGkAtoms::min, // min
+ &nsGkAtoms::minus_, // minus
+ &nsGkAtoms::mlabeledtr_, // mlabeledtr
+ &nsGkAtoms::mlongdiv_, // mlongdiv
+ &nsGkAtoms::mmultiscripts_, // mmultiscripts
+ &nsGkAtoms::mn_, // mn
+ &nsGkAtoms::mo_, // mo
+ &nsGkAtoms::mode, // mode
+ &nsGkAtoms::moment_, // moment
+ &nsGkAtoms::momentabout_, // momentabout
+ &nsGkAtoms::mover_, // mover
+ &nsGkAtoms::mpadded_, // mpadded
+ &nsGkAtoms::mphantom_, // mphantom
+ &nsGkAtoms::mprescripts_, // mprescripts
+ &nsGkAtoms::mroot_, // mroot
+ &nsGkAtoms::mrow_, // mrow
+ &nsGkAtoms::ms_, // ms
+ &nsGkAtoms::mscarries_, // mscarries
+ &nsGkAtoms::mscarry_, // mscarry
+ &nsGkAtoms::msgroup_, // msgroup
+ &nsGkAtoms::msline_, // msline
+ &nsGkAtoms::mspace_, // mspace
+ &nsGkAtoms::msqrt_, // msqrt
+ &nsGkAtoms::msrow_, // msrow
+ &nsGkAtoms::mstack_, // mstack
+ &nsGkAtoms::mstyle_, // mstyle
+ &nsGkAtoms::msub_, // msub
+ &nsGkAtoms::msubsup_, // msubsup
+ &nsGkAtoms::msup_, // msup
+ &nsGkAtoms::mtable_, // mtable
+ &nsGkAtoms::mtd_, // mtd
+ &nsGkAtoms::mtext_, // mtext
+ &nsGkAtoms::mtr_, // mtr
+ &nsGkAtoms::munder_, // munder
+ &nsGkAtoms::munderover_, // munderover
+ &nsGkAtoms::naturalnumbers_, // naturalnumbers
+ &nsGkAtoms::neq_, // neq
+ &nsGkAtoms::none, // none
+ &nsGkAtoms::_not, // not
+ &nsGkAtoms::notanumber_, // notanumber
+ &nsGkAtoms::note_, // note
+ &nsGkAtoms::notin_, // notin
+ &nsGkAtoms::notprsubset_, // notprsubset
+ &nsGkAtoms::notsubset_, // notsubset
+ &nsGkAtoms::_or, // or
+ &nsGkAtoms::otherwise, // otherwise
+ &nsGkAtoms::outerproduct_, // outerproduct
+ &nsGkAtoms::partialdiff_, // partialdiff
+ &nsGkAtoms::pi_, // pi
+ &nsGkAtoms::piece_, // piece
+ &nsGkAtoms::piecewise_, // piecewise
+ &nsGkAtoms::plus_, // plus
+ &nsGkAtoms::power_, // power
+ &nsGkAtoms::primes_, // primes
+ &nsGkAtoms::product_, // product
+ &nsGkAtoms::prsubset_, // prsubset
+ &nsGkAtoms::quotient_, // quotient
+ &nsGkAtoms::rationals_, // rationals
+ &nsGkAtoms::real_, // real
+ &nsGkAtoms::reals_, // reals
+ &nsGkAtoms::reln_, // reln
+ &nsGkAtoms::rem, // rem
+ &nsGkAtoms::root_, // root
+ &nsGkAtoms::scalarproduct_, // scalarproduct
+ &nsGkAtoms::sdev_, // sdev
+ &nsGkAtoms::sec_, // sec
+ &nsGkAtoms::sech_, // sech
+ &nsGkAtoms::selector_, // selector
+ &nsGkAtoms::semantics_, // semantics
+ &nsGkAtoms::sep_, // sep
+ &nsGkAtoms::set_, // set
+ &nsGkAtoms::setdiff_, // setdiff
+ &nsGkAtoms::share_, // share
+ &nsGkAtoms::sin_, // sin
+ &nsGkAtoms::sinh_, // sinh
+ &nsGkAtoms::subset_, // subset
+ &nsGkAtoms::sum, // sum
+ &nsGkAtoms::tan_, // tan
+ &nsGkAtoms::tanh_, // tanh
+ &nsGkAtoms::tendsto_, // tendsto
+ &nsGkAtoms::times_, // times
+ &nsGkAtoms::transpose_, // transpose
+ &nsGkAtoms::_true, // true
+ &nsGkAtoms::union_, // union
+ &nsGkAtoms::uplimit_, // uplimit
+ &nsGkAtoms::variance_, // variance
+ &nsGkAtoms::vector_, // vector
+ &nsGkAtoms::vectorproduct_, // vectorproduct
+ &nsGkAtoms::xor_, // xor
+ nullptr
+};
+
+nsIAtom** const kAttributesMathML[] = {
+ &nsGkAtoms::accent_, // accent
+ &nsGkAtoms::accentunder_, // accentunder
+ &nsGkAtoms::actiontype_, // actiontype
+ &nsGkAtoms::align, // align
+ &nsGkAtoms::alignmentscope_, // alignmentscope
+ &nsGkAtoms::alt, // alt
+ &nsGkAtoms::altimg_, // altimg
+ &nsGkAtoms::altimg_height_, // altimg-height
+ &nsGkAtoms::altimg_valign_, // altimg-valign
+ &nsGkAtoms::altimg_width_, // altimg-width
+ &nsGkAtoms::background, // background
+ &nsGkAtoms::base, // base
+ &nsGkAtoms::bevelled_, // bevelled
+ &nsGkAtoms::cd_, // cd
+ &nsGkAtoms::cdgroup_, // cdgroup
+ &nsGkAtoms::charalign_, // charalign
+ &nsGkAtoms::close, // close
+ &nsGkAtoms::closure_, // closure
+ &nsGkAtoms::color, // color
+ &nsGkAtoms::columnalign_, // columnalign
+ &nsGkAtoms::columnalignment_, // columnalignment
+ &nsGkAtoms::columnlines_, // columnlines
+ &nsGkAtoms::columnspacing_, // columnspacing
+ &nsGkAtoms::columnspan_, // columnspan
+ &nsGkAtoms::columnwidth_, // columnwidth
+ &nsGkAtoms::crossout_, // crossout
+ &nsGkAtoms::decimalpoint_, // decimalpoint
+ &nsGkAtoms::definitionURL_, // definitionURL
+ &nsGkAtoms::denomalign_, // denomalign
+ &nsGkAtoms::depth_, // depth
+ &nsGkAtoms::dir, // dir
+ &nsGkAtoms::display, // display
+ &nsGkAtoms::displaystyle_, // displaystyle
+ &nsGkAtoms::edge_, // edge
+ &nsGkAtoms::encoding, // encoding
+ &nsGkAtoms::equalcolumns_, // equalcolumns
+ &nsGkAtoms::equalrows_, // equalrows
+ &nsGkAtoms::fence_, // fence
+ &nsGkAtoms::fontfamily_, // fontfamily
+ &nsGkAtoms::fontsize_, // fontsize
+ &nsGkAtoms::fontstyle_, // fontstyle
+ &nsGkAtoms::fontweight_, // fontweight
+ &nsGkAtoms::form, // form
+ &nsGkAtoms::frame, // frame
+ &nsGkAtoms::framespacing_, // framespacing
+ &nsGkAtoms::groupalign_, // groupalign
+ &nsGkAtoms::height, // height
+ &nsGkAtoms::href, // href
+ &nsGkAtoms::id, // id
+ &nsGkAtoms::indentalign_, // indentalign
+ &nsGkAtoms::indentalignfirst_, // indentalignfirst
+ &nsGkAtoms::indentalignlast_, // indentalignlast
+ &nsGkAtoms::indentshift_, // indentshift
+ &nsGkAtoms::indentshiftfirst_, // indentshiftfirst
+ &nsGkAtoms::indenttarget_, // indenttarget
+ &nsGkAtoms::index, // index
+ &nsGkAtoms::integer, // integer
+ &nsGkAtoms::largeop_, // largeop
+ &nsGkAtoms::length, // length
+ &nsGkAtoms::linebreak_, // linebreak
+ &nsGkAtoms::linebreakmultchar_, // linebreakmultchar
+ &nsGkAtoms::linebreakstyle_, // linebreakstyle
+ &nsGkAtoms::linethickness_, // linethickness
+ &nsGkAtoms::location_, // location
+ &nsGkAtoms::longdivstyle_, // longdivstyle
+ &nsGkAtoms::lquote_, // lquote
+ &nsGkAtoms::lspace_, // lspace
+ &nsGkAtoms::ltr, // ltr
+ &nsGkAtoms::mathbackground_, // mathbackground
+ &nsGkAtoms::mathcolor_, // mathcolor
+ &nsGkAtoms::mathsize_, // mathsize
+ &nsGkAtoms::mathvariant_, // mathvariant
+ &nsGkAtoms::maxsize_, // maxsize
+ &nsGkAtoms::minlabelspacing_, // minlabelspacing
+ &nsGkAtoms::minsize_, // minsize
+ &nsGkAtoms::movablelimits_, // movablelimits
+ &nsGkAtoms::msgroup_, // msgroup
+ &nsGkAtoms::name, // name
+ &nsGkAtoms::newline, // newline
+ &nsGkAtoms::notation_, // notation
+ &nsGkAtoms::numalign_, // numalign
+ &nsGkAtoms::number, // number
+ &nsGkAtoms::open, // open
+ &nsGkAtoms::order, // order
+ &nsGkAtoms::other_, // other
+ &nsGkAtoms::overflow, // overflow
+ &nsGkAtoms::position, // position
+ &nsGkAtoms::role, // role
+ &nsGkAtoms::rowalign_, // rowalign
+ &nsGkAtoms::rowlines_, // rowlines
+ &nsGkAtoms::rowspacing_, // rowspacing
+ &nsGkAtoms::rowspan, // rowspan
+ &nsGkAtoms::rquote_, // rquote
+ &nsGkAtoms::rspace_, // rspace
+ &nsGkAtoms::schemaLocation_, // schemaLocation
+ &nsGkAtoms::scriptlevel_, // scriptlevel
+ &nsGkAtoms::scriptminsize_, // scriptminsize
+ &nsGkAtoms::scriptsize_, // scriptsize
+ &nsGkAtoms::scriptsizemultiplier_, // scriptsizemultiplier
+ &nsGkAtoms::selection_, // selection
+ &nsGkAtoms::separator_, // separator
+ &nsGkAtoms::separators_, // separators
+ &nsGkAtoms::shift_, // shift
+ &nsGkAtoms::side_, // side
+ &nsGkAtoms::src, // src
+ &nsGkAtoms::stackalign_, // stackalign
+ &nsGkAtoms::stretchy_, // stretchy
+ &nsGkAtoms::subscriptshift_, // subscriptshift
+ &nsGkAtoms::superscriptshift_, // superscriptshift
+ &nsGkAtoms::symmetric_, // symmetric
+ &nsGkAtoms::type, // type
+ &nsGkAtoms::voffset_, // voffset
+ &nsGkAtoms::width, // width
+ &nsGkAtoms::xref_, // xref
+ nullptr
+};
+
+nsIAtom** const kURLAttributesMathML[] = {
+ &nsGkAtoms::href,
+ &nsGkAtoms::src,
+ &nsGkAtoms::cdgroup_,
+ &nsGkAtoms::altimg_,
+ &nsGkAtoms::definitionURL_,
+ nullptr
+};
+
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sElementsHTML = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sAttributesHTML = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sPresAttributesHTML = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sElementsSVG = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sAttributesSVG = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sElementsMathML = nullptr;
+nsTHashtable<nsISupportsHashKey>* nsTreeSanitizer::sAttributesMathML = nullptr;
+nsIPrincipal* nsTreeSanitizer::sNullPrincipal = nullptr;
+
+nsTreeSanitizer::nsTreeSanitizer(uint32_t aFlags)
+ : mAllowStyles(aFlags & nsIParserUtils::SanitizerAllowStyle)
+ , mAllowComments(aFlags & nsIParserUtils::SanitizerAllowComments)
+ , mDropNonCSSPresentation(aFlags &
+ nsIParserUtils::SanitizerDropNonCSSPresentation)
+ , mDropForms(aFlags & nsIParserUtils::SanitizerDropForms)
+ , mCidEmbedsOnly(aFlags &
+ nsIParserUtils::SanitizerCidEmbedsOnly)
+ , mDropMedia(aFlags & nsIParserUtils::SanitizerDropMedia)
+ , mFullDocument(false)
+{
+ if (mCidEmbedsOnly) {
+ // Sanitizing styles for external references is not supported.
+ mAllowStyles = false;
+ }
+ if (!sElementsHTML) {
+ // Initialize lazily to avoid having to initialize at all if the user
+ // doesn't paste HTML or load feeds.
+ InitializeStatics();
+ }
+}
+
+bool
+nsTreeSanitizer::MustFlatten(int32_t aNamespace, nsIAtom* aLocal)
+{
+ if (aNamespace == kNameSpaceID_XHTML) {
+ if (mDropNonCSSPresentation && (nsGkAtoms::font == aLocal ||
+ nsGkAtoms::center == aLocal)) {
+ return true;
+ }
+ if (mDropForms && (nsGkAtoms::form == aLocal ||
+ nsGkAtoms::input == aLocal ||
+ nsGkAtoms::keygen == aLocal ||
+ nsGkAtoms::option == aLocal ||
+ nsGkAtoms::optgroup == aLocal)) {
+ return true;
+ }
+ if (mFullDocument && (nsGkAtoms::title == aLocal ||
+ nsGkAtoms::html == aLocal ||
+ nsGkAtoms::head == aLocal ||
+ nsGkAtoms::body == aLocal)) {
+ return false;
+ }
+ return !sElementsHTML->GetEntry(aLocal);
+ }
+ if (aNamespace == kNameSpaceID_SVG) {
+ if (mCidEmbedsOnly || mDropMedia) {
+ // Sanitizing CSS-based URL references inside SVG presentational
+ // attributes is not supported, so flattening for cid: embed case.
+ return true;
+ }
+ return !sElementsSVG->GetEntry(aLocal);
+ }
+ if (aNamespace == kNameSpaceID_MathML) {
+ return !sElementsMathML->GetEntry(aLocal);
+ }
+ return true;
+}
+
+bool
+nsTreeSanitizer::IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName)
+{
+ nsIAtom** atomPtrPtr;
+ while ((atomPtrPtr = *aURLs)) {
+ if (*atomPtrPtr == aLocalName) {
+ return true;
+ }
+ ++aURLs;
+ }
+ return false;
+}
+
+bool
+nsTreeSanitizer::MustPrune(int32_t aNamespace,
+ nsIAtom* aLocal,
+ mozilla::dom::Element* aElement)
+{
+ // To avoid attacks where a MathML script becomes something that gets
+ // serialized in a way that it parses back as an HTML script, let's just
+ // drop elements with the local name 'script' regardless of namespace.
+ if (nsGkAtoms::script == aLocal) {
+ return true;
+ }
+ if (aNamespace == kNameSpaceID_XHTML) {
+ if (nsGkAtoms::title == aLocal && !mFullDocument) {
+ // emulate the quirks of the old parser
+ return true;
+ }
+ if (mDropForms && (nsGkAtoms::select == aLocal ||
+ nsGkAtoms::button == aLocal ||
+ nsGkAtoms::datalist == aLocal)) {
+ return true;
+ }
+ if (mDropMedia && (nsGkAtoms::img == aLocal ||
+ nsGkAtoms::video == aLocal ||
+ nsGkAtoms::audio == aLocal ||
+ nsGkAtoms::source == aLocal)) {
+ return true;
+ }
+ if (nsGkAtoms::meta == aLocal &&
+ (aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::charset) ||
+ aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv))) {
+ // Throw away charset declarations even if they also have microdata
+ // which they can't validly have.
+ return true;
+ }
+ if (((!mFullDocument && nsGkAtoms::meta == aLocal) ||
+ nsGkAtoms::link == aLocal) &&
+ !(aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::itemprop) ||
+ aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::itemscope))) {
+ // emulate old behavior for non-Microdata <meta> and <link> presumably
+ // in <head>. <meta> and <link> are whitelisted in order to avoid
+ // corrupting Microdata when they appear in <body>. Note that
+ // SanitizeAttributes() will remove the rel attribute from <link> and
+ // the name attribute from <meta>.
+ return true;
+ }
+ }
+ if (mAllowStyles) {
+ if (nsGkAtoms::style == aLocal && !(aNamespace == kNameSpaceID_XHTML
+ || aNamespace == kNameSpaceID_SVG)) {
+ return true;
+ }
+ return false;
+ }
+ if (nsGkAtoms::style == aLocal) {
+ return true;
+ }
+ return false;
+}
+
+bool
+nsTreeSanitizer::SanitizeStyleRule(mozilla::css::StyleRule *aRule,
+ nsAutoString &aRuleText)
+{
+ bool didSanitize = false;
+ aRuleText.Truncate();
+ mozilla::css::Declaration* style = aRule->GetDeclaration();
+ if (style) {
+ didSanitize = style->HasProperty(eCSSProperty_binding);
+ style->RemoveProperty(eCSSProperty_binding);
+ style->ToString(aRuleText);
+ }
+ return didSanitize;
+}
+
+bool
+nsTreeSanitizer::SanitizeStyleSheet(const nsAString& aOriginal,
+ nsAString& aSanitized,
+ nsIDocument* aDocument,
+ nsIURI* aBaseURI)
+{
+ nsresult rv;
+ aSanitized.Truncate();
+ // aSanitized will hold the permitted CSS text.
+ // -moz-binding is blacklisted.
+ bool didSanitize = false;
+ // Create a sheet to hold the parsed CSS
+ nsRefPtr<CSSStyleSheet> sheet = new CSSStyleSheet(CORS_NONE, aDocument->GetReferrerPolicy());
+ sheet->SetURIs(aDocument->GetDocumentURI(), nullptr, aBaseURI);
+ sheet->SetPrincipal(aDocument->NodePrincipal());
+ // Create the CSS parser, and parse the CSS text.
+ nsCSSParser parser(nullptr, sheet);
+ rv = parser.ParseSheet(aOriginal, aDocument->GetDocumentURI(), aBaseURI,
+ aDocument->NodePrincipal(), 0, false);
+ NS_ENSURE_SUCCESS(rv, true);
+ // Mark the sheet as complete.
+ MOZ_ASSERT(!sheet->IsModified(),
+ "should not get marked modified during parsing");
+ sheet->SetComplete();
+ // Loop through all the rules found in the CSS text
+ int32_t ruleCount = sheet->StyleRuleCount();
+ for (int32_t i = 0; i < ruleCount; ++i) {
+ mozilla::css::Rule* rule = sheet->GetStyleRuleAt(i);
+ if (!rule)
+ continue;
+ switch (rule->GetType()) {
+ default:
+ didSanitize = true;
+ // Ignore these rule types.
+ break;
+ case mozilla::css::Rule::NAMESPACE_RULE:
+ case mozilla::css::Rule::FONT_FACE_RULE: {
+ // Append @namespace and @font-face rules verbatim.
+ nsAutoString cssText;
+ nsCOMPtr<nsIDOMCSSRule> styleRule = do_QueryInterface(rule);
+ if (styleRule) {
+ rv = styleRule->GetCssText(cssText);
+ if (NS_SUCCEEDED(rv)) {
+ aSanitized.Append(cssText);
+ }
+ }
+ break;
+ }
+ case mozilla::css::Rule::STYLE_RULE: {
+ // For style rules, we will just look for and remove the
+ // -moz-binding properties.
+ nsRefPtr<mozilla::css::StyleRule> styleRule = do_QueryObject(rule);
+ NS_ASSERTION(styleRule, "Must be a style rule");
+ nsAutoString decl;
+ bool sanitized = SanitizeStyleRule(styleRule, decl);
+ didSanitize = sanitized || didSanitize;
+ if (!sanitized) {
+ styleRule->GetCssText(decl);
+ }
+ aSanitized.Append(decl);
+ }
+ }
+ }
+ return didSanitize;
+}
+
+void
+nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
+ nsTHashtable<nsISupportsHashKey>* aAllowed,
+ nsIAtom*** aURLs,
+ bool aAllowXLink,
+ bool aAllowStyle,
+ bool aAllowDangerousSrc)
+{
+ uint32_t ac = aElement->GetAttrCount();
+
+ nsresult rv;
+
+ for (int32_t i = ac - 1; i >= 0; --i) {
+ rv = NS_OK;
+ const nsAttrName* attrName = aElement->GetAttrNameAt(i);
+ int32_t attrNs = attrName->NamespaceID();
+ nsCOMPtr<nsIAtom> attrLocal = attrName->LocalName();
+
+ if (kNameSpaceID_None == attrNs) {
+ if (aAllowStyle && nsGkAtoms::style == attrLocal) {
+ nsCOMPtr<nsIURI> baseURI = aElement->GetBaseURI();
+ nsIDocument* document = aElement->OwnerDoc();
+ // Pass the CSS Loader object to the parser, to allow parser error
+ // reports to include the outer window ID.
+ nsCSSParser parser(document->CSSLoader());
+ nsRefPtr<mozilla::css::StyleRule> rule;
+ nsAutoString value;
+ aElement->GetAttr(attrNs, attrLocal, value);
+ rv = parser.ParseStyleAttribute(value,
+ document->GetDocumentURI(),
+ baseURI,
+ document->NodePrincipal(),
+ getter_AddRefs(rule));
+ if (NS_SUCCEEDED(rv)) {
+ nsAutoString cleanValue;
+ if (SanitizeStyleRule(rule, cleanValue)) {
+ aElement->SetAttr(kNameSpaceID_None,
+ nsGkAtoms::style,
+ cleanValue,
+ false);
+ }
+ }
+ continue;
+ }
+ if (aAllowDangerousSrc && nsGkAtoms::src == attrLocal) {
+ continue;
+ }
+ if (IsURL(aURLs, attrLocal)) {
+ if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ // in case the attribute removal shuffled the attribute order, start
+ // the loop again.
+ --ac;
+ i = ac; // i will be decremented immediately thanks to the for loop
+ continue;
+ }
+ // else fall through to see if there's another reason to drop this
+ // attribute (in particular if the attribute is background="" on an
+ // HTML element)
+ }
+ if (!mDropNonCSSPresentation &&
+ (aAllowed == sAttributesHTML) && // element is HTML
+ sPresAttributesHTML->GetEntry(attrLocal)) {
+ continue;
+ }
+ if (aAllowed->GetEntry(attrLocal) &&
+ !((attrLocal == nsGkAtoms::rel &&
+ aElement->IsHTML(nsGkAtoms::link)) ||
+ (!mFullDocument &&
+ attrLocal == nsGkAtoms::name &&
+ aElement->IsHTML(nsGkAtoms::meta)))) {
+ // name="" and rel="" are whitelisted, but treat them as blacklisted
+ // for <meta name> (fragment case) and <link rel> (all cases) to avoid
+ // document-wide metadata or styling overrides with non-conforming
+ // <meta name itemprop> or
+ // <link rel itemprop>
+ continue;
+ }
+ const char16_t* localStr = attrLocal->GetUTF16String();
+ // Allow underscore to cater to the MCE editor library.
+ // Allow data-* on SVG and MathML, too, as a forward-compat measure.
+ if (*localStr == '_' || (attrLocal->GetLength() > 5 && localStr[0] == 'd'
+ && localStr[1] == 'a' && localStr[2] == 't' && localStr[3] == 'a'
+ && localStr[4] == '-')) {
+ continue;
+ }
+ // else not allowed
+ } else if (kNameSpaceID_XML == attrNs) {
+ if (nsGkAtoms::base == attrLocal) {
+ if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ // in case the attribute removal shuffled the attribute order, start
+ // the loop again.
+ --ac;
+ i = ac; // i will be decremented immediately thanks to the for loop
+ }
+ continue;
+ }
+ if (nsGkAtoms::lang == attrLocal || nsGkAtoms::space == attrLocal) {
+ continue;
+ }
+ // else not allowed
+ } else if (aAllowXLink && kNameSpaceID_XLink == attrNs) {
+ if (nsGkAtoms::href == attrLocal) {
+ if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ // in case the attribute removal shuffled the attribute order, start
+ // the loop again.
+ --ac;
+ i = ac; // i will be decremented immediately thanks to the for loop
+ }
+ continue;
+ }
+ if (nsGkAtoms::type == attrLocal || nsGkAtoms::title == attrLocal
+ || nsGkAtoms::show == attrLocal || nsGkAtoms::actuate == attrLocal) {
+ continue;
+ }
+ // else not allowed
+ }
+ aElement->UnsetAttr(kNameSpaceID_None, attrLocal, false);
+ // in case the attribute removal shuffled the attribute order, start the
+ // loop again.
+ --ac;
+ i = ac; // i will be decremented immediately thanks to the for loop
+ }
+
+ // If we've got HTML audio or video, add the controls attribute, because
+ // otherwise the content is unplayable with scripts removed.
+ if (aElement->IsHTML(nsGkAtoms::video) ||
+ aElement->IsHTML(nsGkAtoms::audio)) {
+ aElement->SetAttr(kNameSpaceID_None,
+ nsGkAtoms::controls,
+ EmptyString(),
+ false);
+ }
+}
+
+bool
+nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
+ int32_t aNamespace,
+ nsIAtom* aLocalName)
+{
+ nsAutoString value;
+ aElement->GetAttr(aNamespace, aLocalName, value);
+
+ // Get value and remove mandatory quotes
+ static const char* kWhitespace = "\n\r\t\b";
+ const nsAString& v =
+ nsContentUtils::TrimCharsInSet(kWhitespace, value);
+
+ nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+ uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
+
+ nsCOMPtr<nsIURI> baseURI = aElement->GetBaseURI();
+ nsCOMPtr<nsIURI> attrURI;
+ nsresult rv = NS_NewURI(getter_AddRefs(attrURI), v, nullptr, baseURI);
+ if (NS_SUCCEEDED(rv)) {
+ if (mCidEmbedsOnly &&
+ kNameSpaceID_None == aNamespace) {
+ if (nsGkAtoms::src == aLocalName || nsGkAtoms::background == aLocalName) {
+ // comm-central uses a hack that makes nsIURIs created with cid: specs
+ // actually have an about:blank spec. Therefore, nsIURI facilities are
+ // useless for cid: when comm-central code is participating.
+ if (!(v.Length() > 4 &&
+ (v[0] == 'c' || v[0] == 'C') &&
+ (v[1] == 'i' || v[1] == 'I') &&
+ (v[2] == 'd' || v[2] == 'D') &&
+ v[3] == ':')) {
+ rv = NS_ERROR_FAILURE;
+ }
+ } else if (nsGkAtoms::cdgroup_ == aLocalName ||
+ nsGkAtoms::altimg_ == aLocalName ||
+ nsGkAtoms::definitionURL_ == aLocalName) {
+ // Goanna doesn't fetch these now and shouldn't in the future, but
+ // in case someone goofs with these in the future, let's drop them.
+ rv = NS_ERROR_FAILURE;
+ } else {
+ rv = secMan->CheckLoadURIWithPrincipal(sNullPrincipal, attrURI, flags);
+ }
+ } else {
+ rv = secMan->CheckLoadURIWithPrincipal(sNullPrincipal, attrURI, flags);
+ }
+ }
+ if (NS_FAILED(rv)) {
+ aElement->UnsetAttr(aNamespace, aLocalName, false);
+ return true;
+ }
+ return false;
+}
+
+void
+nsTreeSanitizer::Sanitize(nsIContent* aFragment)
+{
+ // If you want to relax these preconditions, be sure to check the code in
+ // here that notifies / does not notify or that fires mutation events if
+ // in tree.
+ NS_PRECONDITION(aFragment->IsNodeOfType(nsINode::eDOCUMENT_FRAGMENT),
+ "Argument was not DOM fragment.");
+ NS_PRECONDITION(!aFragment->IsInDoc(), "The fragment is in doc?");
+
+ mFullDocument = false;
+ SanitizeChildren(aFragment);
+}
+
+void
+nsTreeSanitizer::Sanitize(nsIDocument* aDocument)
+{
+ // If you want to relax these preconditions, be sure to check the code in
+ // here that notifies / does not notify or that fires mutation events if
+ // in tree.
+#ifdef DEBUG
+ NS_PRECONDITION(!aDocument->GetContainer(), "The document is in a shell.");
+ nsRefPtr<mozilla::dom::Element> root = aDocument->GetRootElement();
+ NS_PRECONDITION(root->IsHTML(nsGkAtoms::html), "Not HTML root.");
+#endif
+
+ mFullDocument = true;
+ SanitizeChildren(aDocument);
+}
+
+void
+nsTreeSanitizer::SanitizeChildren(nsINode* aRoot)
+{
+ nsIContent* node = aRoot->GetFirstChild();
+ while (node) {
+ if (node->IsElement()) {
+ mozilla::dom::Element* elt = node->AsElement();
+ mozilla::dom::NodeInfo* nodeInfo = node->NodeInfo();
+ nsIAtom* localName = nodeInfo->NameAtom();
+ int32_t ns = nodeInfo->NamespaceID();
+
+ if (MustPrune(ns, localName, elt)) {
+ RemoveAllAttributes(node);
+ nsIContent* descendant = node;
+ while ((descendant = descendant->GetNextNode(node))) {
+ RemoveAllAttributes(descendant);
+ }
+ nsIContent* next = node->GetNextNonChildNode(aRoot);
+ node->RemoveFromParent();
+ node = next;
+ continue;
+ }
+ if (nsGkAtoms::style == localName) {
+ // If styles aren't allowed, style elements got pruned above. Even
+ // if styles are allowed, non-HTML, non-SVG style elements got pruned
+ // above.
+ NS_ASSERTION(ns == kNameSpaceID_XHTML || ns == kNameSpaceID_SVG,
+ "Should have only HTML or SVG here!");
+ nsAutoString styleText;
+ if (!nsContentUtils::GetNodeTextContent(node, false, styleText)) {
+ NS_RUNTIMEABORT("OOM");
+ }
+ nsAutoString sanitizedStyle;
+ nsCOMPtr<nsIURI> baseURI = node->GetBaseURI();
+ if (SanitizeStyleSheet(styleText,
+ sanitizedStyle,
+ aRoot->OwnerDoc(),
+ baseURI)) {
+ nsContentUtils::SetNodeTextContent(node, sanitizedStyle, true);
+ } else {
+ // If the node had non-text child nodes, this operation zaps those.
+ nsContentUtils::SetNodeTextContent(node, styleText, true);
+ }
+ if (ns == kNameSpaceID_XHTML) {
+ SanitizeAttributes(elt,
+ sAttributesHTML,
+ (nsIAtom***)kURLAttributesHTML,
+ false,
+ mAllowStyles,
+ false);
+ } else {
+ SanitizeAttributes(elt,
+ sAttributesSVG,
+ (nsIAtom***)kURLAttributesSVG,
+ true,
+ mAllowStyles,
+ false);
+ }
+ node = node->GetNextNonChildNode(aRoot);
+ continue;
+ }
+ if (MustFlatten(ns, localName)) {
+ RemoveAllAttributes(node);
+ nsCOMPtr<nsIContent> next = node->GetNextNode(aRoot);
+ nsCOMPtr<nsIContent> parent = node->GetParent();
+ nsCOMPtr<nsIContent> child; // Must keep the child alive during move
+ ErrorResult rv;
+ while ((child = node->GetFirstChild())) {
+ parent->InsertBefore(*child, node, rv);
+ if (rv.Failed()) {
+ break;
+ }
+ }
+ node->RemoveFromParent();
+ node = next;
+ continue;
+ }
+ NS_ASSERTION(ns == kNameSpaceID_XHTML ||
+ ns == kNameSpaceID_SVG ||
+ ns == kNameSpaceID_MathML,
+ "Should have only HTML, MathML or SVG here!");
+ if (ns == kNameSpaceID_XHTML) {
+ SanitizeAttributes(elt,
+ sAttributesHTML,
+ (nsIAtom***)kURLAttributesHTML,
+ false, mAllowStyles,
+ (nsGkAtoms::img == localName) &&
+ !mCidEmbedsOnly);
+ } else if (ns == kNameSpaceID_SVG) {
+ SanitizeAttributes(elt,
+ sAttributesSVG,
+ (nsIAtom***)kURLAttributesSVG,
+ true,
+ mAllowStyles,
+ false);
+ } else {
+ SanitizeAttributes(elt,
+ sAttributesMathML,
+ (nsIAtom***)kURLAttributesMathML,
+ true,
+ false,
+ false);
+ }
+ node = node->GetNextNode(aRoot);
+ continue;
+ }
+ NS_ASSERTION(!node->GetFirstChild(), "How come non-element node had kids?");
+ nsIContent* next = node->GetNextNonChildNode(aRoot);
+ if (!mAllowComments && node->IsNodeOfType(nsINode::eCOMMENT)) {
+ node->RemoveFromParent();
+ }
+ node = next;
+ }
+}
+
+void
+nsTreeSanitizer::RemoveAllAttributes(nsIContent* aElement)
+{
+ const nsAttrName* attrName;
+ while ((attrName = aElement->GetAttrNameAt(0))) {
+ int32_t attrNs = attrName->NamespaceID();
+ nsCOMPtr<nsIAtom> attrLocal = attrName->LocalName();
+ aElement->UnsetAttr(attrNs, attrLocal, false);
+ }
+}
+
+void
+nsTreeSanitizer::InitializeStatics()
+{
+ NS_PRECONDITION(!sElementsHTML, "Initializing a second time.");
+
+ sElementsHTML = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kElementsHTML));
+ for (uint32_t i = 0; kElementsHTML[i]; i++) {
+ sElementsHTML->PutEntry(*kElementsHTML[i]);
+ }
+
+ sAttributesHTML = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kAttributesHTML));
+ for (uint32_t i = 0; kAttributesHTML[i]; i++) {
+ sAttributesHTML->PutEntry(*kAttributesHTML[i]);
+ }
+
+ sPresAttributesHTML = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kPresAttributesHTML));
+ for (uint32_t i = 0; kPresAttributesHTML[i]; i++) {
+ sPresAttributesHTML->PutEntry(*kPresAttributesHTML[i]);
+ }
+
+ sElementsSVG = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kElementsSVG));
+ for (uint32_t i = 0; kElementsSVG[i]; i++) {
+ sElementsSVG->PutEntry(*kElementsSVG[i]);
+ }
+
+ sAttributesSVG = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kAttributesSVG));
+ for (uint32_t i = 0; kAttributesSVG[i]; i++) {
+ sAttributesSVG->PutEntry(*kAttributesSVG[i]);
+ }
+
+ sElementsMathML = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kElementsMathML));
+ for (uint32_t i = 0; kElementsMathML[i]; i++) {
+ sElementsMathML->PutEntry(*kElementsMathML[i]);
+ }
+
+ sAttributesMathML = new nsTHashtable<nsISupportsHashKey>(ArrayLength(kAttributesMathML));
+ for (uint32_t i = 0; kAttributesMathML[i]; i++) {
+ sAttributesMathML->PutEntry(*kAttributesMathML[i]);
+ }
+
+ nsCOMPtr<nsIPrincipal> principal =
+ do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID);
+ principal.forget(&sNullPrincipal);
+}
+
+void
+nsTreeSanitizer::ReleaseStatics()
+{
+ delete sElementsHTML;
+ sElementsHTML = nullptr;
+
+ delete sAttributesHTML;
+ sAttributesHTML = nullptr;
+
+ delete sPresAttributesHTML;
+ sPresAttributesHTML = nullptr;
+
+ delete sElementsSVG;
+ sElementsSVG = nullptr;
+
+ delete sAttributesSVG;
+ sAttributesSVG = nullptr;
+
+ delete sElementsMathML;
+ sElementsMathML = nullptr;
+
+ delete sAttributesMathML;
+ sAttributesMathML = nullptr;
+
+ NS_IF_RELEASE(sNullPrincipal);
+}