authorHenri Sivonen <hsivonen@hsivonen.fi>2020-11-19 19:06:03 +0000
committerMoonchild <moonchild@palemoon.org>2020-11-19 19:06:03 +0000
commiteefaee9064be68c5012d9e5c092012efb1fc2514 (patch)
tree55a78d83037156166aa07fe058b130e39c7bf512
parent1864bbec2a0e17e2bb07de1ee8a71579c9cf1335 (diff)
downloaduxp-eefaee9064be68c5012d9e5c092012efb1fc2514.tar.gz
[dom] Remove attributes from descendants when setting sanitized style.
This avoids a number of problems with incomplete sanitization.
-rw-r--r--dom/base/nsTreeSanitizer.cpp13
-rw-r--r--dom/base/nsTreeSanitizer.h6
2 files changed, 19 insertions, 0 deletions
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index c8150d0c24..39c2408b7c 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1384,6 +1384,8 @@ nsTreeSanitizer::SanitizeChildren(nsINode* aRoot)
nsAutoString styleText;
nsContentUtils::GetNodeTextContent(node, false, styleText);
+ RemoveAllAttributesFromDescendants(elt);
+
nsAutoString sanitizedStyle;
nsCOMPtr<nsIURI> baseURI = node->GetBaseURI();
if (SanitizeStyleSheet(styleText,
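Review bot: The new `RemoveAllAttributesFromDescendants(elt);` call has no comment saying why a style element's descendants need their attributes stripped, and the commit message only says it avoids incomplete sanitation. A short comment above the call would keep a later refactor from dropping it, e.g. `// Descendants of a style element are not attribute-sanitized individually; strip their attributes wholesale.` That reason is presumed, so confirm the wording against the rest of SanitizeChildren, which starts and ends outside this hunk. The diffstat also shows no test in this commit; a regression test that sanitizes a style element with attribute-bearing child elements and asserts the children come out attribute-free would pin the behaviour.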
@@ -1479,6 +1481,17 @@ nsTreeSanitizer::RemoveAllAttributes(nsIContent* aElement)
}
}
+void nsTreeSanitizer::RemoveAllAttributesFromDescendants(mozilla::dom::Element* aElement) {
+ nsIContent* node = aElement->GetFirstChild();
+ while (node) {
+ if (node->IsElement()) {
+ mozilla::dom::Element* elt = node->AsElement();
+ RemoveAllAttributes(elt);
+ }
+ node = node->GetNextNode(aElement);
+ }
+}
+
void
nsTreeSanitizer::InitializeStatics()
{
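Review bot: The definition of `RemoveAllAttributesFromDescendants` is formatted differently from its neighbours: return type, qualified name and opening brace share one line, while `InitializeStatics` directly below puts `void` and `{` on lines of their own. The local `elt` is also redundant, because the header declares `RemoveAllAttributes(nsIContent* aElement)`; the loop body can be just `if (node->IsElement()) { RemoveAllAttributes(node); }`. The walk relies on `GetNextNode(aElement)` staying valid while attributes are being removed, which holds as long as attribute removal cannot change the tree here; a one-line comment stating that assumption would help the next reader.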
diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
index b8700d775f..b4a333f619 100644
--- a/dom/base/nsTreeSanitizer.h
+++ b/dom/base/nsTreeSanitizer.h
@@ -184,6 +184,12 @@ class MOZ_STACK_CLASS nsTreeSanitizer {
void RemoveAllAttributes(nsIContent* aElement);
/**
+ * Removes all attributes from the descendants of an element but not from
+ * the element itself.
+ */
+ void RemoveAllAttributesFromDescendants(mozilla::dom::Element* aElement);
+
+ /**
* The whitelist of HTML elements.
*/
static nsTHashtable<nsISupportsHashKey>* sElementsHTML;
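Review bot: The doc comment on `RemoveAllAttributesFromDescendants` does not state the non-null precondition, although the implementation in nsTreeSanitizer.cpp dereferences `aElement` on its first line without a check. I would add `* @param aElement the subtree root whose descendants are stripped; must not be null.` to the comment, and optionally back it with `MOZ_ASSERT(aElement);` in the definition. The class body continues outside this hunk.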