2012-05-21 11:12:37 +00:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
#ifndef nsTreeSanitizer_h_
|
|
|
|
|
#define nsTreeSanitizer_h_
|
|
|
|
|
|
|
|
|
|
#include "mozilla/css/StyleRule.h"
|
|
|
|
|
#include "nsIPrincipal.h"
|
|
|
|
|
#include "mozilla/dom/Element.h"
|
|
|
|
|
|
2013-03-22 00:05:20 +00:00
|
|
|
class nsIContent;
|
|
|
|
|
|
2012-03-19 08:16:20 +00:00
|
|
|
/**
|
|
|
|
|
* See the documentation of nsIParserUtils::sanitize for documentation
|
|
|
|
|
* about the default behavior and the configuration options of this sanitizer.
|
|
|
|
|
*/
|
2013-04-12 03:20:09 +00:00
|
|
|
class MOZ_STACK_CLASS nsTreeSanitizer {
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The constructor.
|
|
|
|
|
*
|
2012-03-19 08:16:20 +00:00
|
|
|
* @param aFlags Flags from nsIParserUtils
|
2011-07-29 11:48:04 +00:00
|
|
|
*/
|
2014-09-02 00:49:25 +00:00
|
|
|
explicit nsTreeSanitizer(uint32_t aFlags = 0);
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
static void InitializeStatics();
|
|
|
|
|
static void ReleaseStatics();
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sanitizes a disconnected DOM fragment freshly obtained from a parser.
|
|
|
|
|
* The argument must be of type nsINode::eDOCUMENT_FRAGMENT and,
|
|
|
|
|
* consequently, must not be in the document. Furthermore, the fragment
|
|
|
|
|
* must have just come from a parser so that it can't have mutation
|
|
|
|
|
* event listeners set on it.
|
|
|
|
|
*/
|
|
|
|
|
void Sanitize(nsIContent* aFragment);
|
|
|
|
|
|
2012-03-19 08:16:20 +00:00
|
|
|
/**
|
|
|
|
|
* Sanitizes a disconnected (not in a docshell) document freshly obtained
|
|
|
|
|
* from a parser. The document must not be embedded in a docshell and must
|
|
|
|
|
* not have had a chance to get mutation event listeners attached to it.
|
|
|
|
|
* The root element must be <html>.
|
|
|
|
|
*/
|
|
|
|
|
void Sanitize(nsIDocument* aDocument);
|
|
|
|
|
|
2011-07-29 11:48:04 +00:00
|
|
|
private:
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether <style> and style="" are allowed.
|
|
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool mAllowStyles;
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether comment nodes are allowed.
|
|
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool mAllowComments;
|
2011-07-29 11:48:04 +00:00
|
|
|
|
2012-03-19 08:16:20 +00:00
|
|
|
/**
|
|
|
|
|
* Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
|
|
|
|
|
*/
|
|
|
|
|
bool mDropNonCSSPresentation;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether to remove forms and form controls (excluding fieldset/legend).
|
|
|
|
|
*/
|
|
|
|
|
bool mDropForms;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether only cid: embeds are allowed.
|
|
|
|
|
*/
|
|
|
|
|
bool mCidEmbedsOnly;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether to drop <img>, <video>, <audio> and <svg>.
|
|
|
|
|
*/
|
|
|
|
|
bool mDropMedia;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether we are sanitizing a full document (as opposed to a fragment).
|
|
|
|
|
*/
|
|
|
|
|
bool mFullDocument;
|
|
|
|
|
|
|
|
|
|
void SanitizeChildren(nsINode* aRoot);
|
|
|
|
|
|
2011-07-29 11:48:04 +00:00
|
|
|
/**
|
|
|
|
|
* Queries if an element must be replaced with its children.
|
|
|
|
|
* @param aNamespace the namespace of the element the question is about
|
|
|
|
|
* @param aLocal the local name of the element the question is about
|
|
|
|
|
* @return true if the element must be replaced with its children and
|
|
|
|
|
* false if the element is to be kept
|
|
|
|
|
*/
|
2012-08-22 15:56:38 +00:00
|
|
|
bool MustFlatten(int32_t aNamespace, nsIAtom* aLocal);
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Queries if an element including its children must be removed.
|
|
|
|
|
* @param aNamespace the namespace of the element the question is about
|
|
|
|
|
* @param aLocal the local name of the element the question is about
|
|
|
|
|
* @param aElement the element node itself for inspecting attributes
|
|
|
|
|
* @return true if the element and its children must be removed and
|
|
|
|
|
* false if the element is to be kept
|
|
|
|
|
*/
|
2012-08-22 15:56:38 +00:00
|
|
|
bool MustPrune(int32_t aNamespace,
|
2011-07-29 11:48:04 +00:00
|
|
|
nsIAtom* aLocal,
|
|
|
|
|
mozilla::dom::Element* aElement);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if a given local name (for an attribute) is on the given list
|
|
|
|
|
* of URL attribute names.
|
|
|
|
|
* @param aURLs the list of URL attribute names
|
|
|
|
|
* @param aLocalName the name to search on the list
|
|
|
|
|
* @return true if aLocalName is on the aURLs list and false otherwise
|
|
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName);
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Removes dangerous attributes from the element. If the style attribute
|
|
|
|
|
* is allowed, its value is sanitized. The values of URL attributes are
|
|
|
|
|
* sanitized, except src isn't sanitized when it is allowed to remain
|
|
|
|
|
* potentially dangerous.
|
|
|
|
|
*
|
|
|
|
|
* @param aElement the element whose attributes should be sanitized
|
|
|
|
|
* @param aAllowed the whitelist of permitted local names to use
|
|
|
|
|
* @param aURLs the local names of URL-valued attributes
|
|
|
|
|
* @param aAllowXLink whether XLink attributes are allowed
|
|
|
|
|
* @param aAllowStyle whether the style attribute is allowed
|
|
|
|
|
* @param aAllowDangerousSrc whether to leave the value of the src
|
|
|
|
|
* attribute unsanitized
|
|
|
|
|
*/
|
|
|
|
|
void SanitizeAttributes(mozilla::dom::Element* aElement,
|
|
|
|
|
nsTHashtable<nsISupportsHashKey>* aAllowed,
|
|
|
|
|
nsIAtom*** aURLs,
|
2011-09-29 06:19:26 +00:00
|
|
|
bool aAllowXLink,
|
|
|
|
|
bool aAllowStyle,
|
|
|
|
|
bool aAllowDangerousSrc);
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Remove the named URL attribute from the element if the URL fails a
|
|
|
|
|
* security check.
|
|
|
|
|
*
|
|
|
|
|
* @param aElement the element whose attribute to possibly modify
|
|
|
|
|
* @param aNamespace the namespace of the URL attribute
|
|
|
|
|
* @param aLocalName the local name of the URL attribute
|
2011-08-02 17:45:38 +00:00
|
|
|
* @return true if the attribute was removed and false otherwise
|
2011-07-29 11:48:04 +00:00
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool SanitizeURL(mozilla::dom::Element* aElement,
|
2012-08-22 15:56:38 +00:00
|
|
|
int32_t aNamespace,
|
2011-08-02 17:45:38 +00:00
|
|
|
nsIAtom* aLocalName);
|
2011-07-29 11:48:04 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks a style rule for the presence of the 'binding' CSS property and
|
|
|
|
|
* removes that property from the rule and reserializes in case the
|
|
|
|
|
* property was found.
|
|
|
|
|
*
|
|
|
|
|
* @param aRule The style rule to check
|
|
|
|
|
* @param aRuleText the serialized mutated rule if the method returns true
|
|
|
|
|
* @return true if the rule was modified and false otherwise
|
|
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool SanitizeStyleRule(mozilla::css::StyleRule* aRule,
|
2011-07-29 11:48:04 +00:00
|
|
|
nsAutoString &aRuleText);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Parses a style sheet and reserializes it with the 'binding' property
|
|
|
|
|
* removed if it was present.
|
|
|
|
|
*
|
|
|
|
|
* @param aOrigin the original style sheet source
|
|
|
|
|
* @param aSanitized the reserialization without 'binding'; only valid if
|
|
|
|
|
* this method return true
|
|
|
|
|
* @param aDocument the document the style sheet belongs to
|
|
|
|
|
* @param aBaseURI the base URI to use
|
|
|
|
|
* @return true if the 'binding' property was encountered and false
|
|
|
|
|
* otherwise
|
|
|
|
|
*/
|
2011-09-29 06:19:26 +00:00
|
|
|
bool SanitizeStyleSheet(const nsAString& aOriginal,
|
2011-07-29 11:48:04 +00:00
|
|
|
nsAString& aSanitized,
|
|
|
|
|
nsIDocument* aDocument,
|
|
|
|
|
nsIURI* aBaseURI);
|
|
|
|
|
|
2012-06-14 06:14:47 +00:00
|
|
|
/**
|
|
|
|
|
* Removes all attributes from an element node.
|
|
|
|
|
*/
|
|
|
|
|
void RemoveAllAttributes(nsIContent* aElement);
|
|
|
|
|
|
2011-07-29 11:48:04 +00:00
|
|
|
/**
|
|
|
|
|
* The whitelist of HTML elements.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sElementsHTML;
|
|
|
|
|
|
|
|
|
|
/**
|
2012-03-19 08:16:20 +00:00
|
|
|
* The whitelist of non-presentational HTML attributes.
|
2011-07-29 11:48:04 +00:00
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sAttributesHTML;
|
|
|
|
|
|
2012-03-19 08:16:20 +00:00
|
|
|
/**
|
|
|
|
|
* The whitelist of presentational HTML attributes.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sPresAttributesHTML;
|
|
|
|
|
|
2011-07-29 11:48:04 +00:00
|
|
|
/**
|
|
|
|
|
* The whitelist of SVG elements.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sElementsSVG;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The whitelist of SVG attributes.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sAttributesSVG;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The whitelist of SVG elements.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sElementsMathML;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The whitelist of MathML attributes.
|
|
|
|
|
*/
|
|
|
|
|
static nsTHashtable<nsISupportsHashKey>* sAttributesMathML;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Reusable null principal for URL checks.
|
|
|
|
|
*/
|
|
|
|
|
static nsIPrincipal* sNullPrincipal;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#endif // nsTreeSanitizer_h_
|
