content/base/public/nsTreeSanitizer.h@6474c204b198 (annotated)
content/base/public/nsTreeSanitizer.h
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | |
| michael@0 | 5 | #ifndef nsTreeSanitizer_h_ |
| michael@0 | 6 | #define nsTreeSanitizer_h_ |
| michael@0 | 7 | |
| michael@0 | 8 | #include "mozilla/css/StyleRule.h" |
| michael@0 | 9 | #include "nsIPrincipal.h" |
| michael@0 | 10 | #include "mozilla/dom/Element.h" |
| michael@0 | 11 | |
| michael@0 | 12 | class nsIContent; |
| michael@0 | 13 | |
| michael@0 | 14 | /** |
| michael@0 | 15 | * See the documentation of nsIParserUtils::sanitize for documentation |
| michael@0 | 16 | * about the default behavior and the configuration options of this sanitizer. |
| michael@0 | 17 | */ |
| michael@0 | 18 | class MOZ_STACK_CLASS nsTreeSanitizer { |
| michael@0 | 19 | |
| michael@0 | 20 | public: |
| michael@0 | 21 | |
| michael@0 | 22 | /** |
| michael@0 | 23 | * The constructor. |
| michael@0 | 24 | * |
| michael@0 | 25 | * @param aFlags Flags from nsIParserUtils |
| michael@0 | 26 | */ |
| michael@0 | 27 | nsTreeSanitizer(uint32_t aFlags = 0); |
| michael@0 | 28 | |
| michael@0 | 29 | static void InitializeStatics(); |
| michael@0 | 30 | static void ReleaseStatics(); |
| michael@0 | 31 | |
| michael@0 | 32 | /** |
| michael@0 | 33 | * Sanitizes a disconnected DOM fragment freshly obtained from a parser. |
| michael@0 | 34 | * The argument must be of type nsINode::eDOCUMENT_FRAGMENT and, |
| michael@0 | 35 | * consequently, must not be in the document. Furthermore, the fragment |
| michael@0 | 36 | * must have just come from a parser so that it can't have mutation |
| michael@0 | 37 | * event listeners set on it. |
| michael@0 | 38 | */ |
| michael@0 | 39 | void Sanitize(nsIContent* aFragment); |
| michael@0 | 40 | |
| michael@0 | 41 | /** |
| michael@0 | 42 | * Sanitizes a disconnected (not in a docshell) document freshly obtained |
| michael@0 | 43 | * from a parser. The document must not be embedded in a docshell and must |
| michael@0 | 44 | * not have had a chance to get mutation event listeners attached to it. |
| michael@0 | 45 | * The root element must be <html>. |
| michael@0 | 46 | */ |
| michael@0 | 47 | void Sanitize(nsIDocument* aDocument); |
| michael@0 | 48 | |
| michael@0 | 49 | private: |
| michael@0 | 50 | |
| michael@0 | 51 | /** |
| michael@0 | 52 | * Whether <style> and style="" are allowed. |
| michael@0 | 53 | */ |
| michael@0 | 54 | bool mAllowStyles; |
| michael@0 | 55 | |
| michael@0 | 56 | /** |
| michael@0 | 57 | * Whether comment nodes are allowed. |
| michael@0 | 58 | */ |
| michael@0 | 59 | bool mAllowComments; |
| michael@0 | 60 | |
| michael@0 | 61 | /** |
| michael@0 | 62 | * Whether HTML <font>, <center>, bgcolor="", etc., are dropped. |
| michael@0 | 63 | */ |
| michael@0 | 64 | bool mDropNonCSSPresentation; |
| michael@0 | 65 | |
| michael@0 | 66 | /** |
| michael@0 | 67 | * Whether to remove forms and form controls (excluding fieldset/legend). |
| michael@0 | 68 | */ |
| michael@0 | 69 | bool mDropForms; |
| michael@0 | 70 | |
| michael@0 | 71 | /** |
| michael@0 | 72 | * Whether only cid: embeds are allowed. |
| michael@0 | 73 | */ |
| michael@0 | 74 | bool mCidEmbedsOnly; |
| michael@0 | 75 | |
| michael@0 | 76 | /** |
| michael@0 | 77 | * Whether to drop <img>, <video>, <audio> and <svg>. |
| michael@0 | 78 | */ |
| michael@0 | 79 | bool mDropMedia; |
| michael@0 | 80 | |
| michael@0 | 81 | /** |
| michael@0 | 82 | * Whether we are sanitizing a full document (as opposed to a fragment). |
| michael@0 | 83 | */ |
| michael@0 | 84 | bool mFullDocument; |
| michael@0 | 85 | |
| michael@0 | 86 | void SanitizeChildren(nsINode* aRoot); |
| michael@0 | 87 | |
| michael@0 | 88 | /** |
| michael@0 | 89 | * Queries if an element must be replaced with its children. |
| michael@0 | 90 | * @param aNamespace the namespace of the element the question is about |
| michael@0 | 91 | * @param aLocal the local name of the element the question is about |
| michael@0 | 92 | * @return true if the element must be replaced with its children and |
| michael@0 | 93 | * false if the element is to be kept |
| michael@0 | 94 | */ |
| michael@0 | 95 | bool MustFlatten(int32_t aNamespace, nsIAtom* aLocal); |
| michael@0 | 96 | |
| michael@0 | 97 | /** |
| michael@0 | 98 | * Queries if an element including its children must be removed. |
| michael@0 | 99 | * @param aNamespace the namespace of the element the question is about |
| michael@0 | 100 | * @param aLocal the local name of the element the question is about |
| michael@0 | 101 | * @param aElement the element node itself for inspecting attributes |
| michael@0 | 102 | * @return true if the element and its children must be removed and |
| michael@0 | 103 | * false if the element is to be kept |
| michael@0 | 104 | */ |
| michael@0 | 105 | bool MustPrune(int32_t aNamespace, |
| michael@0 | 106 | nsIAtom* aLocal, |
| michael@0 | 107 | mozilla::dom::Element* aElement); |
| michael@0 | 108 | |
| michael@0 | 109 | /** |
| michael@0 | 110 | * Checks if a given local name (for an attribute) is on the given list |
| michael@0 | 111 | * of URL attribute names. |
| michael@0 | 112 | * @param aURLs the list of URL attribute names |
| michael@0 | 113 | * @param aLocalName the name to search on the list |
| michael@0 | 114 | * @return true if aLocalName is on the aURLs list and false otherwise |
| michael@0 | 115 | */ |
| michael@0 | 116 | bool IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName); |
| michael@0 | 117 | |
| michael@0 | 118 | /** |
| michael@0 | 119 | * Removes dangerous attributes from the element. If the style attribute |
| michael@0 | 120 | * is allowed, its value is sanitized. The values of URL attributes are |
| michael@0 | 121 | * sanitized, except src isn't sanitized when it is allowed to remain |
| michael@0 | 122 | * potentially dangerous. |
| michael@0 | 123 | * |
| michael@0 | 124 | * @param aElement the element whose attributes should be sanitized |
| michael@0 | 125 | * @param aAllowed the whitelist of permitted local names to use |
| michael@0 | 126 | * @param aURLs the local names of URL-valued attributes |
| michael@0 | 127 | * @param aAllowXLink whether XLink attributes are allowed |
| michael@0 | 128 | * @param aAllowStyle whether the style attribute is allowed |
| michael@0 | 129 | * @param aAllowDangerousSrc whether to leave the value of the src |
| michael@0 | 130 | * attribute unsanitized |
| michael@0 | 131 | */ |
| michael@0 | 132 | void SanitizeAttributes(mozilla::dom::Element* aElement, |
| michael@0 | 133 | nsTHashtable<nsISupportsHashKey>* aAllowed, |
| michael@0 | 134 | nsIAtom*** aURLs, |
| michael@0 | 135 | bool aAllowXLink, |
| michael@0 | 136 | bool aAllowStyle, |
| michael@0 | 137 | bool aAllowDangerousSrc); |
| michael@0 | 138 | |
| michael@0 | 139 | /** |
| michael@0 | 140 | * Remove the named URL attribute from the element if the URL fails a |
| michael@0 | 141 | * security check. |
| michael@0 | 142 | * |
| michael@0 | 143 | * @param aElement the element whose attribute to possibly modify |
| michael@0 | 144 | * @param aNamespace the namespace of the URL attribute |
| michael@0 | 145 | * @param aLocalName the local name of the URL attribute |
| michael@0 | 146 | * @return true if the attribute was removed and false otherwise |
| michael@0 | 147 | */ |
| michael@0 | 148 | bool SanitizeURL(mozilla::dom::Element* aElement, |
| michael@0 | 149 | int32_t aNamespace, |
| michael@0 | 150 | nsIAtom* aLocalName); |
| michael@0 | 151 | |
| michael@0 | 152 | /** |
| michael@0 | 153 | * Checks a style rule for the presence of the 'binding' CSS property and |
| michael@0 | 154 | * removes that property from the rule and reserializes in case the |
| michael@0 | 155 | * property was found. |
| michael@0 | 156 | * |
| michael@0 | 157 | * @param aRule The style rule to check |
| michael@0 | 158 | * @param aRuleText the serialized mutated rule if the method returns true |
| michael@0 | 159 | * @return true if the rule was modified and false otherwise |
| michael@0 | 160 | */ |
| michael@0 | 161 | bool SanitizeStyleRule(mozilla::css::StyleRule* aRule, |
| michael@0 | 162 | nsAutoString &aRuleText); |
| michael@0 | 163 | |
| michael@0 | 164 | /** |
| michael@0 | 165 | * Parses a style sheet and reserializes it with the 'binding' property |
| michael@0 | 166 | * removed if it was present. |
| michael@0 | 167 | * |
| michael@0 | 168 | * @param aOrigin the original style sheet source |
| michael@0 | 169 | * @param aSanitized the reserialization without 'binding'; only valid if |
| michael@0 | 170 | * this method return true |
| michael@0 | 171 | * @param aDocument the document the style sheet belongs to |
| michael@0 | 172 | * @param aBaseURI the base URI to use |
| michael@0 | 173 | * @return true if the 'binding' property was encountered and false |
| michael@0 | 174 | * otherwise |
| michael@0 | 175 | */ |
| michael@0 | 176 | bool SanitizeStyleSheet(const nsAString& aOriginal, |
| michael@0 | 177 | nsAString& aSanitized, |
| michael@0 | 178 | nsIDocument* aDocument, |
| michael@0 | 179 | nsIURI* aBaseURI); |
| michael@0 | 180 | |
| michael@0 | 181 | /** |
| michael@0 | 182 | * Removes all attributes from an element node. |
| michael@0 | 183 | */ |
| michael@0 | 184 | void RemoveAllAttributes(nsIContent* aElement); |
| michael@0 | 185 | |
| michael@0 | 186 | /** |
| michael@0 | 187 | * The whitelist of HTML elements. |
| michael@0 | 188 | */ |
| michael@0 | 189 | static nsTHashtable<nsISupportsHashKey>* sElementsHTML; |
| michael@0 | 190 | |
| michael@0 | 191 | /** |
| michael@0 | 192 | * The whitelist of non-presentational HTML attributes. |
| michael@0 | 193 | */ |
| michael@0 | 194 | static nsTHashtable<nsISupportsHashKey>* sAttributesHTML; |
| michael@0 | 195 | |
| michael@0 | 196 | /** |
| michael@0 | 197 | * The whitelist of presentational HTML attributes. |
| michael@0 | 198 | */ |
| michael@0 | 199 | static nsTHashtable<nsISupportsHashKey>* sPresAttributesHTML; |
| michael@0 | 200 | |
| michael@0 | 201 | /** |
| michael@0 | 202 | * The whitelist of SVG elements. |
| michael@0 | 203 | */ |
| michael@0 | 204 | static nsTHashtable<nsISupportsHashKey>* sElementsSVG; |
| michael@0 | 205 | |
| michael@0 | 206 | /** |
| michael@0 | 207 | * The whitelist of SVG attributes. |
| michael@0 | 208 | */ |
| michael@0 | 209 | static nsTHashtable<nsISupportsHashKey>* sAttributesSVG; |
| michael@0 | 210 | |
| michael@0 | 211 | /** |
| michael@0 | 212 | * The whitelist of SVG elements. |
| michael@0 | 213 | */ |
| michael@0 | 214 | static nsTHashtable<nsISupportsHashKey>* sElementsMathML; |
| michael@0 | 215 | |
| michael@0 | 216 | /** |
| michael@0 | 217 | * The whitelist of MathML attributes. |
| michael@0 | 218 | */ |
| michael@0 | 219 | static nsTHashtable<nsISupportsHashKey>* sAttributesMathML; |
| michael@0 | 220 | |
| michael@0 | 221 | /** |
| michael@0 | 222 | * Reusable null principal for URL checks. |
| michael@0 | 223 | */ |
| michael@0 | 224 | static nsIPrincipal* sNullPrincipal; |
| michael@0 | 225 | }; |
| michael@0 | 226 | |
| michael@0 | 227 | #endif // nsTreeSanitizer_h_ |
