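--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/public/nsTreeSanitizer.h Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,227 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsTreeSanitizer_h_
+#define nsTreeSanitizer_h_
+
+#include "mozilla/css/StyleRule.h"
+#include "nsIPrincipal.h"
+#include "mozilla/dom/Element.h"
+
+class nsIContent;
+
+/**
+ * See the documentation of nsIParserUtils::sanitize for documentation
+ * about the default behavior and the configuration options of this sanitizer.
+ */
+class MOZ_STACK_CLASS nsTreeSanitizer {
+
+ public:
+
+ /**
+ * The constructor.
+ *
+ * @param aFlags Flags from nsIParserUtils
+ */
+ nsTreeSanitizer(uint32_t aFlags = 0);
+
+ static void InitializeStatics();
+ static void ReleaseStatics();
+
+ /**
+ * Sanitizes a disconnected DOM fragment freshly obtained from a parser.
+ * The argument must be of type nsINode::eDOCUMENT_FRAGMENT and,
+ * consequently, must not be in the document. Furthermore, the fragment
+ * must have just come from a parser so that it can't have mutation
+ * event listeners set on it.
+ */
+ void Sanitize(nsIContent* aFragment);
+
+ /**
+ * Sanitizes a disconnected (not in a docshell) document freshly obtained
+ * from a parser. The document must not be embedded in a docshell and must
+ * not have had a chance to get mutation event listeners attached to it.
+ * The root element must be <html>.
+ */
+ void Sanitize(nsIDocument* aDocument);
+
+ private:
+
+ /**
+ * Whether <style> and style="" are allowed.
+ */
+ bool mAllowStyles;
+
+ /**
+ * Whether comment nodes are allowed.
+ */
+ bool mAllowComments;
+
+ /**
+ * Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
+ */
+ bool mDropNonCSSPresentation;
+
+ /**
+ * Whether to remove forms and form controls (excluding fieldset/legend).
+ */
+ bool mDropForms;
+
+ /**
+ * Whether only cid: embeds are allowed.
+ */
+ bool mCidEmbedsOnly;
+
+ /**
+ * Whether to drop <img>, <video>, <audio> and <svg>.
+ */
+ bool mDropMedia;
+
+ /**
+ * Whether we are sanitizing a full document (as opposed to a fragment).
+ */
+ bool mFullDocument;
+
+ void SanitizeChildren(nsINode* aRoot);
+
+ /**
+ * Queries if an element must be replaced with its children.
+ * @param aNamespace the namespace of the element the question is about
+ * @param aLocal the local name of the element the question is about
+ * @return true if the element must be replaced with its children and
+ * false if the element is to be kept
+ */
+ bool MustFlatten(int32_t aNamespace, nsIAtom* aLocal);
+
+ /**
+ * Queries if an element including its children must be removed.
+ * @param aNamespace the namespace of the element the question is about
+ * @param aLocal the local name of the element the question is about
+ * @param aElement the element node itself for inspecting attributes
+ * @return true if the element and its children must be removed and
+ * false if the element is to be kept
+ */
+ bool MustPrune(int32_t aNamespace,
+ nsIAtom* aLocal,
+ mozilla::dom::Element* aElement);
+
+ /**
+ * Checks if a given local name (for an attribute) is on the given list
+ * of URL attribute names.
+ * @param aURLs the list of URL attribute names
+ * @param aLocalName the name to search on the list
+ * @return true if aLocalName is on the aURLs list and false otherwise
+ */
+ bool IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName);
+
+ /**
+ * Removes dangerous attributes from the element. If the style attribute
+ * is allowed, its value is sanitized. The values of URL attributes are
+ * sanitized, except src isn't sanitized when it is allowed to remain
+ * potentially dangerous.
+ *
+ * @param aElement the element whose attributes should be sanitized
+ * @param aAllowed the whitelist of permitted local names to use
+ * @param aURLs the local names of URL-valued attributes
+ * @param aAllowXLink whether XLink attributes are allowed
+ * @param aAllowStyle whether the style attribute is allowed
+ * @param aAllowDangerousSrc whether to leave the value of the src
+ * attribute unsanitized
+ */
+ void SanitizeAttributes(mozilla::dom::Element* aElement,
+ nsTHashtable<nsISupportsHashKey>* aAllowed,
+ nsIAtom*** aURLs,
+ bool aAllowXLink,
+ bool aAllowStyle,
+ bool aAllowDangerousSrc);
+
+ /**
+ * Remove the named URL attribute from the element if the URL fails a
+ * security check.
+ *
+ * @param aElement the element whose attribute to possibly modify
+ * @param aNamespace the namespace of the URL attribute
+ * @param aLocalName the local name of the URL attribute
+ * @return true if the attribute was removed and false otherwise
+ */
+ bool SanitizeURL(mozilla::dom::Element* aElement,
+ int32_t aNamespace,
+ nsIAtom* aLocalName);
+
+ /**
+ * Checks a style rule for the presence of the 'binding' CSS property and
+ * removes that property from the rule and reserializes in case the
+ * property was found.
+ *
+ * @param aRule The style rule to check
+ * @param aRuleText the serialized mutated rule if the method returns true
+ * @return true if the rule was modified and false otherwise
+ */
+ bool SanitizeStyleRule(mozilla::css::StyleRule* aRule,
+ nsAutoString &aRuleText);
+
+ /**
+ * Parses a style sheet and reserializes it with the 'binding' property
+ * removed if it was present.
+ *
+ * @param aOrigin the original style sheet source
+ * @param aSanitized the reserialization without 'binding'; only valid if
+ * this method return true
+ * @param aDocument the document the style sheet belongs to
+ * @param aBaseURI the base URI to use
+ * @return true if the 'binding' property was encountered and false
+ * otherwise
+ */
+ bool SanitizeStyleSheet(const nsAString& aOriginal,
+ nsAString& aSanitized,
+ nsIDocument* aDocument,
+ nsIURI* aBaseURI);
+
+ /**
+ * Removes all attributes from an element node.
+ */
+ void RemoveAllAttributes(nsIContent* aElement);
+
+ /**
+ * The whitelist of HTML elements.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sElementsHTML;
+
+ /**
+ * The whitelist of non-presentational HTML attributes.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sAttributesHTML;
+
+ /**
+ * The whitelist of presentational HTML attributes.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sPresAttributesHTML;
+
+ /**
+ * The whitelist of SVG elements.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sElementsSVG;
+
+ /**
+ * The whitelist of SVG attributes.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sAttributesSVG;
+
+ /**
+ * The whitelist of SVG elements.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sElementsMathML;
+
+ /**
+ * The whitelist of MathML attributes.
+ */
+ static nsTHashtable<nsISupportsHashKey>* sAttributesMathML;
+
+ /**
+ * Reusable null principal for URL checks.
+ */
+ static nsIPrincipal* sNullPrincipal;
+};
+
+#endif // nsTreeSanitizer_h_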
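Review bot: The comment above `sElementsMathML` repeats the SVG text (`The whitelist of SVG elements.` appears a second time in the static-member list); because these tables decide which elements survive sanitization, it should read `The whitelist of MathML elements.`. In the `SanitizeStyleSheet` doc block, `@param aOrigin` does not match the declared parameter `aOriginal`, and "this method return true" should be "returns true". The single-argument constructor could also be declared `explicit nsTreeSanitizer(uint32_t aFlags = 0);` so a bare flags integer never converts silently into a sanitizer. The definitions are outside this header, so whether the documented preconditions of `Sanitize()` (disconnected input, no mutation event listeners) are asserted anywhere cannot be judged from here.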