search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Backed out 9 changesets (bug 1846848) for causing multiple build bustages. CLOSED...
[gecko.git] / dom / base / nsTreeSanitizer.h
blobc360f03e126501bf9f8e14a351ad9063763560f6
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #ifndef nsTreeSanitizer_h_
6 #define nsTreeSanitizer_h_
7
8 #include "nsAtom.h"
9 #include "nsHashKeys.h"
10 #include "nsHashtablesFwd.h"
11 #include "nsIPrincipal.h"
12 #include "nsTArray.h"
13 #include "nsTHashSet.h"
14 #include "mozilla/Maybe.h"
15 #include "mozilla/dom/NameSpaceConstants.h"
16 #include "mozilla/dom/SanitizerBinding.h"
17
18 class nsIContent;
19 class nsIGlobalObject;
20 class nsINode;
21
22 namespace mozilla {
23 class DeclarationBlock;
24 class ErrorResult;
25 enum class StyleSanitizationKind : uint8_t;
26 } // namespace mozilla
27
28 namespace mozilla::dom {
29 class DocumentFragment;
30 class Element;
31
32 class OwningStringOrSanitizerAttributeNamespace;
33 class OwningStringOrSanitizerElementNamespace;
34 class OwningStringOrSanitizerElementNamespaceWithAttributes;
35 } // namespace mozilla::dom
36
37 /**
38 * See the documentation of nsIParserUtils::sanitize for documentation
39 * about the default behavior and the configuration options of this sanitizer.
40 */
41 class nsTreeSanitizer {
42 public:
43 /**
44 * The constructor.
45 *
46 * @param aFlags Flags from nsIParserUtils
47 */
48 explicit nsTreeSanitizer(uint32_t aFlags = 0);
49
50 static void InitializeStatics();
51 static void ReleaseStatics();
52
53 /**
54 * Sanitizes a disconnected DOM fragment freshly obtained from a parser.
55 * The fragment must have just come from a parser so that it can't have
56 * mutation event listeners set on it.
57 */
58 void Sanitize(mozilla::dom::DocumentFragment* aFragment);
59
60 /**
61 * Sanitizes a disconnected (not in a docshell) document freshly obtained
62 * from a parser. The document must not be embedded in a docshell and must
63 * not have had a chance to get mutation event listeners attached to it.
64 * The root element must be <html>.
65 */
66 void Sanitize(mozilla::dom::Document* aDocument);
67
68 /**
69 * Provides additional options for usage from the Web Sanitizer API
70 * which allows modifying the allow-list from above
71 */
72 void WithWebSanitizerOptions(nsIGlobalObject* aGlobal,
73 const mozilla::dom::SanitizerConfig& aOptions,
74 mozilla::ErrorResult& aRv);
75
76 /**
77 * Removes conditional CSS from this subtree.
78 */
79 static void RemoveConditionalCSSFromSubtree(nsINode* aRoot);
80
81 private:
82 /**
83 * Whether <style> and style="" are allowed.
84 */
85 bool mAllowStyles;
86
87 /**
88 * Whether comment nodes are allowed.
89 */
90 bool mAllowComments;
91
92 /**
93 * Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
94 */
95 bool mDropNonCSSPresentation;
96
97 /**
98 * Whether to remove forms and form controls (excluding fieldset/legend).
99 */
100 bool mDropForms;
101
102 /**
103 * Whether only cid: embeds are allowed.
104 */
105 bool mCidEmbedsOnly;
106
107 /**
108 * Whether to drop <img>, <video>, <audio> and <svg>.
109 */
110 bool mDropMedia;
111
112 /**
113 * Whether we are sanitizing a full document (as opposed to a fragment).
114 */
115 bool mFullDocument;
116
117 /**
118 * Whether we should notify to the console for anything that's stripped.
119 */
120 bool mLogRemovals;
121
122 // WindowID used for logging removals.
123 uint64_t mInnerWindowID = 0;
124
125 /**
126 * We have various tables of static atoms for elements and attributes.
127 */
128 class AtomsTable : public nsTHashSet<const nsStaticAtom*> {
129 public:
130 explicit AtomsTable(uint32_t aLength)
131 : nsTHashSet<const nsStaticAtom*>(aLength) {}
132
133 bool Contains(nsAtom* aAtom) {
134 // Because this table only contains static atoms, if aAtom isn't
135 // static we can immediately fail.
136 return aAtom->IsStatic() && GetEntry(aAtom->AsStatic());
137 }
138 };
139
140 // The name of an element combined with its namespace.
141 class NamespaceAtom : public PLDHashEntryHdr {
142 public:
143 using KeyType = const NamespaceAtom&;
144 using KeyTypePointer = const NamespaceAtom*;
145
146 explicit NamespaceAtom(KeyTypePointer aKey)
147 : mNamespaceID(aKey->mNamespaceID), mLocalName(aKey->mLocalName) {}
148 NamespaceAtom(int32_t aNamespaceID, RefPtr<nsAtom> aLocalName)
149 : mNamespaceID(aNamespaceID), mLocalName(std::move(aLocalName)) {}
150 NamespaceAtom(NamespaceAtom&&) = default;
151 ~NamespaceAtom() = default;
152
153 bool KeyEquals(KeyTypePointer aKey) const {
154 return mNamespaceID == aKey->mNamespaceID &&
155 mLocalName == aKey->mLocalName;
156 }
157
158 static KeyTypePointer KeyToPointer(KeyType aKey) { return &aKey; }
159 static PLDHashNumber HashKey(KeyTypePointer aKey) {
160 if (!aKey) {
161 return 0;
162 }
163
164 return mozilla::HashGeneric(aKey->mNamespaceID, aKey->mLocalName.get());
165 }
166
167 enum { ALLOW_MEMMOVE = true };
168
169 private:
170 int32_t mNamespaceID = kNameSpaceID_None;
171 RefPtr<nsAtom> mLocalName;
172 };
173
174 using ElementName = NamespaceAtom;
175 using AttributeName = NamespaceAtom;
176
177 using ElementNameSet = nsTHashSet<ElementName>;
178 using AttributeNameSet = nsTHashSet<AttributeName>;
179
180 class ElementWithAttributes {
181 public:
182 mozilla::Maybe<AttributeNameSet> mAttributes;
183 mozilla::Maybe<AttributeNameSet> mRemoveAttributes;
184 };
185
186 using ElementsToAttributesMap =
187 nsTHashMap<ElementName, ElementWithAttributes>;
188
189 void SanitizeChildren(nsINode* aRoot);
190
191 /**
192 * Queries if an element must be replaced with its children.
193 * @param aNamespace the namespace of the element the question is about
194 * @param aLocal the local name of the element the question is about
195 * @return true if the element must be replaced with its children and
196 * false if the element is to be kept
197 */
198 bool MustFlatten(int32_t aNamespace, nsAtom* aLocal);
199 bool MustFlattenForSanitizerAPI(int32_t aNamespace, nsAtom* aLocal);
200
201 /**
202 * Queries if an element including its children must be removed.
203 * @param aNamespace the namespace of the element the question is about
204 * @param aLocal the local name of the element the question is about
205 * @param aElement the element node itself for inspecting attributes
206 * @return true if the element and its children must be removed and
207 * false if the element is to be kept
208 */
209 bool MustPrune(int32_t aNamespace, nsAtom* aLocal,
210 mozilla::dom::Element* aElement);
211 bool MustPruneForSanitizerAPI(int32_t aNamespace, nsAtom* aLocal,
212 mozilla::dom::Element* aElement);
213
214 /**
215 * Checks if a given local name (for an attribute) is on the given list
216 * of URL attribute names.
217 * @param aURLs the list of URL attribute names
218 * @param aLocalName the name to search on the list
219 * @return true if aLocalName is on the aURLs list and false otherwise
220 */
221 bool IsURL(const nsStaticAtom* const* aURLs, nsAtom* aLocalName);
222
223 /**
224 * Struct for what attributes and their values are allowed.
225 */
226 struct AllowedAttributes {
227 // The whitelist of permitted local names to use.
228 AtomsTable* mNames = nullptr;
229 // The local names of URL-valued attributes for URL checking.
230 const nsStaticAtom* const* mURLs = nullptr;
231 // Whether XLink attributes are allowed.
232 bool mXLink = false;
233 // Whether the style attribute is allowed.
234 bool mStyle = false;
235 // Whether to leave the value of the src attribute unsanitized.
236 bool mDangerousSrc = false;
237 };
238
239 /**
240 * Removes dangerous attributes from the element. If the style attribute
241 * is allowed, its value is sanitized. The values of URL attributes are
242 * sanitized, except src isn't sanitized when it is allowed to remain
243 * potentially dangerous.
244 *
245 * @param aElement the element whose attributes should be sanitized
246 * @param aAllowed options for sanitizing attributes
247 */
248 void SanitizeAttributes(mozilla::dom::Element* aElement,
249 AllowedAttributes aAllowed);
250 // Currently only used for the Sanitizer API.
251 bool MustDropAttribute(mozilla::dom::Element* aElement,
252 int32_t aAttrNamespace, nsAtom* aAttrLocalName);
253 bool MustDropFunkyAttribute(mozilla::dom::Element* aElement,
254 int32_t aAttrNamespace, nsAtom* aAttrLocalName);
255
256 /**
257 * Remove the named URL attribute from the element if the URL fails a
258 * security check.
259 *
260 * @param aElement the element whose attribute to possibly modify
261 * @param aNamespace the namespace of the URL attribute
262 * @param aLocalName the local name of the URL attribute
263 * @param aFragmentsOnly allows same-document references only
264 * @return true if the attribute was removed and false otherwise
265 */
266 bool SanitizeURL(mozilla::dom::Element* aElement, int32_t aNamespace,
267 nsAtom* aLocalName, bool aFragmentsOnly = false);
268
269 /**
270 * Checks a style rule for the presence of the 'binding' CSS property and
271 * removes that property from the rule.
272 *
273 * @param aDeclaration The style declaration to check
274 * @return true if the rule was modified and false otherwise
275 */
276 bool SanitizeStyleDeclaration(mozilla::DeclarationBlock* aDeclaration);
277
278 /**
279 * Sanitizes an inline style element (an HTML or SVG <style>).
280 *
281 * Returns whether the style has changed.
282 */
283 static bool SanitizeInlineStyle(mozilla::dom::Element*,
284 mozilla::StyleSanitizationKind);
285
286 /**
287 * Removes all attributes from an element node.
288 */
289 static void RemoveAllAttributes(mozilla::dom::Element* aElement);
290
291 /**
292 * Removes all attributes from the descendants of an element but not from
293 * the element itself.
294 */
295 static void RemoveAllAttributesFromDescendants(mozilla::dom::Element*);
296
297 static bool MatchesElementName(ElementNameSet& aNames, int32_t aNamespace,
298 nsAtom* aLocalName);
299 static bool MatchesAttributeName(AttributeNameSet& aNames, int32_t aNamespace,
300 nsAtom* aLocalName);
301
302 static ElementNameSet ConvertElements(
303 const nsTArray<mozilla::dom::OwningStringOrSanitizerElementNamespace>&
304 aElements,
305 mozilla::ErrorResult& aRv);
306
307 static ElementsToAttributesMap ConvertElementsWithAttributes(
308 const nsTArray<
309 mozilla::dom::OwningStringOrSanitizerElementNamespaceWithAttributes>&
310 aElements,
311 mozilla::ErrorResult& aRv);
312
313 static AttributeNameSet ConvertAttributes(
314 const nsTArray<mozilla::dom::OwningStringOrSanitizerAttributeNamespace>&
315 aAttributes,
316 mozilla::ErrorResult& aRv);
317
318 /**
319 * Log a Console Service message to indicate we removed something.
320 * If you pass an element and/or attribute, their information will
321 * be appended to the message.
322 *
323 * @param aMessage the basic message to log.
324 * @param aDocument the base document we're modifying
325 * (used for the error message)
326 * @param aElement optional, the element being removed or modified.
327 * @param aAttribute optional, the attribute being removed or modified.
328 */
329 void LogMessage(const char* aMessage, mozilla::dom::Document* aDoc,
330 mozilla::dom::Element* aElement = nullptr,
331 nsAtom* aAttr = nullptr);
332
333 /**
334 * The whitelist of HTML elements.
335 */
336 static AtomsTable* sElementsHTML;
337
338 /**
339 * The whitelist of non-presentational HTML attributes.
340 */
341 static AtomsTable* sAttributesHTML;
342
343 /**
344 * The whitelist of presentational HTML attributes.
345 */
346 static AtomsTable* sPresAttributesHTML;
347
348 /**
349 * The whitelist of SVG elements.
350 */
351 static AtomsTable* sElementsSVG;
352
353 /**
354 * The whitelist of SVG attributes.
355 */
356 static AtomsTable* sAttributesSVG;
357
358 /**
359 * The whitelist of SVG elements.
360 */
361 static AtomsTable* sElementsMathML;
362
363 /**
364 * The whitelist of MathML attributes.
365 */
366 static AtomsTable* sAttributesMathML;
367
368 /**
369 * The built-in baseline attribute allow list used by the Sanitizer API.
370 */
371 static AtomsTable* sBaselineAttributeAllowlist;
372
373 /**
374 * The built-in baseline element allow list used by the Sanitizer API.
375 */
376 static AtomsTable* sBaselineElementAllowlist;
377
378 /**
379 * The default configuration's attribute allow list used by the Sanitizer API.
380 */
381 static AtomsTable* sDefaultConfigurationAttributeAllowlist;
382
383 /**
384 * The default configuration's element allow list used by the Sanitizer API.
385 */
386 static AtomsTable* sDefaultConfigurationElementAllowlist;
387
388 /**
389 * Reusable null principal for URL checks.
390 */
391 static nsIPrincipal* sNullPrincipal;
392
393 // === Variables used to implement HTML Sanitizer API. ==
394
395 // This nsTreeSanitizer instance should behave like the Sanitizer API.
396 bool mIsForSanitizerAPI = false;
397
398 bool mAllowCustomElements = false;
399 bool mAllowUnknownMarkup = false;
400
401 // An allow-list of elements to keep, with potentially associated lists of
402 // attributes to keep/remove.
403 mozilla::Maybe<ElementsToAttributesMap> mElements;
404
405 // A deny-list of elements to remove. (aka prune)
406 mozilla::Maybe<ElementNameSet> mRemoveElements;
407
408 // A deny-list of elements to replace with children. (aka flatten)
409 mozilla::Maybe<ElementNameSet> mReplaceWithChildrenElements;
410
411 // An allow-list of attributes to keep.
412 mozilla::Maybe<AttributeNameSet> mAttributes;
413
414 // A deny-list of attributes to remove.
415 mozilla::Maybe<AttributeNameSet> mRemoveAttributes;
416 };
417
418 #endif // nsTreeSanitizer_h_