search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1852740: add tests for the `fetchpriority` attribute in Link headers. r=necko...
[gecko.git] / dom / base / nsTreeSanitizer.h
blobed1c49c60ca523e73c10bd5b3fd7c26a1453a3d8
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #ifndef nsTreeSanitizer_h_
6 #define nsTreeSanitizer_h_
7
8 #include "nsAtom.h"
9 #include "nsHashKeys.h"
10 #include "nsHashtablesFwd.h"
11 #include "nsIPrincipal.h"
12 #include "nsTArray.h"
13 #include "nsTHashSet.h"
14 #include "mozilla/UniquePtr.h"
15 #include "mozilla/dom/NameSpaceConstants.h"
16 #include "mozilla/dom/SanitizerBinding.h"
17
18 class nsIContent;
19 class nsIGlobalObject;
20 class nsINode;
21
22 namespace mozilla {
23 class DeclarationBlock;
24 class ErrorResult;
25 enum class StyleSanitizationKind : uint8_t;
26 } // namespace mozilla
27
28 namespace mozilla::dom {
29 class DocumentFragment;
30 class Element;
31 class OwningStringOrSanitizerElementNameNamespace;
32 struct SanitizerAttribute;
33 } // namespace mozilla::dom
34
35 /**
36 * See the documentation of nsIParserUtils::sanitize for documentation
37 * about the default behavior and the configuration options of this sanitizer.
38 */
39 class nsTreeSanitizer {
40 public:
41 /**
42 * The constructor.
43 *
44 * @param aFlags Flags from nsIParserUtils
45 */
46 explicit nsTreeSanitizer(uint32_t aFlags = 0);
47
48 static void InitializeStatics();
49 static void ReleaseStatics();
50
51 /**
52 * Sanitizes a disconnected DOM fragment freshly obtained from a parser.
53 * The fragment must have just come from a parser so that it can't have
54 * mutation event listeners set on it.
55 */
56 void Sanitize(mozilla::dom::DocumentFragment* aFragment);
57
58 /**
59 * Sanitizes a disconnected (not in a docshell) document freshly obtained
60 * from a parser. The document must not be embedded in a docshell and must
61 * not have had a chance to get mutation event listeners attached to it.
62 * The root element must be <html>.
63 */
64 void Sanitize(mozilla::dom::Document* aDocument);
65
66 /**
67 * Provides additional options for usage from the Web Sanitizer API
68 * which allows modifying the allow-list from above
69 */
70 void WithWebSanitizerOptions(nsIGlobalObject* aGlobal,
71 const mozilla::dom::SanitizerConfig& aOptions,
72 mozilla::ErrorResult& aRv);
73
74 /**
75 * Removes conditional CSS from this subtree.
76 */
77 static void RemoveConditionalCSSFromSubtree(nsINode* aRoot);
78
79 private:
80 /**
81 * Whether <style> and style="" are allowed.
82 */
83 bool mAllowStyles;
84
85 /**
86 * Whether comment nodes are allowed.
87 */
88 bool mAllowComments;
89
90 /**
91 * Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
92 */
93 bool mDropNonCSSPresentation;
94
95 /**
96 * Whether to remove forms and form controls (excluding fieldset/legend).
97 */
98 bool mDropForms;
99
100 /**
101 * Whether only cid: embeds are allowed.
102 */
103 bool mCidEmbedsOnly;
104
105 /**
106 * Whether to drop <img>, <video>, <audio> and <svg>.
107 */
108 bool mDropMedia;
109
110 /**
111 * Whether we are sanitizing a full document (as opposed to a fragment).
112 */
113 bool mFullDocument;
114
115 /**
116 * Whether we should notify to the console for anything that's stripped.
117 */
118 bool mLogRemovals;
119
120 // WindowID used for logging removals.
121 uint64_t mInnerWindowID = 0;
122
123 /**
124 * We have various tables of static atoms for elements and attributes.
125 */
126 class AtomsTable : public nsTHashSet<const nsStaticAtom*> {
127 public:
128 explicit AtomsTable(uint32_t aLength)
129 : nsTHashSet<const nsStaticAtom*>(aLength) {}
130
131 bool Contains(nsAtom* aAtom) {
132 // Because this table only contains static atoms, if aAtom isn't
133 // static we can immediately fail.
134 return aAtom->IsStatic() && GetEntry(aAtom->AsStatic());
135 }
136 };
137
138 // The name of an element combined with its namespace.
139 class NamespaceAtom : public PLDHashEntryHdr {
140 public:
141 using KeyType = const NamespaceAtom&;
142 using KeyTypePointer = const NamespaceAtom*;
143
144 explicit NamespaceAtom(KeyTypePointer aKey)
145 : mNamespaceID(aKey->mNamespaceID), mLocalName(aKey->mLocalName) {}
146 NamespaceAtom(int32_t aNamespaceID, RefPtr<nsAtom> aLocalName)
147 : mNamespaceID(aNamespaceID), mLocalName(std::move(aLocalName)) {}
148 NamespaceAtom(NamespaceAtom&&) = default;
149 ~NamespaceAtom() = default;
150
151 bool KeyEquals(KeyTypePointer aKey) const {
152 return mNamespaceID == aKey->mNamespaceID &&
153 mLocalName == aKey->mLocalName;
154 }
155
156 static KeyTypePointer KeyToPointer(KeyType aKey) { return &aKey; }
157 static PLDHashNumber HashKey(KeyTypePointer aKey) {
158 if (!aKey) {
159 return 0;
160 }
161
162 return mozilla::HashGeneric(aKey->mNamespaceID, aKey->mLocalName.get());
163 }
164
165 enum { ALLOW_MEMMOVE = true };
166
167 private:
168 int32_t mNamespaceID = kNameSpaceID_None;
169 RefPtr<nsAtom> mLocalName;
170 };
171
172 using ElementName = NamespaceAtom;
173 using AttributeName = NamespaceAtom;
174
175 using ElementNameSet = nsTHashSet<ElementName>;
176 // nullptr value (ElementNameSet) means all elements (*).
177 using AttributesToElementsMap =
178 nsTHashMap<AttributeName, mozilla::UniquePtr<ElementNameSet>>;
179
180 void SanitizeChildren(nsINode* aRoot);
181
182 /**
183 * Queries if an element must be replaced with its children.
184 * @param aNamespace the namespace of the element the question is about
185 * @param aLocal the local name of the element the question is about
186 * @return true if the element must be replaced with its children and
187 * false if the element is to be kept
188 */
189 bool MustFlatten(int32_t aNamespace, nsAtom* aLocal);
190 bool MustFlattenForSanitizerAPI(int32_t aNamespace, nsAtom* aLocal);
191
192 /**
193 * Queries if an element including its children must be removed.
194 * @param aNamespace the namespace of the element the question is about
195 * @param aLocal the local name of the element the question is about
196 * @param aElement the element node itself for inspecting attributes
197 * @return true if the element and its children must be removed and
198 * false if the element is to be kept
199 */
200 bool MustPrune(int32_t aNamespace, nsAtom* aLocal,
201 mozilla::dom::Element* aElement);
202 bool MustPruneForSanitizerAPI(int32_t aNamespace, nsAtom* aLocal,
203 mozilla::dom::Element* aElement);
204
205 /**
206 * Checks if a given local name (for an attribute) is on the given list
207 * of URL attribute names.
208 * @param aURLs the list of URL attribute names
209 * @param aLocalName the name to search on the list
210 * @return true if aLocalName is on the aURLs list and false otherwise
211 */
212 bool IsURL(const nsStaticAtom* const* aURLs, nsAtom* aLocalName);
213
214 /**
215 * Struct for what attributes and their values are allowed.
216 */
217 struct AllowedAttributes {
218 // The whitelist of permitted local names to use.
219 AtomsTable* mNames = nullptr;
220 // The local names of URL-valued attributes for URL checking.
221 const nsStaticAtom* const* mURLs = nullptr;
222 // Whether XLink attributes are allowed.
223 bool mXLink = false;
224 // Whether the style attribute is allowed.
225 bool mStyle = false;
226 // Whether to leave the value of the src attribute unsanitized.
227 bool mDangerousSrc = false;
228 };
229
230 /**
231 * Removes dangerous attributes from the element. If the style attribute
232 * is allowed, its value is sanitized. The values of URL attributes are
233 * sanitized, except src isn't sanitized when it is allowed to remain
234 * potentially dangerous.
235 *
236 * @param aElement the element whose attributes should be sanitized
237 * @param aAllowed options for sanitizing attributes
238 */
239 void SanitizeAttributes(mozilla::dom::Element* aElement,
240 AllowedAttributes aAllowed);
241 // Currently only used for the Sanitizer API.
242 bool MustDropAttribute(mozilla::dom::Element* aElement,
243 int32_t aAttrNamespace, nsAtom* aAttrLocalName);
244 bool MustDropFunkyAttribute(mozilla::dom::Element* aElement,
245 int32_t aAttrNamespace, nsAtom* aAttrLocalName);
246
247 /**
248 * Remove the named URL attribute from the element if the URL fails a
249 * security check.
250 *
251 * @param aElement the element whose attribute to possibly modify
252 * @param aNamespace the namespace of the URL attribute
253 * @param aLocalName the local name of the URL attribute
254 * @param aFragmentsOnly allows same-document references only
255 * @return true if the attribute was removed and false otherwise
256 */
257 bool SanitizeURL(mozilla::dom::Element* aElement, int32_t aNamespace,
258 nsAtom* aLocalName, bool aFragmentsOnly = false);
259
260 /**
261 * Checks a style rule for the presence of the 'binding' CSS property and
262 * removes that property from the rule.
263 *
264 * @param aDeclaration The style declaration to check
265 * @return true if the rule was modified and false otherwise
266 */
267 bool SanitizeStyleDeclaration(mozilla::DeclarationBlock* aDeclaration);
268
269 /**
270 * Sanitizes an inline style element (an HTML or SVG <style>).
271 *
272 * Returns whether the style has changed.
273 */
274 static bool SanitizeInlineStyle(mozilla::dom::Element*,
275 mozilla::StyleSanitizationKind);
276
277 /**
278 * Removes all attributes from an element node.
279 */
280 static void RemoveAllAttributes(mozilla::dom::Element* aElement);
281
282 /**
283 * Removes all attributes from the descendants of an element but not from
284 * the element itself.
285 */
286 static void RemoveAllAttributesFromDescendants(mozilla::dom::Element*);
287
288 static bool MatchesElementName(ElementNameSet& aNames, int32_t aNamespace,
289 nsAtom* aLocalName);
290 static bool MatchesAttributeMatchList(AttributesToElementsMap& aMatchList,
291 mozilla::dom::Element& aElement,
292 int32_t aAttrNamespace,
293 nsAtom* aAttrLocalName);
294
295 static mozilla::UniquePtr<ElementNameSet> ConvertElements(
296 const nsTArray<mozilla::dom::OwningStringOrSanitizerElementNamespace>&
297 aElements,
298 mozilla::ErrorResult& aRv);
299
300 static mozilla::UniquePtr<ElementNameSet> ConvertElements(
301 const mozilla::dom::OwningStarOrStringOrSanitizerElementNamespaceSequence&
302 aElements,
303 mozilla::ErrorResult& aRv);
304
305 static mozilla::UniquePtr<AttributesToElementsMap> ConvertAttributes(
306 const nsTArray<mozilla::dom::SanitizerAttribute>& aAttributes,
307 mozilla::ErrorResult& aRv);
308
309 /**
310 * Log a Console Service message to indicate we removed something.
311 * If you pass an element and/or attribute, their information will
312 * be appended to the message.
313 *
314 * @param aMessage the basic message to log.
315 * @param aDocument the base document we're modifying
316 * (used for the error message)
317 * @param aElement optional, the element being removed or modified.
318 * @param aAttribute optional, the attribute being removed or modified.
319 */
320 void LogMessage(const char* aMessage, mozilla::dom::Document* aDoc,
321 mozilla::dom::Element* aElement = nullptr,
322 nsAtom* aAttr = nullptr);
323
324 /**
325 * The whitelist of HTML elements.
326 */
327 static AtomsTable* sElementsHTML;
328
329 /**
330 * The whitelist of non-presentational HTML attributes.
331 */
332 static AtomsTable* sAttributesHTML;
333
334 /**
335 * The whitelist of presentational HTML attributes.
336 */
337 static AtomsTable* sPresAttributesHTML;
338
339 /**
340 * The whitelist of SVG elements.
341 */
342 static AtomsTable* sElementsSVG;
343
344 /**
345 * The whitelist of SVG attributes.
346 */
347 static AtomsTable* sAttributesSVG;
348
349 /**
350 * The whitelist of SVG elements.
351 */
352 static AtomsTable* sElementsMathML;
353
354 /**
355 * The whitelist of MathML attributes.
356 */
357 static AtomsTable* sAttributesMathML;
358
359 /**
360 * The built-in baseline attribute allow list used by the Sanitizer API.
361 */
362 static AtomsTable* sBaselineAttributeAllowlist;
363
364 /**
365 * The built-in baseline element allow list used by the Sanitizer API.
366 */
367 static AtomsTable* sBaselineElementAllowlist;
368
369 /**
370 * The default configuration's attribute allow list used by the Sanitizer API.
371 */
372 static AtomsTable* sDefaultConfigurationAttributeAllowlist;
373
374 /**
375 * The default configuration's element allow list used by the Sanitizer API.
376 */
377 static AtomsTable* sDefaultConfigurationElementAllowlist;
378
379 /**
380 * Reusable null principal for URL checks.
381 */
382 static nsIPrincipal* sNullPrincipal;
383
384 // === Variables used to implement HTML Sanitizer API. ==
385
386 // This nsTreeSanitizer instance should behave like the Sanitizer API.
387 bool mIsForSanitizerAPI = false;
388
389 bool mAllowCustomElements = false;
390 bool mAllowUnknownMarkup = false;
391
392 // An allow-list of elements to keep.
393 mozilla::UniquePtr<ElementNameSet> mAllowElements;
394
395 // A deny-list of elements to block. (aka flatten)
396 mozilla::UniquePtr<ElementNameSet> mBlockElements;
397
398 // A deny-list of elements to drop. (aka prune)
399 mozilla::UniquePtr<ElementNameSet> mDropElements;
400
401 // An allow-list of attributes to keep.
402 mozilla::UniquePtr<AttributesToElementsMap> mAllowAttributes;
403
404 // A deny-list of attributes to drop.
405 mozilla::UniquePtr<AttributesToElementsMap> mDropAttributes;
406 };
407
408 #endif // nsTreeSanitizer_h_