tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

nsTreeSanitizer.h (8069B)

      1 /* This Source Code Form is subject to the terms of the Mozilla Public
      2 * License, v. 2.0. If a copy of the MPL was not distributed with this
      3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      4 
      5 #ifndef nsTreeSanitizer_h_
      6 #define nsTreeSanitizer_h_
      7 
      8 #include "mozilla/dom/NameSpaceConstants.h"
      9 #include "mozilla/dom/StaticAtomSet.h"
     10 #include "nsAtom.h"
     11 #include "nsHashKeys.h"
     12 #include "nsHashtablesFwd.h"
     13 #include "nsIPrincipal.h"
     14 #include "nsTArray.h"
     15 
     16 class nsIContent;
     17 class nsIGlobalObject;
     18 class nsINode;
     19 
     20 namespace mozilla {
     21 class DeclarationBlock;
     22 class ErrorResult;
     23 enum class StyleSanitizationKind : uint8_t;
     24 }  // namespace mozilla
     25 
     26 namespace mozilla::dom {
     27 class DocumentFragment;
     28 class Element;
     29 }  // namespace mozilla::dom
     30 
     31 /**
     32 * See the documentation of nsIParserUtils::sanitize for documentation
     33 * about the default behavior and the configuration options of this sanitizer.
     34 */
     35 class nsTreeSanitizer {
     36 public:
     37  /**
     38   * The constructor.
     39   *
     40   * @param aFlags Flags from nsIParserUtils
     41   */
     42  explicit nsTreeSanitizer(uint32_t aFlags = 0);
     43 
     44  static void InitializeStatics();
     45  static void ReleaseStatics();
     46 
     47  /**
     48   * Sanitizes a disconnected DOM fragment freshly obtained from a parser.
     49   * The fragment must have just come from a parser so that it can't have
     50   * mutation event listeners set on it.
     51   */
     52  void Sanitize(mozilla::dom::DocumentFragment* aFragment);
     53 
     54  /**
     55   * Sanitizes a disconnected (not in a docshell) document freshly obtained
     56   * from a parser. The document must not be embedded in a docshell and must
     57   * not have had a chance to get mutation event listeners attached to it.
     58   * The root element must be <html>.
     59   */
     60  void Sanitize(mozilla::dom::Document* aDocument);
     61 
     62  /**
     63   * Removes conditional CSS from this subtree.
     64   */
     65  static void RemoveConditionalCSSFromSubtree(nsINode* aRoot);
     66 
     67 private:
     68  /**
     69   * Whether <style> and style="" are allowed.
     70   */
     71  bool mAllowStyles;
     72 
     73  /**
     74   * Whether comment nodes are allowed.
     75   */
     76  bool mAllowComments;
     77 
     78  /**
     79   * Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
     80   */
     81  bool mDropNonCSSPresentation;
     82 
     83  /**
     84   * Whether to remove forms and form controls (excluding fieldset/legend).
     85   */
     86  bool mDropForms;
     87 
     88  /**
     89   * Whether only cid: embeds are allowed.
     90   */
     91  bool mCidEmbedsOnly;
     92 
     93  /**
     94   * Whether to drop <img>, <video>, <audio> and <svg>.
     95   */
     96  bool mDropMedia;
     97 
     98  /**
     99   * Whether we are sanitizing a full document (as opposed to a fragment).
    100   */
    101  bool mFullDocument;
    102 
    103  /**
    104   * Whether we should notify to the console for anything that's stripped.
    105   */
    106  bool mLogRemovals;
    107 
    108  void SanitizeChildren(nsINode* aRoot);
    109 
    110  /**
    111   * Queries if an element must be replaced with its children.
    112   * @param aNamespace the namespace of the element the question is about
    113   * @param aLocal the local name of the element the question is about
    114   * @return true if the element must be replaced with its children and
    115   *         false if the element is to be kept
    116   */
    117  bool MustFlatten(int32_t aNamespace, nsAtom* aLocal);
    118 
    119  /**
    120   * Queries if an element including its children must be removed.
    121   * @param aNamespace the namespace of the element the question is about
    122   * @param aLocal the local name of the element the question is about
    123   * @param aElement the element node itself for inspecting attributes
    124   * @return true if the element and its children must be removed and
    125   *         false if the element is to be kept
    126   */
    127  bool MustPrune(int32_t aNamespace, nsAtom* aLocal,
    128                 mozilla::dom::Element* aElement);
    129 
    130  /**
    131   * Checks if a given local name (for an attribute) is on the given list
    132   * of URL attribute names.
    133   * @param aURLs the list of URL attribute names
    134   * @param aLocalName the name to search on the list
    135   * @return true if aLocalName is on the aURLs list and false otherwise
    136   */
    137  bool IsURL(const nsStaticAtom* const* aURLs, nsAtom* aLocalName);
    138 
    139  /**
    140   * Struct for what attributes and their values are allowed.
    141   */
    142  struct AllowedAttributes {
    143    // The whitelist of permitted local names to use.
    144    mozilla::dom::StaticAtomSet* mNames = nullptr;
    145    // The local names of URL-valued attributes for URL checking.
    146    const nsStaticAtom* const* mURLs = nullptr;
    147    // Whether XLink attributes are allowed.
    148    bool mXLink = false;
    149    // Whether the style attribute is allowed.
    150    bool mStyle = false;
    151    // Whether to leave the value of the src attribute unsanitized.
    152    bool mDangerousSrc = false;
    153  };
    154 
    155  /**
    156   * Removes dangerous attributes from the element. If the style attribute
    157   * is allowed, its value is sanitized. The values of URL attributes are
    158   * sanitized, except src isn't sanitized when it is allowed to remain
    159   * potentially dangerous.
    160   *
    161   * @param aElement the element whose attributes should be sanitized
    162   * @param aAllowed options for sanitizing attributes
    163   */
    164  void SanitizeAttributes(mozilla::dom::Element* aElement,
    165                          AllowedAttributes aAllowed);
    166 
    167  /**
    168   * Remove the named URL attribute from the element if the URL fails a
    169   * security check.
    170   *
    171   * @param aElement the element whose attribute to possibly modify
    172   * @param aNamespace the namespace of the URL attribute
    173   * @param aLocalName the local name of the URL attribute
    174   * @param aFragmentsOnly allows same-document references only
    175   * @return true if the attribute was removed and false otherwise
    176   */
    177  bool SanitizeURL(mozilla::dom::Element* aElement, int32_t aNamespace,
    178                   nsAtom* aLocalName, bool aFragmentsOnly = false);
    179 
    180  /**
    181   * Checks a style rule for the presence of the 'binding' CSS property and
    182   * removes that property from the rule.
    183   *
    184   * @param aDeclaration The style declaration to check
    185   * @return true if the rule was modified and false otherwise
    186   */
    187  bool SanitizeStyleDeclaration(mozilla::DeclarationBlock* aDeclaration);
    188 
    189  /**
    190   * Sanitizes an inline style element (an HTML or SVG <style>).
    191   *
    192   * Returns whether the style has changed.
    193   */
    194  static bool SanitizeInlineStyle(mozilla::dom::Element*,
    195                                  mozilla::StyleSanitizationKind);
    196 
    197  /**
    198   * Removes all attributes from an element node.
    199   */
    200  static void RemoveAllAttributes(mozilla::dom::Element* aElement);
    201 
    202  /**
    203   * Removes all attributes from the descendants of an element but not from
    204   * the element itself.
    205   */
    206  static void RemoveAllAttributesFromDescendants(mozilla::dom::Element*);
    207 
    208  /**
    209   * Log a Console Service message to indicate we removed something.
    210   * If you pass an element and/or attribute, their information will
    211   * be appended to the message.
    212   *
    213   * @param aMessage   the basic message to log.
    214   * @param aDocument  the base document we're modifying
    215   *                   (used for the error message)
    216   * @param aElement   optional, the element being removed or modified.
    217   * @param aAttribute optional, the attribute being removed or modified.
    218   */
    219  void LogMessage(const char* aMessage, mozilla::dom::Document* aDoc,
    220                  mozilla::dom::Element* aElement = nullptr,
    221                  nsAtom* aAttr = nullptr);
    222 
    223  /**
    224   * The whitelist of HTML elements.
    225   */
    226  static mozilla::dom::StaticAtomSet* sElementsHTML;
    227 
    228  /**
    229   * The whitelist of non-presentational HTML attributes.
    230   */
    231  static mozilla::dom::StaticAtomSet* sAttributesHTML;
    232 
    233  /**
    234   * The whitelist of presentational HTML attributes.
    235   */
    236  static mozilla::dom::StaticAtomSet* sPresAttributesHTML;
    237 
    238  /**
    239   * The whitelist of SVG elements.
    240   */
    241  static mozilla::dom::StaticAtomSet* sElementsSVG;
    242 
    243  /**
    244   * The whitelist of SVG attributes.
    245   */
    246  static mozilla::dom::StaticAtomSet* sAttributesSVG;
    247 
    248  /**
    249   * The whitelist of SVG elements.
    250   */
    251  static mozilla::dom::StaticAtomSet* sElementsMathML;
    252 
    253  /**
    254   * The whitelist of MathML attributes.
    255   */
    256  static mozilla::dom::StaticAtomSet* sAttributesMathML;
    257 
    258  /**
    259   * Reusable null principal for URL checks.
    260   */
    261  static nsIPrincipal* sNullPrincipal;
    262 };
    263 
    264 #endif  // nsTreeSanitizer_h_