summaryrefslogtreecommitdiffstats
path: root/dom/security/sanitizer
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--dom/security/sanitizer/Sanitizer.cpp203
-rw-r--r--dom/security/sanitizer/Sanitizer.h105
-rw-r--r--dom/security/sanitizer/moz.build37
-rw-r--r--dom/security/sanitizer/tests/mochitest/mochitest.ini5
-rw-r--r--dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html82
5 files changed, 432 insertions, 0 deletions
diff --git a/dom/security/sanitizer/Sanitizer.cpp b/dom/security/sanitizer/Sanitizer.cpp
new file mode 100644
index 0000000000..7a3e2b0206
--- /dev/null
+++ b/dom/security/sanitizer/Sanitizer.cpp
@@ -0,0 +1,203 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "BindingDeclarations.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/DocumentFragment.h"
+#include "mozilla/dom/SanitizerBinding.h"
+#include "nsContentUtils.h"
+#include "nsGenericHTMLElement.h"
+#include "nsTreeSanitizer.h"
+#include "Sanitizer.h"
+
+namespace mozilla {
+namespace dom {
+
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Sanitizer, mGlobal)
+
+NS_IMPL_CYCLE_COLLECTING_ADDREF(Sanitizer)
+NS_IMPL_CYCLE_COLLECTING_RELEASE(Sanitizer)
+
+NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(Sanitizer)
+ NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
+ NS_INTERFACE_MAP_ENTRY(nsISupports)
+NS_INTERFACE_MAP_END
+
+JSObject* Sanitizer::WrapObject(JSContext* aCx,
+ JS::Handle<JSObject*> aGivenProto) {
+ return Sanitizer_Binding::Wrap(aCx, this, aGivenProto);
+}
+
+/* static */
+already_AddRefed<Sanitizer> Sanitizer::Constructor(
+ const GlobalObject& aGlobal, const SanitizerOptions& aOptions,
+ ErrorResult& aRv) {
+ // Note: Later, aOptions will be interpreted and stored as a member.
+ // We'll just ignore it for now.
+ nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports());
+ RefPtr<Sanitizer> sanitizer = new Sanitizer(global);
+ AutoTArray<nsString, 1> params = {};
+ sanitizer->LogLocalizedString("SanitizerOptionsDiscarded", params,
+ nsIScriptError::infoFlag);
+ return sanitizer.forget();
+}
+
+/* static */
+already_AddRefed<DocumentFragment> Sanitizer::InputToNewFragment(
+ const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput,
+ ErrorResult& aRv) {
+ // turns an StringOrDocumentFragmentOrDocument into a DocumentFragment for
+ // internal use with nsTreeSanitizer
+
+ nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+ if (!window || !window->GetDoc()) {
+ // FIXME: Should we throw another exception?
+ aRv.Throw(NS_ERROR_FAILURE);
+ return nullptr;
+ }
+ if (!aInput.WasPassed()) {
+ AutoTArray<nsString, 1> params = {};
+ LogLocalizedString("SanitizerRcvdNoInput", params,
+ nsIScriptError::warningFlag);
+
+ RefPtr<DocumentFragment> emptyFragment =
+ window->GetDoc()->CreateDocumentFragment();
+ return emptyFragment.forget();
+ }
+ // We need to create a new docfragment based on the input
+ // and can't use a live document (possibly with mutation observershandlers)
+ nsAutoString innerHTML;
+ if (aInput.Value().IsDocumentFragment()) {
+ RefPtr<DocumentFragment> inFragment =
+ &aInput.Value().GetAsDocumentFragment();
+ inFragment->GetInnerHTML(innerHTML);
+ } else if (aInput.Value().IsString()) {
+ innerHTML.Assign(aInput.Value().GetAsString());
+ } else if (aInput.Value().IsDocument()) {
+ RefPtr<Document> doc = &aInput.Value().GetAsDocument();
+ nsCOMPtr<Element> docElement = doc->GetDocumentElement();
+
+ docElement->GetInnerHTML(innerHTML, IgnoreErrors());
+ }
+ if (innerHTML.IsEmpty()) {
+ AutoTArray<nsString, 1> params = {};
+ LogLocalizedString("SanitizerRcvdNoInput", params,
+ nsIScriptError::warningFlag);
+
+ RefPtr<DocumentFragment> emptyFragment =
+ window->GetDoc()->CreateDocumentFragment();
+ return emptyFragment.forget();
+ }
+ // We don't have a context element yet. let's create a mock HTML body element
+ RefPtr<mozilla::dom::NodeInfo> info =
+ window->GetDoc()->NodeInfoManager()->GetNodeInfo(
+ nsGkAtoms::body, nullptr, kNameSpaceID_XHTML, nsINode::ELEMENT_NODE);
+
+ nsCOMPtr<nsINode> context = NS_NewHTMLBodyElement(
+ info.forget(), mozilla::dom::FromParser::FROM_PARSER_FRAGMENT);
+ RefPtr<DocumentFragment> fragment = nsContentUtils::CreateContextualFragment(
+ context, innerHTML, true /* aPreventScriptExecution */, aRv);
+ if (aRv.Failed()) {
+ aRv.Throw(NS_ERROR_FAILURE);
+ return nullptr;
+ }
+ return fragment.forget();
+}
+
+already_AddRefed<DocumentFragment> Sanitizer::Sanitize(
+ const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput,
+ ErrorResult& aRv) {
+ nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+ if (!window || !window->GetDoc()) {
+ aRv.Throw(NS_ERROR_FAILURE);
+ return nullptr;
+ }
+ if (!aInput.WasPassed()) {
+ AutoTArray<nsString, 1> params = {};
+ LogLocalizedString("SanitizerRcvdNoInput", params,
+ nsIScriptError::warningFlag);
+ RefPtr<DocumentFragment> fragment =
+ window->GetDoc()->CreateDocumentFragment();
+ return fragment.forget();
+ }
+ ErrorResult error;
+ RefPtr<DocumentFragment> fragment =
+ Sanitizer::InputToNewFragment(aInput, error);
+ if (error.Failed()) {
+ return fragment.forget();
+ }
+ nsTreeSanitizer treeSanitizer(mSanitizationFlags);
+
+ treeSanitizer.Sanitize(fragment);
+ return fragment.forget();
+}
+
+void Sanitizer::SanitizeToString(
+ const Optional<StringOrDocumentFragmentOrDocument>& aInput,
+ nsAString& outSanitized, ErrorResult& aRv) {
+ outSanitized.Truncate();
+ if (!aInput.WasPassed()) {
+ AutoTArray<nsString, 1> params = {};
+ LogLocalizedString("SanitizerRcvdNoInput", params,
+ nsIScriptError::warningFlag);
+ return;
+ }
+ ErrorResult error;
+ RefPtr<DocumentFragment> fragment =
+ Sanitizer::InputToNewFragment(aInput, error);
+ if (error.Failed()) {
+ return;
+ }
+ nsTreeSanitizer treeSanitizer(mSanitizationFlags);
+
+ treeSanitizer.Sanitize(fragment);
+ fragment->GetInnerHTML(outSanitized);
+}
+
+/* ------ Logging ------ */
+
+void Sanitizer::LogLocalizedString(const char* aName,
+ const nsTArray<nsString>& aParams,
+ uint32_t aFlags) {
+ uint64_t innerWindowID = 0;
+ bool isPrivateBrowsing = true;
+ nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+ if (window && window->GetDoc()) {
+ auto* doc = window->GetDoc();
+ innerWindowID = doc->InnerWindowID();
+ isPrivateBrowsing = nsContentUtils::IsInPrivateBrowsing(doc);
+ }
+ nsAutoString logMsg;
+ nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES,
+ aName, aParams, logMsg);
+ LogMessage(logMsg, aFlags, innerWindowID, isPrivateBrowsing);
+}
+
+/* static */
+void Sanitizer::LogMessage(const nsAString& aMessage, uint32_t aFlags,
+ uint64_t aInnerWindowID, bool aFromPrivateWindow) {
+ // Prepending 'Sanitizer' to the outgoing console message
+ nsString message;
+ message.AppendLiteral(u"Sanitizer: ");
+ message.Append(aMessage);
+
+ // Allow for easy distinction in devtools code.
+ nsCString category("Sanitizer");
+
+ if (aInnerWindowID > 0) {
+ // Send to content console
+ nsContentUtils::ReportToConsoleByWindowID(message, aFlags, category,
+ aInnerWindowID);
+ } else {
+ // Send to browser console
+ nsContentUtils::LogSimpleConsoleError(
+ message, category.get(), aFromPrivateWindow,
+ true /* from chrome context */, aFlags);
+ }
+}
+
+} // namespace dom
+} // namespace mozilla
diff --git a/dom/security/sanitizer/Sanitizer.h b/dom/security/sanitizer/Sanitizer.h
new file mode 100644
index 0000000000..9e9407655c
--- /dev/null
+++ b/dom/security/sanitizer/Sanitizer.h
@@ -0,0 +1,105 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_Sanitizer_h
+#define mozilla_dom_Sanitizer_h
+
+#include "mozilla/dom/BindingDeclarations.h"
+#include "mozilla/dom/DocumentFragment.h"
+#include "mozilla/dom/SanitizerBinding.h"
+#include "nsString.h"
+#include "nsIParserUtils.h"
+#include "nsTreeSanitizer.h"
+
+// XXX(Bug 1673929) This is not really needed here, but the generated
+// SanitizerBinding.cpp needs it and does not include it.
+#include "mozilla/dom/Document.h"
+
+class nsISupports;
+
+namespace mozilla {
+
+class ErrorResult;
+
+namespace dom {
+
+class GlobalObject;
+
+class Sanitizer final : public nsISupports, public nsWrapperCache {
+ public:
+ NS_DECL_CYCLE_COLLECTING_ISUPPORTS
+ NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(Sanitizer)
+
+ explicit Sanitizer(nsIGlobalObject* aGlobal) : mGlobal(aGlobal) {
+ MOZ_ASSERT(aGlobal);
+ // FIXME(freddyb): Waiting for wicg-draft to evolve. Bug 1658564.
+ mSanitizationFlags = nsIParserUtils::SanitizerAllowStyle |
+ nsIParserUtils::SanitizerAllowComments;
+ }
+
+ nsIGlobalObject* GetParentObject() const { return mGlobal; }
+
+ JSObject* WrapObject(JSContext* aCx,
+ JS::Handle<JSObject*> aGivenProto) override;
+
+ /**
+ * Sanitizer() WebIDL constructor
+ * @return a new Sanitizer object, with methods as below
+ */
+ static already_AddRefed<Sanitizer> Constructor(
+ const GlobalObject& aGlobal, const SanitizerOptions& aOptions,
+ ErrorResult& aRv);
+
+ /**
+ * sanitize WebIDL method.
+ * @param aInput "bad" HTML that needs to be sanitized
+ * @return DocumentFragment of the sanitized HTML
+ */
+ already_AddRefed<DocumentFragment> Sanitize(
+ const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput,
+ ErrorResult& aRv);
+
+ /**
+ * sanitizeToString WebIDL method.
+ * @param aInput "bad" HTML that needs to be sanitized
+ * @param outSanitized out-param for the string of sanitized HTML
+ */
+ void SanitizeToString(
+ const Optional<StringOrDocumentFragmentOrDocument>& aInput,
+ nsAString& outSanitized, ErrorResult& aRv);
+
+ /**
+ * Logs localized message to either content console or browser console
+ * @param aName Localization key
+ * @param aParams Localization parameters
+ * @param aFlags Logging Flag (see nsIScriptError)
+ */
+ void LogLocalizedString(const char* aName, const nsTArray<nsString>& aParams,
+ uint32_t aFlags);
+
+ private:
+ ~Sanitizer() = default;
+ already_AddRefed<DocumentFragment> InputToNewFragment(
+ const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput,
+ ErrorResult& aRv);
+ /**
+ * Logs localized message to either content console or browser console
+ * @param aMessage Message to log
+ * @param aFlags Logging Flag (see nsIScriptError)
+ * @param aInnerWindowID Inner Window ID (Logged on browser console if 0)
+ * @param aFromPrivateWindow If from private window
+ */
+ static void LogMessage(const nsAString& aMessage, uint32_t aFlags,
+ uint64_t aInnerWindowID, bool aFromPrivateWindow);
+
+ SanitizerOptions mOptions;
+ uint32_t mSanitizationFlags;
+ nsCOMPtr<nsIGlobalObject> mGlobal;
+};
+} // namespace dom
+} // namespace mozilla
+
+#endif // ifndef mozilla_dom_Sanitizer_h
diff --git a/dom/security/sanitizer/moz.build b/dom/security/sanitizer/moz.build
new file mode 100644
index 0000000000..4baec486c5
--- /dev/null
+++ b/dom/security/sanitizer/moz.build
@@ -0,0 +1,37 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Core", "DOM: Security")
+
+# TEST_DIRS += [ 'tests' ]
+
+MOCHITEST_MANIFESTS += ["tests/mochitest/mochitest.ini"]
+
+
+EXPORTS.mozilla.dom += [
+ "Sanitizer.h",
+]
+
+UNIFIED_SOURCES += [
+ "Sanitizer.cpp",
+]
+
+LOCAL_INCLUDES += [
+ "/dom/base",
+ "/dom/bindings",
+ "/dom/html",
+]
+
+# include('/ipc/chromium/chromium-config.mozbuild')
+# include('/tools/fuzzing/libfuzzer-config.mozbuild')
+
+FINAL_LIBRARY = "xul"
+
+# if CONFIG['FUZZING_INTERFACES']:
+# TEST_DIRS += [
+# 'fuzztest'
+# ]
diff --git a/dom/security/sanitizer/tests/mochitest/mochitest.ini b/dom/security/sanitizer/tests/mochitest/mochitest.ini
new file mode 100644
index 0000000000..ccc8440d87
--- /dev/null
+++ b/dom/security/sanitizer/tests/mochitest/mochitest.ini
@@ -0,0 +1,5 @@
+[DEFAULT]
+prefs =
+ dom.security.sanitizer.enabled=true
+scheme=https
+[test_sanitizer_api.html]
diff --git a/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html
new file mode 100644
index 0000000000..6e0a827cd9
--- /dev/null
+++ b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html
@@ -0,0 +1,82 @@
+<!DOCTYPE HTML>
+<title>Test sanitizer api</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+<div id="div"></div>
+<script type="text/javascript">
+"use strict";
+/* global Sanitizer */
+// we're not done after "onload"
+SimpleTest.waitForExplicitFinish();
+(async function() {
+ // Ensure Sanitizer is not exposed when the pref is false
+ await SpecialPowers.pushPrefEnv({
+ set: [["dom.security.sanitizer.enabled", false]],
+ });
+ ok(typeof Sanitizer === "undefined", "Sanitizer undefined when preffed off");
+
+ // The rest of this test assumes the sanitizer is enabled
+ await SpecialPowers.pushPrefEnv({
+ set: [["dom.security.sanitizer.enabled", true]],
+ });
+
+
+ function* possibleInputTypes(inputStr) {
+ /* This generator function, given a string, yields all possible input objects
+ for our sanitizer API (string, docfragment, document).
+ */
+
+ // 1) as string
+ yield ({testInput: inputStr, testType: "String" });
+ // 2) as DocumentFragment
+ let temp = document.createElement('template');
+ // asking eslint to skip this: innerHTML is safe for template elements.
+ // eslint-disable-next-line no-unsanitized/property
+ temp.innerHTML = inputStr;
+ yield ({testInput: temp.content, testType: "DocumentFragment" });
+ // 3) as HTMLDocument
+ const parser = new DOMParser;
+ yield ({testInput: parser.parseFromString(inputStr, "text/html"), testType: "Document" });
+ }
+ // basic interface smoke test
+ ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on");
+ const mySanitizer = new Sanitizer();
+ ok(mySanitizer, "Sanitizer constructor works");
+ ok(mySanitizer.sanitize, "sanitize function exists");
+
+ // testing sanitizer results
+ const testCases = [
+ {
+ testString: "<p>hello</p>",
+ testExpected: "<p>hello</p>"
+ },
+ {
+ // script element encoded to not confuse the HTML parser and end execution here
+ testString: "<p>second test</p><script>alert(1)\x3C/script>",
+ testExpected: "<p>second test</p>"
+ },
+ ];
+
+
+ const div = document.getElementById("div");
+ for (let test of testCases) {
+ const {testString, testExpected} = test;
+
+ for (let testInputAndType of possibleInputTypes(testString)) {
+ const {testInput, testType} = testInputAndType;
+
+ // test documentfragment API
+ div.innerHTML = "";
+ const docFragment = mySanitizer.sanitize(testInput);
+ div.append(docFragment);
+ is(div.innerHTML, testExpected, `Sanitizer.sanitize() should turn (${testType}) '${testInput}' into '${testExpected}'`);
+
+ // test string api, doesnt work yet
+ /*is(mySanitizer.sanitizeToString(testInput), testExpected,
+ `Sanitizer.sanitizeToString() should turn (${testType}) '${testInput}' into '${testExpected}'`);*/
+ }
+ }
+
+ SimpleTest.finish();
+})();
+</script>