[dom] Remove attributes from descendants when setting sanitized style.

This avoids a number of problems with incomplete sanitation.

1 files changed, 13 insertions, 0 deletions

diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index c8150d0c2..39c2408b7 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1384,6 +1384,8 @@ nsTreeSanitizer::SanitizeChildren(nsINode* aRoot)
         nsAutoString styleText;
         nsContentUtils::GetNodeTextContent(node, false, styleText);
 
+        RemoveAllAttributesFromDescendants(elt);
+        
         nsAutoString sanitizedStyle;
         nsCOMPtr<nsIURI> baseURI = node->GetBaseURI();
         if (SanitizeStyleSheet(styleText,
@@ -1479,6 +1481,17 @@ nsTreeSanitizer::RemoveAllAttributes(nsIContent* aElement)
   }
 }
 
+void nsTreeSanitizer::RemoveAllAttributesFromDescendants(mozilla::dom::Element* aElement) {
+  nsIContent* node = aElement->GetFirstChild();
+  while (node) {
+    if (node->IsElement()) {
+      mozilla::dom::Element* elt = node->AsElement();
+      RemoveAllAttributes(elt);
+    }
+    node = node->GetNextNode(aElement);
+  }
+}
+
 void
 nsTreeSanitizer::InitializeStatics()
 {