1 files changed, 227 insertions, 0 deletions

diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
new file mode 100644
index 000000000..b8700d775
--- /dev/null
+++ b/dom/base/nsTreeSanitizer.h
@@ -0,0 +1,227 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsTreeSanitizer_h_
+#define nsTreeSanitizer_h_
+
+#include "mozilla/css/StyleRule.h"
+#include "nsIPrincipal.h"
+#include "mozilla/dom/Element.h"
+
+class nsIContent;
+
+/**
+ * See the documentation of nsIParserUtils::sanitize for documentation
+ * about the default behavior and the configuration options of this sanitizer.
+ */
+class MOZ_STACK_CLASS nsTreeSanitizer {
+
+  public:
+
+    /**
+     * The constructor.
+     *
+     * @param aFlags Flags from nsIParserUtils
+     */
+    explicit nsTreeSanitizer(uint32_t aFlags = 0);
+
+    static void InitializeStatics();
+    static void ReleaseStatics();
+
+    /**
+     * Sanitizes a disconnected DOM fragment freshly obtained from a parser.
+     * The argument must be of type nsINode::eDOCUMENT_FRAGMENT and,
+     * consequently, must not be in the document. Furthermore, the fragment
+     * must have just come from a parser so that it can't have mutation
+     * event listeners set on it.
+     */
+    void Sanitize(nsIContent* aFragment);
+
+    /**
+     * Sanitizes a disconnected (not in a docshell) document freshly obtained
+     * from a parser. The document must not be embedded in a docshell and must
+     * not have had a chance to get mutation event listeners attached to it.
+     * The root element must be <html>.
+     */
+    void Sanitize(nsIDocument* aDocument);
+
+  private:
+
+    /**
+     * Whether <style> and style="" are allowed.
+     */
+    bool mAllowStyles;
+
+    /**
+     * Whether comment nodes are allowed.
+     */
+    bool mAllowComments;
+
+    /**
+     * Whether HTML <font>, <center>, bgcolor="", etc., are dropped.
+     */
+    bool mDropNonCSSPresentation;
+
+    /**
+     * Whether to remove forms and form controls (excluding fieldset/legend).
+     */
+    bool mDropForms;
+
+    /**
+     * Whether only cid: embeds are allowed.
+     */
+    bool mCidEmbedsOnly;
+
+    /**
+     * Whether to drop <img>, <video>, <audio> and <svg>.
+     */
+    bool mDropMedia;
+
+    /**
+     * Whether we are sanitizing a full document (as opposed to a fragment).
+     */
+    bool mFullDocument;
+
+    void SanitizeChildren(nsINode* aRoot);
+
+    /**
+     * Queries if an element must be replaced with its children.
+     * @param aNamespace the namespace of the element the question is about
+     * @param aLocal the local name of the element the question is about
+     * @return true if the element must be replaced with its children and
+     *         false if the element is to be kept
+     */
+    bool MustFlatten(int32_t aNamespace, nsIAtom* aLocal);
+
+    /**
+     * Queries if an element including its children must be removed.
+     * @param aNamespace the namespace of the element the question is about
+     * @param aLocal the local name of the element the question is about
+     * @param aElement the element node itself for inspecting attributes
+     * @return true if the element and its children must be removed and
+     *         false if the element is to be kept
+     */
+    bool MustPrune(int32_t aNamespace,
+                     nsIAtom* aLocal,
+                     mozilla::dom::Element* aElement);
+
+    /**
+     * Checks if a given local name (for an attribute) is on the given list
+     * of URL attribute names.
+     * @param aURLs the list of URL attribute names
+     * @param aLocalName the name to search on the list
+     * @return true if aLocalName is on the aURLs list and false otherwise
+     */
+    bool IsURL(nsIAtom*** aURLs, nsIAtom* aLocalName);
+
+    /**
+     * Removes dangerous attributes from the element. If the style attribute
+     * is allowed, its value is sanitized. The values of URL attributes are
+     * sanitized, except src isn't sanitized when it is allowed to remain
+     * potentially dangerous.
+     *
+     * @param aElement the element whose attributes should be sanitized
+     * @param aAllowed the whitelist of permitted local names to use
+     * @param aURLs the local names of URL-valued attributes
+     * @param aAllowXLink whether XLink attributes are allowed
+     * @param aAllowStyle whether the style attribute is allowed
+     * @param aAllowDangerousSrc whether to leave the value of the src
+     *                           attribute unsanitized
+     */
+    void SanitizeAttributes(mozilla::dom::Element* aElement,
+                            nsTHashtable<nsISupportsHashKey>* aAllowed,
+                            nsIAtom*** aURLs,
+                            bool aAllowXLink,
+                            bool aAllowStyle,
+                            bool aAllowDangerousSrc);
+
+    /**
+     * Remove the named URL attribute from the element if the URL fails a
+     * security check.
+     *
+     * @param aElement the element whose attribute to possibly modify
+     * @param aNamespace the namespace of the URL attribute
+     * @param aLocalName the local name of the URL attribute
+     * @return true if the attribute was removed and false otherwise
+     */
+    bool SanitizeURL(mozilla::dom::Element* aElement,
+                       int32_t aNamespace,
+                       nsIAtom* aLocalName);
+
+    /**
+     * Checks a style rule for the presence of the 'binding' CSS property and
+     * removes that property from the rule and reserializes in case the
+     * property was found.
+     *
+     * @param aDeclaration The style declaration to check
+     * @param aRuleText the serialized mutated rule if the method returns true
+     * @return true if the rule was modified and false otherwise
+     */
+    bool SanitizeStyleDeclaration(mozilla::css::Declaration* aDeclaration,
+                                  nsAutoString& aRuleText);
+
+    /**
+     * Parses a style sheet and reserializes it with the 'binding' property
+     * removed if it was present.
+     *
+     * @param aOrigin the original style sheet source
+     * @param aSanitized the reserialization without 'binding'; only valid if
+     *                   this method return true
+     * @param aDocument the document the style sheet belongs to
+     * @param aBaseURI the base URI to use
+     * @return true if the 'binding' property was encountered and false
+     *              otherwise
+     */
+    bool SanitizeStyleSheet(const nsAString& aOriginal,
+                              nsAString& aSanitized,
+                              nsIDocument* aDocument,
+                              nsIURI* aBaseURI);
+
+    /**
+     * Removes all attributes from an element node.
+     */
+    void RemoveAllAttributes(nsIContent* aElement);
+
+    /**
+     * The whitelist of HTML elements.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sElementsHTML;
+
+    /**
+     * The whitelist of non-presentational HTML attributes.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sAttributesHTML;
+
+    /**
+     * The whitelist of presentational HTML attributes.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sPresAttributesHTML;
+
+    /**
+     * The whitelist of SVG elements.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sElementsSVG;
+
+    /**
+     * The whitelist of SVG attributes.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sAttributesSVG;
+
+    /**
+     * The whitelist of SVG elements.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sElementsMathML;
+
+    /**
+     * The whitelist of MathML attributes.
+     */
+    static nsTHashtable<nsISupportsHashKey>* sAttributesMathML;
+
+    /**
+     * Reusable null principal for URL checks.
+     */
+    static nsIPrincipal* sNullPrincipal;
+};
+
+#endif // nsTreeSanitizer_h_