Bug 1757210 - sanitizer restrict href in svg:use to fragment-only URL…

…s r=hsivonen Differential Revision: https://phabricator.services.mozilla.com/D139823
dothq · Apr 29, 2022 · 3139021 · 3139021
1 parent 8f08153
commit 3139021
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
@@ -1187,7 +1187,7 @@ void nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
         }
       }
       // checking drop list last
-      // i.e., if listd as both allowed and dropped, it will still be dropped
+      // i.e., if listed as both allowed and dropped, it will still be dropped
       if (mDroppedAttributes) {
         auto dropElements = mDroppedAttributes->Lookup(attrLocal);
         if (dropElements) {
@@ -1215,7 +1215,8 @@ void nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
         continue;
       }
       if (IsURL(aAllowed.mURLs, attrLocal)) {
-        if (SanitizeURL(aElement, attrNs, attrLocal)) {
+        bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+        if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
           // in case the attribute removal shuffled the attribute order, start
           // the loop again.
           --ac;
@@ -1294,7 +1295,7 @@ void nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 }
 
 bool nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
-                                  int32_t aNamespace, nsAtom* aLocalName) {
+                                  int32_t aNamespace, nsAtom* aLocalName, bool aFragmentsOnly) {
   nsAutoString value;
   aElement->GetAttr(aNamespace, aLocalName, value);
 
@@ -1305,6 +1306,15 @@ bool nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
   if (!v.IsEmpty() && v.First() == u'#') {
     return false;
   }
+  // if we allow only same-document fragment URLs, stop and remove here
+  if (aFragmentsOnly) {
+    aElement->UnsetAttr(aNamespace, aLocalName, false);
+    if (mLogRemovals) {
+      LogMessage("Removed unsafe URI from element attribute.",
+                 aElement->OwnerDoc(), aElement, aLocalName);
+    }
+    return true;
+  }
 
   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
   uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;

diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
@@ -198,10 +198,11 @@ class nsTreeSanitizer {
    * @param aElement the element whose attribute to possibly modify
    * @param aNamespace the namespace of the URL attribute
    * @param aLocalName the local name of the URL attribute
+   * @param aFragmentsOnly allows same-document references only
    * @return true if the attribute was removed and false otherwise
    */
   bool SanitizeURL(mozilla::dom::Element* aElement, int32_t aNamespace,
-                   nsAtom* aLocalName);
+                   nsAtom* aLocalName, bool aFragmentsOnly = false);
 
   /**
    * Checks a style rule for the presence of the 'binding' CSS property and