Added some XSS sinks we initially overlooked.

SAP · Jul 6, 2023 · d9c268e · d9c268e
1 parent 28a2fe3
commit d9c268e
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 0 deletions.
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
@@ -5264,6 +5264,7 @@ already_AddRefed<DocumentFragment> nsContentUtils::CreateContextualFragment(
     aRv.Throw(NS_ERROR_INVALID_ARG);
     return nullptr;
   }
+  ReportTaintSink(aFragment, "Range.createContextualFragment(fragment)");
 
   // If we don't have a document here, we can't get the right security context
   // for compiling event handlers... so just bail out.

diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp
@@ -2274,4 +2274,15 @@ void HTMLFormElement::MaybeFireFormRemoved() {
   asyncDispatcher->RunDOMEventWhenSafe();
 }
 
+nsresult HTMLFormElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
+                                                  const nsAString& aValue) {
+  if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::action) {
+    nsAutoString id;
+    this->GetId(id);
+    ReportTaintSink(aValue, "form.action", id);
+  } 
+
+  return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
+}
+
 }  // namespace mozilla::dom
diff --git a/dom/html/HTMLFormElement.h b/dom/html/HTMLFormElement.h
@@ -424,6 +424,9 @@ class HTMLFormElement final : public nsGenericHTMLElement,
 
   nsresult DoReset();
 
+  virtual nsresult CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
+                                         const nsAString& aValue) override;
+
   // Async callback to handle removal of our default submit
   void HandleDefaultSubmitRemoval();
 

diff --git a/dom/html/HTMLIFrameElement.cpp b/dom/html/HTMLIFrameElement.cpp
@@ -161,6 +161,10 @@ nsresult HTMLIFrameElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom*
     nsAutoString id;
     this->GetId(id);
     ReportTaintSink(aValue, "iframe.src", id);
+  } else if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::srcdoc) {
+    nsAutoString id;
+    this->GetId(id);
+    ReportTaintSink(aValue, "iframe.srcdoc", id);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

diff --git a/dom/html/HTMLScriptElement.cpp b/dom/html/HTMLScriptElement.cpp
@@ -281,4 +281,12 @@ bool HTMLScriptElement::Supports(const GlobalObject& aGlobal,
           aType.EqualsLiteral("importmap"));
 }
 
+void HTMLScriptElement::SetTextContentInternal(const nsAString& aTextContent,
+                                              nsIPrincipal* aScriptedPrincipal,
+                                              ErrorResult& aError) {
+  nsAutoString id;
+  this->GetId(id);
+  ReportTaintSink(aTextContent, "script.textContent", id);
+  aError = nsContentUtils::SetNodeTextContent(this, aTextContent, true);
+}
 }  // namespace mozilla::dom
diff --git a/dom/html/HTMLScriptElement.h b/dom/html/HTMLScriptElement.h
@@ -138,6 +138,9 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
   [[nodiscard]] static bool Supports(const GlobalObject& aGlobal,
                                      const nsAString& aType);
 
+  virtual void SetTextContentInternal(const nsAString& aTextContent,
+                                      nsIPrincipal* aSubjectPrincipal,
+                                      mozilla::ErrorResult& aError) override;
  protected:
   virtual ~HTMLScriptElement();