Update Trusted Types enforcement for document.write/writeln

This changes from using HTMLString to a TrustedHTML or DOMString union. This also changes the timing of the default policy call.
whatwg · May 28, 2024 · ae1f8f1 · ae1f8f1
1 parent f499167
commit ae1f8f1
Showing 1 changed file with 41 additions and 13 deletions.
diff --git a/source b/source
@@ -4608,7 +4608,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <ul class="brief">
      <li><dfn data-x="tt-htmlstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#typedefdef-htmlstring"><code>HTMLString</code></dfn></li>
      <li><dfn data-x="tt-scripturlstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#typedefdef-scripturlstring"><code>ScriptURLString</code></dfn></li>
-     </ul>
+     <li><dfn data-x="tt-trustedhtml" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml"><code>TrustedHTML</code></dfn></li>
+     <li><dfn data-x="tt-trustedhtml-data" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml-data">data</dfn></li>
+     <li><dfn data-x="tt-getcompliantstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm">Get Trusted Type compliant string</dfn></li>
+    </ul>
    </dd>
   </dl>
 
@@ -10694,8 +10697,8 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   [<span>CEReactions</span>] <span>Document</span> <span data-x="dom-document-open">open</span>(optional DOMString unused1, optional DOMString unused2); // both arguments are <a href="#dom-document-open-unused-arguments">ignored</a>
   <span>WindowProxy</span>? <span data-x="dom-document-open-window">open</span>(USVString url, DOMString name, DOMString features);
   [<span>CEReactions</span>] undefined <span data-x="dom-document-close">close</span>();
-  [<span>CEReactions</span>] undefined <span data-x="dom-document-write">write</span>(<span data-x="tt-htmlstring">HTMLString</span>... text);
-  [<span>CEReactions</span>] undefined <span data-x="dom-document-writeln">writeln</span>(<span data-x="tt-htmlstring">HTMLString</span>... text);
+  [<span>CEReactions</span>] undefined <span data-x="dom-document-write">write</span>((<code data-x="tt-trustedhtml">TrustedHTML</code> or DOMString)... text);
+  [<span>CEReactions</span>] undefined <span data-x="dom-document-writeln">writeln</span>((<code data-x="tt-trustedhtml">TrustedHTML</code> or DOMString)... text);
 
   // <span>user interaction</span>
   readonly attribute <span>WindowProxy</span>? <span data-x="dom-document-defaultView">defaultView</span>;
@@ -112257,10 +112260,35 @@ document.body.appendChild(frame)</code></pre>
   away the document by implicitly calling <code data-x="dom-document-open">document.open()</code>.
   Initially, the counter must be set to zero.</p>
 
-  <p>The <dfn>document write steps</dfn>, given a <code>Document</code> object <var>document</var>
-  and a string <var>input</var>, are as follows:</p>
+  <p>The <dfn>document write steps</dfn>, given a <code>Document</code> object <var>document</var>,
+  a list <var>text</var>, a boolean <var>lineFeed</var> and a string <var>sink</var>, are as
+  follows:</p>
 
   <ol>
+   <li><p>Let <var>string</var> be the empty string.</p></li>
+
+   <li><p>Let <var>isTrusted</var> be false if <var>text</var> <span data-x="list
+   contains">contains</span> a string; otherwise true.</p></li>
+
+   <li>
+    <p><span data-x="list iterate">For each</span> <var>value</var> of <var>text</var>:</p>
+
+    <ol>
+     <li><p>If <var>value</var> is a <code data-x="tt-trustedhtml">TrustedHTML</code> object, then
+     append <var>value</var>'s associated <span data-x="tt-trustedhtml-data">data</span> to
+     <var>string</var>.</p></li>
+
+     <li><p>Otherwise, append <var>value</var> to <var>string</var>.</p></li>
+    </ol>
+   </li>
+
+   <li><p>If <var>isTrusted</var> is false, set <var>string</var> to the result of invoking the
+   <span data-x="tt-getcompliantstring">Get Trusted Type compliant string</span> algorithm with
+   <code data-x="tt-trustedhtml">TrustedHTML</code>, <span>this</span>'s <span>relevant global
+   object</span>, <var>string</var>, <var>sink</var>, and "<code data-x="">script</code>".</p></li>
+
+   <li><p>If <var>lineFeed</var> is true, append U+000A LINE FEED to <var>string</var>.</p></li>
+
    <li><p>If <var>document</var> is an <span data-x="XML documents">XML document</span>, then throw
    an <span>"<code>InvalidStateError</code>"</span> <code>DOMException</code>.</p></li>
    <!-- Where would document.write() insert?
@@ -112286,12 +112314,12 @@ document.body.appendChild(frame)</code></pre>
     </ol>
    </li>
 
-   <li><p>Insert <var>input</var> into the <span>input stream</span> just before the <span>insertion
+   <li><p>Insert <var>string</var> into the <span>input stream</span> just before the <span>insertion
    point</span>.</p></li>
 
    <li>
     <p>If <var>document</var>'s <span>pending parsing-blocking script</span> is null, then have the
-    <span>HTML parser</span> process <var>input</var>, one code point at a time, processing
+    <span>HTML parser</span> process <var>string</var>, one code point at a time, processing
     resulting tokens as they are emitted, and stopping when the tokenizer reaches the insertion
     point or when the processing of the tokenizer is aborted by the tree construction stage (this
     can happen if a <code>script</code> end tag token is emitted by the tokenizer).
@@ -112306,9 +112334,9 @@ document.body.appendChild(frame)</code></pre>
   </ol>
 
   <p>The <dfn method for="Document"><code
-  data-x="dom-document-write">document.write(...)</code></dfn> method steps are to run the
-  <span>document write steps</span> with <span>this</span> and a string that is the concatenation
-  of all arguments passed.</p>
+  data-x="dom-document-write">document.write(...<var>text</var>)</code></dfn> method steps are
+  to run the <span>document write steps</span> with <span>this</span>, <var>text</var>, false and
+  "<code data-x="">Document write</code>".</p>
 
   </div>
 
@@ -112337,9 +112365,9 @@ document.body.appendChild(frame)</code></pre>
   <div w-nodev>
 
   <p>The <dfn method for="Document"><code
-  data-x="dom-document-writeln">document.writeln(...)</code></dfn> method steps are to run the
-  <span>document write steps</span> with <span>this</span> and a string that is the concatenation
-  of all arguments passed and U+000A LINE FEED.</p>
+  data-x="dom-document-writeln">document.writeln(...<var>text</var>)</code></dfn> method steps are
+  to run the <span>document write steps</span> with <span>this</span>, <var>text</var>, true and
+  "<code data-x="">Document writeln</code>".</p>
 
   </div>