Update Trusted Types enforcement for document.write/writeln #10328

Merged
merged 1 commit into from
May 28, 2024
54 changes: 41 additions & 13 deletions source
Expand Up @@ -4608,7 +4608,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<ul class="brief">
<li><dfn data-x="tt-htmlstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#typedefdef-htmlstring"><code>HTMLString</code></dfn></li>
<li><dfn data-x="tt-scripturlstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#typedefdef-scripturlstring"><code>ScriptURLString</code></dfn></li>
</ul>
<li><dfn data-x="tt-trustedhtml" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml"><code>TrustedHTML</code></dfn></li>
<li><dfn data-x="tt-trustedhtml-data" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#trustedhtml-data">data</dfn></li>
<li><dfn data-x="tt-getcompliantstring" data-x-href="https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm">Get Trusted Type compliant string</dfn></li>
</ul>
</dd>
</dl>

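Review bot: the `HTMLString` and `ScriptURLString` entries at the top of this list are kept, yet the only references to `tt-htmlstring` visible in this patch (the `write`/`writeln` IDL in the next hunk) are removed by it. Check that something still links to `tt-htmlstring` after this change; if nothing does, that `dfn` is dead cross-reference scaffolding and should be dropped in the same commit. The moved `</ul>` is fine: the three new `dfn`s (`TrustedHTML`, its `data`, and `Get Trusted Type compliant string`) end up inside the one existing list.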
Expand Down Expand Up @@ -10694,8 +10697,8 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
[<span>CEReactions</span>] <span>Document</span> <span data-x="dom-document-open">open</span>(optional DOMString unused1, optional DOMString unused2); // both arguments are <a href="#dom-document-open-unused-arguments">ignored</a>
<span>WindowProxy</span>? <span data-x="dom-document-open-window">open</span>(USVString url, DOMString name, DOMString features);
[<span>CEReactions</span>] undefined <span data-x="dom-document-close">close</span>();
[<span>CEReactions</span>] undefined <span data-x="dom-document-write">write</span>(<span data-x="tt-htmlstring">HTMLString</span>... text);
[<span>CEReactions</span>] undefined <span data-x="dom-document-writeln">writeln</span>(<span data-x="tt-htmlstring">HTMLString</span>... text);
[<span>CEReactions</span>] undefined <span data-x="dom-document-write">write</span>((<code data-x="tt-trustedhtml">TrustedHTML</code> or DOMString)... text);
[<span>CEReactions</span>] undefined <span data-x="dom-document-writeln">writeln</span>((<code data-x="tt-trustedhtml">TrustedHTML</code> or DOMString)... text);

// <span>user interaction</span>
readonly attribute <span>WindowProxy</span>? <span data-x="dom-document-defaultView">defaultView</span>;
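Review bot: with the argument type changed to the union `(TrustedHTML or DOMString)`, WebIDL union conversion selects `TrustedHTML` only for an actual `TrustedHTML` platform object and converts anything else to a string, so a `TrustedScript` or `TrustedScriptURL` passed to `write()` is stringified and then, per the new write steps, treated as untrusted and routed through the default policy. That is the intended behaviour for a sink that accepts only `TrustedHTML`, but the old `HTMLString` typedef made the accepted types explicit in one place, so a sentence in the commit message saying this coercion is deliberate would help future readers.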
Expand Down Expand Up @@ -112257,10 +112260,35 @@ document.body.appendChild(frame)</code></pre>
away the document by implicitly calling <code data-x="dom-document-open">document.open()</code>.
Initially, the counter must be set to zero.</p>

<p>The <dfn>document write steps</dfn>, given a <code>Document</code> object <var>document</var>
and a string <var>input</var>, are as follows:</p>
<p>The <dfn>document write steps</dfn>, given a <code>Document</code> object <var>document</var>,
a list <var>text</var>, a boolean <var>lineFeed</var> and a string <var>sink</var>, are as
follows:</p>

<ol>
<li><p>Let <var>string</var> be the empty string.</p></li>

<li><p>Let <var>isTrusted</var> be false if <var>text</var> <span data-x="list
contains">contains</span> a string; otherwise true.</p></li>

<li>
<p><span data-x="list iterate">For each</span> <var>value</var> of <var>text</var>:</p>

<ol>
<li><p>If <var>value</var> is a <code data-x="tt-trustedhtml">TrustedHTML</code> object, then
append <var>value</var>'s associated <span data-x="tt-trustedhtml-data">data</span> to
<var>string</var>.</p></li>

<li><p>Otherwise, append <var>value</var> to <var>string</var>.</p></li>
</ol>
</li>

<li><p>If <var>isTrusted</var> is false, set <var>string</var> to the result of invoking the
<span data-x="tt-getcompliantstring">Get Trusted Type compliant string</span> algorithm with
<code data-x="tt-trustedhtml">TrustedHTML</code>, <span>this</span>'s <span>relevant global
object</span>, <var>string</var>, <var>sink</var>, and "<code data-x="">script</code>".</p></li>

<li><p>If <var>lineFeed</var> is true, append U+000A LINE FEED to <var>string</var>.</p></li>

<li><p>If <var>document</var> is an <span data-x="XML documents">XML document</span>, then throw
an <span>"<code>InvalidStateError</code>"</span> <code>DOMException</code>.</p></li>
<!-- Where would document.write() insert?
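Review bot: the new step 4 says "`this`'s relevant global object", but the document write steps are a standalone algorithm whose inputs are `document`, `text`, `lineFeed` and `sink`; no `this` is in scope here. It should read `<var>document</var>'s <span>relevant global object</span>`; both callers already pass `this` as `document`, so the meaning is unchanged and the dangling reference goes away. Separately, because `isTrusted` is true when `text` contains no string, a call with zero arguments never reaches the compliant-string algorithm and writes the empty string, which matches the previous concatenation behaviour; worth keeping in mind when reviewing test coverage.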
Expand All @@ -112286,12 +112314,12 @@ document.body.appendChild(frame)</code></pre>
</ol>
</li>

<li><p>Insert <var>input</var> into the <span>input stream</span> just before the <span>insertion
<li><p>Insert <var>string</var> into the <span>input stream</span> just before the <span>insertion
point</span>.</p></li>

<li>
<p>If <var>document</var>'s <span>pending parsing-blocking script</span> is null, then have the
<span>HTML parser</span> process <var>input</var>, one code point at a time, processing
<span>HTML parser</span> process <var>string</var>, one code point at a time, processing
resulting tokens as they are emitted, and stopping when the tokenizer reaches the insertion
point or when the processing of the tokenizer is aborted by the tree construction stage (this
can happen if a <code>script</code> end tag token is emitted by the tokenizer).
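Review bot: this hunk renames `<var>input</var>` to `<var>string</var>` in the two places shown, but the lines collapsed between the previous hunk and this one are not visible in the diff. Confirm that no other `<var>input</var>` remains anywhere in the document write steps; the variable is no longer declared, so any leftover occurrence would make the algorithm reference an undefined value.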
Expand All @@ -112306,9 +112334,9 @@ document.body.appendChild(frame)</code></pre>
</ol>

<p>The <dfn method for="Document"><code
data-x="dom-document-write">document.write(...)</code></dfn> method steps are to run the
<span>document write steps</span> with <span>this</span> and a string that is the concatenation
of all arguments passed.</p>
data-x="dom-document-write">document.write(...<var>text</var>)</code></dfn> method steps are
to run the <span>document write steps</span> with <span>this</span>, <var>text</var>, false and
"<code data-x="">Document write</code>".</p>

</div>

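Review bot: the `sink` argument `"Document write"` is passed straight through to the Get Trusted Type compliant string algorithm and ends up as the sink name handed to the default policy callback, so the exact string (capitalization and the space included) must match the sink name the Trusted Types spec lists for `document.write`; verify it against that spec's definition rather than treating it as a free-form label here.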
Expand Down Expand Up @@ -112337,9 +112365,9 @@ document.body.appendChild(frame)</code></pre>
<div w-nodev>

<p>The <dfn method for="Document"><code
data-x="dom-document-writeln">document.writeln(...)</code></dfn> method steps are to run the
<span>document write steps</span> with <span>this</span> and a string that is the concatenation
of all arguments passed and U+000A LINE FEED.</p>
data-x="dom-document-writeln">document.writeln(...<var>text</var>)</code></dfn> method steps are
to run the <span>document write steps</span> with <span>this</span>, <var>text</var>, true and
"<code data-x="">Document writeln</code>".</p>

</div>

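Review bot: because the write steps append U+000A LINE FEED only after the compliant-string check, the default policy for `document.writeln` sees the concatenated arguments without the trailing newline, and the newline is added regardless of what the policy returns. That matches the old per-argument `HTMLString` conversion, where the line feed was never part of any argument, but now that the ordering is spelled out in a single algorithm it is worth stating in the PR description that this is deliberate.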