CVE-2020-26956-1.patch 2.08 KB
wangxiao65 committed on 2021-01-07 15:15 . fix cves
# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1603457329 0
# Fri Oct 23 12:48:49 2020 +0000
# Node ID 3476387362fb15c82f133f390afef719ad36de0a
# Parent fd45fcfd6261e9ed6cf83e54ad8286717f1b4762
Bug 1666300 part 1 - Remove attributes from descendants when setting sanitized style. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D93215
diff -r fd45fcfd6261 -r 3476387362fb dom/base/nsTreeSanitizer.cpp
--- a/dom/base/nsTreeSanitizer.cpp Fri Oct 23 13:04:19 2020 +0000
+++ b/dom/base/nsTreeSanitizer.cpp Fri Oct 23 12:48:49 2020 +0000
@@ -1341,6 +1341,7 @@
nsAutoString sanitizedStyle;
SanitizeStyleSheet(styleText, sanitizedStyle, aRoot->OwnerDoc(),
node->GetBaseURI());
+ RemoveAllAttributesFromDescendants(elt);
nsContentUtils::SetNodeTextContent(node, sanitizedStyle, true);
if (!mOnlyConditionalCSS) {
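Review bot: The added call passes `elt`, while every other line in this hunk operates on `node` (`node->GetBaseURI()`, `SetNodeTextContent(node, ...)`), and the hunk does not show where `elt` is assigned, so it is not visible here that both refer to the same style element. Either pass `node->AsElement()` or add a one-line comment above `RemoveAllAttributesFromDescendants(elt);` stating that `elt` is the element whose text is about to be replaced and why descendant attributes must be stripped before `SetNodeTextContent` runs.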
@@ -1427,6 +1428,18 @@
}
}
+void nsTreeSanitizer::RemoveAllAttributesFromDescendants(
+ mozilla::dom::Element* aElement) {
+ nsIContent* node = aElement->GetFirstChild();
+ while (node) {
+ if (node->IsElement()) {
+ mozilla::dom::Element* elt = node->AsElement();
+ RemoveAllAttributes(elt);
+ }
+ node = node->GetNextNode(aElement);
+ }
+}
+
void nsTreeSanitizer::LogMessage(const char* aMessage, Document* aDoc,
Element* aElement, nsAtom* aAttr) {
if (mLogRemovals) {
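Review bot: In the `while (node)` loop of `RemoveAllAttributesFromDescendants`, `node` is a raw `nsIContent*` that is held across `RemoveAllAttributes(elt)` and then used again in `node->GetNextNode(aElement)`. Please state in a comment that attribute removal here cannot cause the tree to change under the traversal, or hold a strong reference to the node for the duration of the iteration. The function also dereferences `aElement` at `aElement->GetFirstChild()` without a check; a `MOZ_ASSERT(aElement)` at the top would document the precondition.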
diff -r fd45fcfd6261 -r 3476387362fb dom/base/nsTreeSanitizer.h
--- a/dom/base/nsTreeSanitizer.h Fri Oct 23 13:04:19 2020 +0000
+++ b/dom/base/nsTreeSanitizer.h Fri Oct 23 12:48:49 2020 +0000
@@ -200,6 +200,12 @@
void RemoveAllAttributes(mozilla::dom::Element* aElement);
/**
+ * Removes all attributes from the descendants of an element but not from
+ * the element itself.
+ */
+ void RemoveAllAttributesFromDescendants(mozilla::dom::Element* aElement);
+
+ /**
* Log a Console Service message to indicate we removed something.
* If you pass an element and/or attribute, their information will
* be appended to the message.
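Review bot: The doc comment on `RemoveAllAttributesFromDescendants` says what is removed but not when a caller should use it. Since the only call site in this patch is the sanitized-style path, the comment should say that it is meant to run before an element's content is replaced with sanitized style text, and that `aElement` must be non-null, so future callers do not mistake it for a general-purpose helper next to `RemoveAllAttributes`.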