Foxhound: Unify DOM element sink reporting.

dom/base/Element.cpp

@@ -3920,9 +3920,7 @@ void Element::SetInnerHTML(const nsAString& aInnerHTML,
                            ErrorResult& aError) {
 
   // TaintFox: innerHTML sink.
-  nsAutoString id;
-  this->GetId(id);
-  ReportTaintSink(aInnerHTML, "innerHTML", id);
+  ReportTaintSink(aInnerHTML, "innerHTML", this);
 
   SetInnerHTMLInternal(aInnerHTML, aError);
 }
@@ -3944,9 +3942,7 @@ void Element::SetOuterHTML(const nsAString& aOuterHTML, ErrorResult& aError) {
   }
 
   // TaintFox: outerHTML sink.
-  nsAutoString id;
-  this->GetId(id);
-  ReportTaintSink(aOuterHTML, "outerHTML", id);
+  ReportTaintSink(aOuterHTML, "outerHTML", this);
 
   if (OwnerDoc()->IsHTMLDocument()) {
     nsAtom* localName;
@@ -3996,7 +3992,7 @@ enum nsAdjacentPosition { eBeforeBegin, eAfterBegin, eBeforeEnd, eAfterEnd };
 void Element::InsertAdjacentHTML(const nsAString& aPosition,
                                  const nsAString& aText, ErrorResult& aError) {
   // TaintFox: insertAdjacentHTML sink
-  ReportTaintSink(aText, "insertAdjacentHTML");
+  ReportTaintSink(aText, "insertAdjacentHTML", this);
 
   nsAdjacentPosition position;
   if (aPosition.LowerCaseEqualsLiteral("beforebegin")) {
@@ -4127,7 +4123,7 @@ void Element::InsertAdjacentText(const nsAString& aWhere,
   RefPtr<nsTextNode> textNode = OwnerDoc()->CreateTextNode(aData);
 
   // TaintFox: insertAdjacentHTML sink
-  ReportTaintSink(aData, "insertAdjacentText");
+  ReportTaintSink(aData, "insertAdjacentText", this);
 
   InsertAdjacent(aWhere, textNode, aError);
 }

dom/base/nsStyledElement.cpp

@@ -59,9 +59,7 @@ bool nsStyledElement::ParseAttribute(int32_t aNamespaceID, nsAtom* aAttribute,
 nsresult nsStyledElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::style) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "element.style", id);
+    ReportTaintSink(aValue, "element.style", this);
   }
 
   return nsStyledElementBase::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLAnchorElement.cpp

@@ -193,9 +193,7 @@ already_AddRefed<nsIURI> HTMLAnchorElement::GetHrefURI() const {
 nsresult HTMLAnchorElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::href) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "a.href", id);
+    ReportTaintSink(aValue, "a.href", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLAreaElement.cpp

@@ -88,9 +88,7 @@ void HTMLAreaElement::UnbindFromTree(bool aNullParent) {
 nsresult HTMLAreaElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::href) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "area.href", id);
+    ReportTaintSink(aValue, "area.href", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLEmbedElement.cpp

@@ -91,9 +91,7 @@ void HTMLEmbedElement::UnbindFromTree(bool aNullParent) {
 nsresult HTMLEmbedElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                  const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "embed.src", id);
+    ReportTaintSink(aValue, "embed.src", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLFormElement.cpp

@@ -2190,9 +2190,7 @@ void HTMLFormElement::MaybeFireFormRemoved() {
 nsresult HTMLFormElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::action) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "form.action", id);
+    ReportTaintSink(aValue, "form.action", this);
   } 
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLIFrameElement.cpp

@@ -157,13 +157,9 @@ nsMapRuleToAttributesFunc HTMLIFrameElement::GetAttributeMappingFunction()
 nsresult HTMLIFrameElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "iframe.src", id);
+    ReportTaintSink(aValue, "iframe.src", this);
   } else if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::srcdoc) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "iframe.srcdoc", id);
+    ReportTaintSink(aValue, "iframe.srcdoc", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLImageElement.cpp

@@ -301,9 +301,7 @@ nsresult HTMLImageElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* a
       (aName == nsGkAtoms::src || aName == nsGkAtoms::srcset)) {
     // Taintfox: img.src / img.srcset sink
     const char* sink = (aName == nsGkAtoms::src) ? "img.src" : "img.srcset";
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, sink, id);
+    ReportTaintSink(aValue, sink, this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLMediaElement.cpp

@@ -4744,9 +4744,7 @@ int32_t HTMLMediaElement::TabIndexDefault() { return 0; }
 nsresult HTMLMediaElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "media.src", id);
+    ReportTaintSink(aValue, "media.src", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLObjectElement.cpp

@@ -116,9 +116,7 @@ void HTMLObjectElement::UnbindFromTree(bool aNullParent) {
 nsresult HTMLObjectElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::data) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "object.data", id);
+    ReportTaintSink(aValue, "object.data", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLScriptElement.cpp

@@ -107,9 +107,7 @@ nsresult HTMLScriptElement::Clone(dom::NodeInfo* aNodeInfo,
 nsresult HTMLScriptElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "script.src", id);
+    ReportTaintSink(aValue, "script.src", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
@@ -146,9 +144,7 @@ void HTMLScriptElement::SetInnerHTML(const nsAString& aInnerHTML,
                                      ErrorResult& aError) {
   aError = nsContentUtils::SetNodeTextContent(this, aInnerHTML, true);
   // Taintfox: script.innerHTML sink
-  nsAutoString id;
-  this->GetId(id);
-  ReportTaintSink(aInnerHTML, "script.innerHTML", id); 
+  ReportTaintSink(aInnerHTML, "script.innerHTML", this); 
 }
 
 void HTMLScriptElement::GetText(nsAString& aValue, ErrorResult& aRv) const {
@@ -160,9 +156,7 @@ void HTMLScriptElement::GetText(nsAString& aValue, ErrorResult& aRv) const {
 void HTMLScriptElement::SetText(const nsAString& aValue, ErrorResult& aRv) {
   aRv = nsContentUtils::SetNodeTextContent(this, aValue, true);
   // Taintfox: script.text sink
-  nsAutoString id;
-  this->GetId(id);
-  ReportTaintSink(aValue, "script.text", id); 
+  ReportTaintSink(aValue, "script.text", this); 
 }
 
 // variation of this code in SVGScriptElement - check if changes
@@ -250,9 +244,7 @@ bool HTMLScriptElement::Supports(const GlobalObject& aGlobal,
 void HTMLScriptElement::SetTextContentInternal(const nsAString& aTextContent,
                                               nsIPrincipal* aScriptedPrincipal,
                                               ErrorResult& aError) {
-  nsAutoString id;
-  this->GetId(id);
-  ReportTaintSink(aTextContent, "script.textContent", id);
+  ReportTaintSink(aTextContent, "script.textContent", this);
   aError = nsContentUtils::SetNodeTextContent(this, aTextContent, true);
 }
 }  // namespace mozilla::dom

dom/html/HTMLSourceElement.cpp

@@ -79,9 +79,7 @@ nsresult HTMLSourceElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom*
       (aName == nsGkAtoms::src || aName == nsGkAtoms::srcset)) {
     // Taintfox: img.src / img.srcset sink
     const char* sink = (aName == nsGkAtoms::src) ? "source.src" : "source.srcset";
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, sink, id);
+    ReportTaintSink(aValue, sink, this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/html/HTMLTrackElement.cpp

@@ -494,9 +494,7 @@ void HTMLTrackElement::CancelChannelAndListener() {
 nsresult HTMLTrackElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
-    nsAutoString id;
-    this->GetId(id);
-    ReportTaintSink(aValue, "track.src", id);
+    ReportTaintSink(aValue, "track.src", this);
   }
 
   return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);

dom/tainting/nsTaintingUtils.cpp

@@ -407,6 +407,15 @@ nsresult ReportTaintSink(const nsAString &str, const char* name, const nsAString
   return ReportTaintSink(nsContentUtils::GetCurrentJSContext(), str, name, arg);
 }
 
+nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::dom::Element* element)
+{
+  nsAutoString elementDesc;
+  if (element) {
+    element->Describe(elementDesc);
+  }
+  return ReportTaintSink(str, name, elementDesc);
+}
+
 nsresult ReportTaintSink(const nsAString &str, const char* name)
 {
   return ReportTaintSink(nsContentUtils::GetCurrentJSContext(), str, name);

dom/tainting/nsTaintingUtils.h

@@ -73,6 +73,8 @@ nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name);
 // TaintFox: Report taint flows into DOM related sinks.
 nsresult ReportTaintSink(const nsAString &str, const char* name);
 
+nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::dom::Element* element);
+
 nsresult ReportTaintSink(const nsACString &str, const char* name);
 
 nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name, const nsAString &arg);

modules/libpref/init/all.js

@@ -4096,6 +4096,8 @@ pref("tainting.sink.fetch.url", true);
 pref("tainting.sink.form.action", true);
 pref("tainting.sink.iframe.src", true);
 pref("tainting.sink.iframe.srcdoc", true);
+pref("tainting.sink.img.src", true);
+pref("tainting.sink.img.srcset", true);
 pref("tainting.sink.innerHTML", true);
 pref("tainting.sink.insertAdjacentHTML", true);
 pref("tainting.sink.insertAdjacentText", true);
@@ -4123,6 +4125,8 @@ pref("tainting.sink.sessionStorage.setItem", true);
 pref("tainting.sink.sessionStorage.setItem(key)", true);
 pref("tainting.sink.setInterval", true);
 pref("tainting.sink.setTimeout", true);
+pref("tainting.sink.source", true);
+pref("tainting.sink.srcset", true);
 pref("tainting.sink.track.src", true);
 pref("tainting.sink.window.open", true);
 pref("tainting.sink.window.postMessage", true);