diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp
index 8da8e829bd000..cc044a95ea0be 100644
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -3920,9 +3920,7 @@ void Element::SetInnerHTML(const nsAString& aInnerHTML, ErrorResult& aError) { // TaintFox: innerHTML sink.
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aInnerHTML, "innerHTML", id);
+ ReportTaintSink(aInnerHTML, "innerHTML", this);
 SetInnerHTMLInternal(aInnerHTML, aError); }
@@ -3944,9 +3942,7 @@ void Element::SetOuterHTML(const nsAString& aOuterHTML, ErrorResult& aError) { } // TaintFox: outerHTML sink.
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aOuterHTML, "outerHTML", id);
+ ReportTaintSink(aOuterHTML, "outerHTML", this);
 if (OwnerDoc()->IsHTMLDocument()) { nsAtom* localName;
@@ -3996,7 +3992,7 @@ enum nsAdjacentPosition { eBeforeBegin, eAfterBegin, eBeforeEnd, eAfterEnd }; void Element::InsertAdjacentHTML(const nsAString& aPosition, const nsAString& aText, ErrorResult& aError) { // TaintFox: insertAdjacentHTML sink
- ReportTaintSink(aText, "insertAdjacentHTML");
+ ReportTaintSink(aText, "insertAdjacentHTML", this);
 nsAdjacentPosition position; if (aPosition.LowerCaseEqualsLiteral("beforebegin")) {
@@ -4127,7 +4123,7 @@ void Element::InsertAdjacentText(const nsAString& aWhere, RefPtr textNode = OwnerDoc()->CreateTextNode(aData); // TaintFox: insertAdjacentHTML sink
- ReportTaintSink(aData, "insertAdjacentText");
+ ReportTaintSink(aData, "insertAdjacentText", this);
 InsertAdjacent(aWhere, textNode, aError); }
diff --git a/dom/base/nsStyledElement.cpp b/dom/base/nsStyledElement.cpp
index 78bcfcd8b890f..a426014488412 100644
--- a/dom/base/nsStyledElement.cpp
+++ b/dom/base/nsStyledElement.cpp
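Review bot: The comment directly above the changed line in Element::InsertAdjacentText still reads `// TaintFox: insertAdjacentHTML sink`, while the sink name passed on the new line is "insertAdjacentText"; since the commit touches the line right below it, correct it to `// TaintFox: insertAdjacentText sink`. The InsertAdjacentHTML hunk just above carries the matching comment, so this looks like a copy-paste remnant rather than intent. The body of InsertAdjacentText starts before this hunk.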
@@ -59,9 +59,7 @@ bool nsStyledElement::ParseAttribute(int32_t aNamespaceID, nsAtom* aAttribute, nsresult nsStyledElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::style) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "element.style", id);
+ ReportTaintSink(aValue, "element.style", this);
 } return nsStyledElementBase::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLAnchorElement.cpp b/dom/html/HTMLAnchorElement.cpp
index 1eea670003e85..68c9a2b42021e 100644
--- a/dom/html/HTMLAnchorElement.cpp
+++ b/dom/html/HTMLAnchorElement.cpp
@@ -193,9 +193,7 @@ already_AddRefed HTMLAnchorElement::GetHrefURI() const { nsresult HTMLAnchorElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::href) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "a.href", id);
+ ReportTaintSink(aValue, "a.href", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLAreaElement.cpp b/dom/html/HTMLAreaElement.cpp
index f3aa5d9f422a8..b697c9eba782f 100644
--- a/dom/html/HTMLAreaElement.cpp
+++ b/dom/html/HTMLAreaElement.cpp
@@ -88,9 +88,7 @@ void HTMLAreaElement::UnbindFromTree(bool aNullParent) { nsresult HTMLAreaElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::href) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "area.href", id);
+ ReportTaintSink(aValue, "area.href", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLEmbedElement.cpp b/dom/html/HTMLEmbedElement.cpp
index 93586e1ab2397..ad07083be78b3 100644
--- a/dom/html/HTMLEmbedElement.cpp
+++ b/dom/html/HTMLEmbedElement.cpp
@@ -91,9 +91,7 @@ void HTMLEmbedElement::UnbindFromTree(bool aNullParent) { nsresult HTMLEmbedElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "embed.src", id);
+ ReportTaintSink(aValue, "embed.src", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp
index 11a945a4196e7..996160c703d05 100644
--- a/dom/html/HTMLFormElement.cpp
+++ b/dom/html/HTMLFormElement.cpp
@@ -2190,9 +2190,7 @@ void HTMLFormElement::MaybeFireFormRemoved() { nsresult HTMLFormElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::action) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "form.action", id);
+ ReportTaintSink(aValue, "form.action", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLIFrameElement.cpp b/dom/html/HTMLIFrameElement.cpp
index 1c80a79cc3a2c..687512e57af86 100644
--- a/dom/html/HTMLIFrameElement.cpp
+++ b/dom/html/HTMLIFrameElement.cpp
@@ -157,13 +157,9 @@ nsMapRuleToAttributesFunc HTMLIFrameElement::GetAttributeMappingFunction() nsresult HTMLIFrameElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "iframe.src", id);
+ ReportTaintSink(aValue, "iframe.src", this);
 } else if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::srcdoc) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "iframe.srcdoc", id);
+ ReportTaintSink(aValue, "iframe.srcdoc", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLImageElement.cpp b/dom/html/HTMLImageElement.cpp
index e1f32f268bafb..a0424fc004528 100644
--- a/dom/html/HTMLImageElement.cpp
+++ b/dom/html/HTMLImageElement.cpp
@@ -301,9 +301,7 @@ nsresult HTMLImageElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* a (aName == nsGkAtoms::src || aName == nsGkAtoms::srcset)) { // Taintfox: img.src / img.srcset sink const char* sink = (aName == nsGkAtoms::src) ? "img.src" : "img.srcset";
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, sink, id);
+ ReportTaintSink(aValue, sink, this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
index 15a11f39f5ff8..6bbb16b9dbd61 100644
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -4744,9 +4744,7 @@ int32_t HTMLMediaElement::TabIndexDefault() { return 0; } nsresult HTMLMediaElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "media.src", id);
+ ReportTaintSink(aValue, "media.src", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLObjectElement.cpp b/dom/html/HTMLObjectElement.cpp
index 55d52b4bd8f85..82c4a0eda9707 100644
--- a/dom/html/HTMLObjectElement.cpp
+++ b/dom/html/HTMLObjectElement.cpp
@@ -116,9 +116,7 @@ void HTMLObjectElement::UnbindFromTree(bool aNullParent) { nsresult HTMLObjectElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::data) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "object.data", id);
+ ReportTaintSink(aValue, "object.data", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLScriptElement.cpp b/dom/html/HTMLScriptElement.cpp
index eed3fd75181ce..b34da05792e1b 100644
--- a/dom/html/HTMLScriptElement.cpp
+++ b/dom/html/HTMLScriptElement.cpp
@@ -107,9 +107,7 @@ nsresult HTMLScriptElement::Clone(dom::NodeInfo* aNodeInfo, nsresult HTMLScriptElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "script.src", id);
+ ReportTaintSink(aValue, "script.src", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
@@ -146,9 +144,7 @@ void HTMLScriptElement::SetInnerHTML(const nsAString& aInnerHTML, ErrorResult& aError) { aError = nsContentUtils::SetNodeTextContent(this, aInnerHTML, true); // Taintfox: script.innerHTML sink
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aInnerHTML, "script.innerHTML", id);
+ ReportTaintSink(aInnerHTML, "script.innerHTML", this);
 } void HTMLScriptElement::GetText(nsAString& aValue, ErrorResult& aRv) const {
@@ -160,9 +156,7 @@ void HTMLScriptElement::GetText(nsAString& aValue, ErrorResult& aRv) const { void HTMLScriptElement::SetText(const nsAString& aValue, ErrorResult& aRv) { aRv = nsContentUtils::SetNodeTextContent(this, aValue, true); // Taintfox: script.text sink
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "script.text", id);
+ ReportTaintSink(aValue, "script.text", this);
 } // variation of this code in SVGScriptElement - check if changes
@@ -250,9 +244,7 @@ bool HTMLScriptElement::Supports(const GlobalObject& aGlobal, void HTMLScriptElement::SetTextContentInternal(const nsAString& aTextContent, nsIPrincipal* aScriptedPrincipal, ErrorResult& aError) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aTextContent, "script.textContent", id);
+ ReportTaintSink(aTextContent, "script.textContent", this);
 aError = nsContentUtils::SetNodeTextContent(this, aTextContent, true); } } // namespace mozilla::dom
diff --git a/dom/html/HTMLSourceElement.cpp b/dom/html/HTMLSourceElement.cpp
index 0e7ea3e5be14a..c2bfd57b867e9 100644
--- a/dom/html/HTMLSourceElement.cpp
+++ b/dom/html/HTMLSourceElement.cpp
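Review bot: HTMLScriptElement::SetTextContentInternal is the only sink in this file whose report line carries no `// Taintfox:` marker, unlike the script.innerHTML and script.text hunks above it; add `// Taintfox: script.textContent sink` above the changed line so all sinks in the file are found by the same search. It is also the one place here that reports before the text is written, whereas SetInnerHTML and SetText report after their SetNodeTextContent call; that ordering predates this commit, but with all three lines being touched it is a cheap moment to make the order the same in all three so a reader does not have to wonder whether the difference is meaningful.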
@@ -79,9 +79,7 @@ nsresult HTMLSourceElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* (aName == nsGkAtoms::src || aName == nsGkAtoms::srcset)) { // Taintfox: img.src / img.srcset sink const char* sink = (aName == nsGkAtoms::src) ? "source.src" : "source.srcset";
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, sink, id);
+ ReportTaintSink(aValue, sink, this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/html/HTMLTrackElement.cpp b/dom/html/HTMLTrackElement.cpp
index ea85aca56d9eb..0458d5f4c042e 100644
--- a/dom/html/HTMLTrackElement.cpp
+++ b/dom/html/HTMLTrackElement.cpp
@@ -494,9 +494,7 @@ void HTMLTrackElement::CancelChannelAndListener() { nsresult HTMLTrackElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName, const nsAString& aValue) { if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
- nsAutoString id;
- this->GetId(id);
- ReportTaintSink(aValue, "track.src", id);
+ ReportTaintSink(aValue, "track.src", this);
 } return nsGenericHTMLElement::CheckTaintSinkSetAttr(aNamespaceID, aName, aValue);
diff --git a/dom/tainting/nsTaintingUtils.cpp b/dom/tainting/nsTaintingUtils.cpp
index f0a6147600ce0..4628e311e7077 100644
--- a/dom/tainting/nsTaintingUtils.cpp
+++ b/dom/tainting/nsTaintingUtils.cpp
@@ -407,6 +407,15 @@ nsresult ReportTaintSink(const nsAString &str, const char* name, const nsAString return ReportTaintSink(nsContentUtils::GetCurrentJSContext(), str, name, arg); }
+nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::dom::Element* element)
+{
+ nsAutoString elementDesc;
+ if (element) {
+ element->Describe(elementDesc);
+ }
+ return ReportTaintSink(str, name, elementDesc);
+}
+
 nsresult ReportTaintSink(const nsAString &str, const char* name) { return ReportTaintSink(nsContentUtils::GetCurrentJSContext(), str, name);
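Review bot: The comment above the changed line in HTMLSourceElement::CheckTaintSinkSetAttr still says `// Taintfox: img.src / img.srcset sink`, although the sink names chosen on the very next line are "source.src" and "source.srcset"; it appears to have been copied from HTMLImageElement and should read `// Taintfox: source.src / source.srcset sink`. The function's opening condition starts before this hunk.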
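Review bot: The new ReportTaintSink overload forwards whatever Element::Describe writes as the sink's argument, and Describe is, as far as I recall, the debugging helper that appends the element's qualified name, its object address and every attribute value — so a report that previously carried only the id would now carry a heap pointer and the full attribute list, which for the attribute sinks in this commit includes the tainted value itself and any other attribute contents on the element. If that is what Describe emits in this tree, build the report from a deliberately narrow description (tag name plus id) instead, as sketched below; the existing `if (element)` guard still covers the null case and the forward to the `const nsAString&` overload is unchanged. I cannot see Describe's body in this diff, so please confirm its output before deciding.

```cpp
nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::dom::Element* element)
{
  nsAutoString elementDesc;
  if (element) {
    // Narrow on purpose: tag name and id only. Keep the object address and the
    // attribute dump that Element::Describe produces out of the sink report.
    elementDesc.Append(element->NodeInfo()->QualifiedName());
    nsAutoString id;
    element->GetId(id);
    if (!id.IsEmpty()) {
      elementDesc.AppendLiteral(" id=");
      elementDesc.Append(id);
    }
  }
  return ReportTaintSink(str, name, elementDesc);
}
```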
diff --git a/dom/tainting/nsTaintingUtils.h b/dom/tainting/nsTaintingUtils.h
index b2711383bb970..e342cb7863696 100644
--- a/dom/tainting/nsTaintingUtils.h
+++ b/dom/tainting/nsTaintingUtils.h
@@ -73,6 +73,8 @@ nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name); // TaintFox: Report taint flows into DOM related sinks. nsresult ReportTaintSink(const nsAString &str, const char* name);
+nsresult ReportTaintSink(const nsAString &str, const char* name, const mozilla::dom::Element* element);
+
 nsresult ReportTaintSink(const nsACString &str, const char* name); nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name, const nsAString &arg);
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 5b87021330690..62d179775cd51 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -4096,6 +4096,8 @@ pref("tainting.sink.fetch.url", true); pref("tainting.sink.form.action", true); pref("tainting.sink.iframe.src", true); pref("tainting.sink.iframe.srcdoc", true);
+pref("tainting.sink.img.src", true);
+pref("tainting.sink.img.srcset", true);
 pref("tainting.sink.innerHTML", true); pref("tainting.sink.insertAdjacentHTML", true); pref("tainting.sink.insertAdjacentText", true);
@@ -4123,6 +4125,8 @@ pref("tainting.sink.sessionStorage.setItem", true); pref("tainting.sink.sessionStorage.setItem(key)", true); pref("tainting.sink.setInterval", true); pref("tainting.sink.setTimeout", true);
+pref("tainting.sink.source", true);
+pref("tainting.sink.srcset", true);
 pref("tainting.sink.track.src", true); pref("tainting.sink.window.open", true); pref("tainting.sink.window.postMessage", true);
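Review bot: The added declaration names `mozilla::dom::Element`, but nothing in the hunk shows the header forward-declaring that type; unless an include already present in nsTaintingUtils.h brings it in, add `namespace mozilla::dom { class Element; }` near the top of the header so that including it on its own still compiles. The new overload also deserves one line of documentation, since the `// TaintFox: Report taint flows into DOM related sinks.` comment two lines above does not say what the third parameter is for; I would put `// As above; element may be null and, when given, is described in the report to identify the sink's owner.` directly above it.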
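Review bot: The two prefs added in the second hunk, `tainting.sink.source` and `tainting.sink.srcset`, do not match the sink names the C++ side reports for the source element, which are "source.src" and "source.srcset" in HTMLSourceElement.cpp; every other entry in this list mirrors its sink name one-to-one (`tainting.sink.img.src` for "img.src", `tainting.sink.track.src` for "track.src"), so if the pref key is derived from the sink name these two sinks end up with no switch at all. They should read `pref("tainting.sink.source.src", true);` and `pref("tainting.sink.source.srcset", true);`. I am inferring the key derivation from the naming pattern, as the lookup code is not part of this diff.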