Skip to content

Commit

Permalink
Add script protection mechanisms to SVGScriptElement
Browse files Browse the repository at this point in the history
  • Loading branch information
lukewarlow committed Jun 12, 2024
1 parent a1862e5 commit 8ad33ec
Showing 1 changed file with 39 additions and 9 deletions.
48 changes: 39 additions & 9 deletions spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ spec:ECMA-262; urlPrefix: https://tc39.github.io/ecma262/
spec: HTML; urlPrefix: https://html.spec.whatwg.org/
type: dfn; text: prepare the script element; url: prepare-the-script-element
type: dfn; text: The text insertion mode; url: parsing-main-incdata
type: dfn; text: The rules for parsing tokens in foreign content; url: parsing-main-inforeign
type: dfn; text: reentrant invocation of the parser; url: nestedParsing
type: dfn; text: get the text steps; url: get-the-text-steps
type: dfn; text: set the inner text steps; url: set-the-inner-text-steps
Expand Down Expand Up @@ -1070,8 +1071,8 @@ Given a {{TrustedType}} type (|expectedType|), a [=realm/global object=] (|globa

Given an {{HTMLScriptElement}} (|script|), this algorithm performs the following steps:

1. If |script|'s [=script text=] value is not equal to its [=child text content=],
set |script|'s [=script text=] to the result of executing [$Get Trusted Type compliant string$], with the following arguments:
1. If |script|'s [=HTMLScriptElement/script text=] value is not equal to its [=child text content=],
set |script|'s [=HTMLScriptElement/script text=] to the result of executing [$Get Trusted Type compliant string$], with the following arguments:
* {{TrustedScriptURL}} as |expectedType|,
* |script|'s {{Document}}'s [=relevant global object=] as |global|,
* |script|'s [=child text content=] attribute value,
Expand Down Expand Up @@ -1177,14 +1178,21 @@ This document modifies {{HTMLScriptElement}}s. Each script has:
through a compliant sink. Equivalent to script's
[=child text content=]. Initially an empty string.

This document also modifies {{SVGScriptElement}}s. Each script has:

: an associated string <dfn export for="SVGScriptElement">script text</dfn>.
:: A string, containing the body of the script to execute that was set
through a compliant sink. Equivalent to script's
[=child text content=]. Initially an empty string.

#### The {{HTMLScriptElement/innerText}} IDL attribute #### {#the-innerText-idl-attribute}

The {{HTMLScriptElement/innerText}} setter steps are:

1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement innerText`, and
`script`.
1. Set [=this=]'s [=script text=] value to |value|.
1. Set [=this=]'s [=HTMLScriptElement/script text=] value to |value|.
1. Run [=set the inner text steps=] with [=this=] and |value|.

The {{HTMLScriptElement/innerText}} getter steps are:
Expand All @@ -1199,7 +1207,7 @@ empty string instead, and then do as described below:
1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement textContent`, and
`script`.
1. Set [=this=]'s [=script text=] value to |value|.
1. Set [=this=]'s [=HTMLScriptElement/script text=] value to |value|.
1. Run [=set text content=] with [=this=] and |value|.

The {{HTMLScriptElement/textContent}} getter steps are:
Expand All @@ -1213,7 +1221,7 @@ Update the {{HTMLScriptElement/text}} setter steps algorithm as follows.
1. <ins>Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement text`, and
`script`.</ins>
1. <ins>Set [=this=]'s [=script text=] value to the given value.</ins>
1. <ins>Set [=this=]'s [=HTMLScriptElement/script text=] value to the given value.</ins>
1. [=String replace all=] with the given value within [=this=].


Expand All @@ -1228,7 +1236,7 @@ The {{HTMLScriptElement/src}} setter steps are:

#### Setting slot values from parser #### {#setting-slot-values-from-parser}

This document modifies the HTML parser to set the [=script text=] value when the script is created.
This document modifies the HTML parser to set the [=HTMLScriptElement/script text=] value when the script is created.

Modify the [=The text insertion mode=] algorithm as follows:

Expand All @@ -1237,7 +1245,7 @@ Modify the [=The text insertion mode=] algorithm as follows:
<dd>
<p>...</p>

<ins><p>Set <var>script</var>'s [=script text=] value to its [=child text content=].</p></ins>
<ins><p>Set <var>script</var>'s [=HTMLScriptElement/script text=] value to its [=child text content=].</p></ins>

<p>If the <span>active speculative HTML parser</span> is null, then <span>prepare the script
element</span> <var>script</var>. This might cause some script to execute, which might cause
Expand All @@ -1248,7 +1256,27 @@ Modify the [=The text insertion mode=] algorithm as follows:
</dd>
</dl>

Issue: The above algorithm doesn't account for the case when the script element's content is changed mid-parse. Implementors should ensure they protect against this case. See [https://github.com/w3c/trusted-types/issues/507](https://github.com/w3c/trusted-types/issues/507).
This document also modifies the HTML parser to set the [=SVGScriptElement/script text=] value when the script is created.

Modify the [=The rules for parsing tokens in foreign content=] as follows:

<dl class="switch">
<dt id="scriptForeignEndTag">An end tag whose tag name is "script", if the <span>current
node</span> is an <span>SVG <code>script</code></span> element</dt>
<dd>
<p>...</p>

<ins><p>Set <var>script</var>'s [=SVGScriptElement/script text=] value to its [=child text content=].</p></ins>

<p>If the <span>active speculative HTML parser</span> is null and the user agent supports SVG,
then <a href="https://www.w3.org/TR/SVGMobile12/script.html#ScriptContentProcessing">Process the
SVG <code data-x="">script</code> element</a> according to the SVG rules. <ref>SVG</ref></p>

<p>...</p>
</dd>
</dl>

Issue: The above algorithms don't account for the case when the script element's content is changed mid-parse. Implementors should ensure they protect against this case. See [https://github.com/w3c/trusted-types/issues/507](https://github.com/w3c/trusted-types/issues/507).

#### Slot value verification #### {#slot-value-verification}

Expand All @@ -1270,10 +1298,12 @@ The first few steps of the [=prepare the script element=] algorithm are modified
run when the parser tries to run it, but it is later executed after a script dynamically
updates it, it will execute in an async fashion even if the <code id=script-processing-model:attr-script-async-5><a href=https://html.spec.whatwg.org/#attr-script-async>async</a></code> attribute isn't set.</p>
<li><ins><p>Execute the [$Prepare the script text$] algorithm on <var>el</var>. If that algorithm threw an error, then return.</p></ins></li>
<li><p>Let <var ignore="">source text</var> be <var>el</var>'s <del><a id=script-processing-model:child-text-content href=https://dom.spec.whatwg.org/#concept-child-text-content data-x-internal=child-text-content>child text content</a>.</del> <ins>[=script text=] value.</ins>
<li><p>Let <var ignore="">source text</var> be <var>el</var>'s <del><a id=script-processing-model:child-text-content href=https://dom.spec.whatwg.org/#concept-child-text-content data-x-internal=child-text-content>child text content</a>.</del> <ins>[=HTMLScriptElement/script text=] value.</ins>
<li>...
</ol>

Issue: There's no proper definition for the processing of SVG script elements. However, you should apply a similar change to the processing of {{SVGScriptElement}}s.

### HostEnsureCanCompileStrings ### {#host-ensure-can-compile-strings}

JavaScript contains an <span>implementation-defined</span> <a href="https://tc39.es/ecma262/#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings</a>(<var>realm</var>, <ins><var>parameterStrings</var>,
Expand Down

0 comments on commit 8ad33ec

Please sign in to comment.