From 8ad33ec2118e18b4955a042a8dfff8933ac8c13e Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Wed, 12 Jun 2024 15:32:45 +0200 Subject: [PATCH] Add script protection mechanisms to SVGScriptElement --- spec/index.bs | 48 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 91962fb..6606fc7 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -122,6 +122,7 @@ spec:ECMA-262; urlPrefix: https://tc39.github.io/ecma262/ spec: HTML; urlPrefix: https://html.spec.whatwg.org/ type: dfn; text: prepare the script element; url: prepare-the-script-element type: dfn; text: The text insertion mode; url: parsing-main-incdata + type: dfn; text: The rules for parsing tokens in foreign content; url: parsing-main-inforeign type: dfn; text: reentrant invocation of the parser; url: nestedParsing type: dfn; text: get the text steps; url: get-the-text-steps type: dfn; text: set the inner text steps; url: set-the-inner-text-steps @@ -1070,8 +1071,8 @@ Given a {{TrustedType}} type (|expectedType|), a [=realm/global object=] (|globa Given an {{HTMLScriptElement}} (|script|), this algorithm performs the following steps: -1. If |script|'s [=script text=] value is not equal to its [=child text content=], - set |script|'s [=script text=] to the result of executing [$Get Trusted Type compliant string$], with the following arguments: +1. If |script|'s [=HTMLScriptElement/script text=] value is not equal to its [=child text content=], + set |script|'s [=HTMLScriptElement/script text=] to the result of executing [$Get Trusted Type compliant string$], with the following arguments: * {{TrustedScriptURL}} as |expectedType|, * |script|'s {{Document}}'s [=relevant global object=] as |global|, * |script|'s [=child text content=] attribute value, 
@@ -1177,6 +1178,13 @@ This document modifies {{HTMLScriptElement}}s. Each script has: through a compliant sink. Equivalent to script's [=child text content=]. Initially an empty string. +This document also modifies {{SVGScriptElement}}s. Each script has: + +: an associated string script text. +:: A string, containing the body of the script to execute that was set + through a compliant sink. Equivalent to script's + [=child text content=]. Initially an empty string. + #### The {{HTMLScriptElement/innerText}} IDL attribute #### {#the-innerText-idl-attribute} The {{HTMLScriptElement/innerText}} setter steps are: @@ -1184,7 +1192,7 @@ The {{HTMLScriptElement/innerText}} setter steps are: 1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with {{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement innerText`, and `script`. -1. Set [=this=]'s [=script text=] value to |value|. +1. Set [=this=]'s [=HTMLScriptElement/script text=] value to |value|. 1. Run [=set the inner text steps=] with [=this=] and |value|. The {{HTMLScriptElement/innerText}} getter steps are: @@ -1199,7 +1207,7 @@ empty string instead, and then do as described below: 1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with {{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement textContent`, and `script`. -1. Set [=this=]'s [=script text=] value to |value|. +1. Set [=this=]'s [=HTMLScriptElement/script text=] value to |value|. 1. Run [=set text content=] with [=this=] and |value|. The {{HTMLScriptElement/textContent}} getter steps are: 
@@ -1213,7 +1221,7 @@ Update the {{HTMLScriptElement/text}} setter steps algorithm as follows. 1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with {{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement text`, and `script`. -1. Set [=this=]'s [=script text=] value to the given value. +1. Set [=this=]'s [=HTMLScriptElement/script text=] value to the given value. 1. [=String replace all=] with the given value within [=this=]. @@ -1228,7 +1236,7 @@ The {{HTMLScriptElement/src}} setter steps are: #### Setting slot values from parser #### {#setting-slot-values-from-parser} -This document modifies the HTML parser to set the [=script text=] value when the script is created. +This document modifies the HTML parser to set the [=HTMLScriptElement/script text=] value when the script is created. Modify the [=The text insertion mode=] algorithm as follows: @@ -1237,7 +1245,7 @@ Modify the [=The text insertion mode=] algorithm as follows:

...

-

Set script's [=script text=] value to its [=child text content=].

+

Set script's [=HTMLScriptElement/script text=] value to its [=child text content=].

If the active speculative HTML parser is null, then prepare the script element script. This might cause some script to execute, which might cause @@ -1248,7 +1256,27 @@ Modify the [=The text insertion mode=] algorithm as follows:

-Issue: The above algorithm doesn't account for the case when the script element's content is changed mid-parse. Implementors should ensure they protect against this case. See [https://github.com/w3c/trusted-types/issues/507](https://github.com/w3c/trusted-types/issues/507). +This document also modifies the HTML parser to set the [=SVGScriptElement/script text=] value when the script is created. + +Modify the [=The rules for parsing tokens in foreign content=] as follows: + +
+
An end tag whose tag name is "script", if the current + node is an SVG script element
+
+

...

+ +

Set script's [=SVGScriptElement/script text=] value to its [=child text content=].

+ +

If the active speculative HTML parser is null and the user agent supports SVG, + then Process the + SVG script element according to the SVG rules. SVG

+ +

...

+
+
+ +Issue: The above algorithms don't account for the case when the script element's content is changed mid-parse. Implementors should ensure they protect against this case. See [https://github.com/w3c/trusted-types/issues/507](https://github.com/w3c/trusted-types/issues/507). #### Slot value verification #### {#slot-value-verification} @@ -1270,10 +1298,12 @@ The first few steps of the [=prepare the script element=] algorithm are modified run when the parser tries to run it, but it is later executed after a script dynamically updates it, it will execute in an async fashion even if the async attribute isn't set.

  • Execute the [$Prepare the script text$] algorithm on el. If that algorithm threw an error, then return.

  • -
  • Let source text be el's child text content. [=script text=] value. +

  • Let source text be el's child text content. [=HTMLScriptElement/script text=] value.

  • ... +Issue: There's no proper definition for the processing of SVG script elements. However, you should apply a similar change to the processing of {{SVGScriptElement}}s. + ### HostEnsureCanCompileStrings ### {#host-ensure-can-compile-strings} JavaScript contains an implementation-defined HostEnsureCanCompileStrings(realm, parameterStrings,
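Review bot: In the @@ -1070 hunk the unchanged context line `* {{TrustedScriptURL}} as |expectedType|,` names the wrong Trusted Type for script body text: the step compares the element's script text with its child text content, and every setter touched later in this patch (innerText, textContent, text) validates that same content against {{TrustedScript}}. With the SVGScriptElement slot now expected to rely on the same check, this is worth correcting while the surrounding step is being edited; change it to `* {{TrustedScript}} as |expectedType|,` so the default policy is invoked with the type name the sink actually requires.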
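Review bot: The @@ -1177 hunk adds the SVGScriptElement script text slot, but nothing in the patch keeps that slot in sync after parsing: the HTMLScriptElement slot is updated by the innerText, textContent and text setter steps modified below, whereas the SVG slot is only written by the parser in the @@ -1248 hunk. A later change to the SVG script's content through Node's textContent or child mutation leaves the slot stale, and since no algorithm consumes it yet (see the Issue added in the @@ -1270 hunk) the slot does not protect anything on its own. Suggest adding textContent setter steps for SVGScriptElement that mirror the HTMLScriptElement ones (a sink such as `SVGScriptElement textContent` and sink group `script`), and confirm the new dfn is declared for SVGScriptElement so that the `[=SVGScriptElement/script text=]` references used elsewhere in the patch resolve and do not collide with the HTMLScriptElement dfn of the same name.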
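Review bot: In the @@ -1213 hunk the modified line `1. Set [=this=]'s [=HTMLScriptElement/script text=] value to the given value.` still stores the raw setter argument rather than the validated result, unlike the innerText and textContent setters in the @@ -1184 and @@ -1199 hunks, which both set the slot to `|value|`. Since the argument may be a TrustedScript object rather than a string, the slot and the `String replace all` step below it should both use `|value|`; this is a one-word fix on a line the hunk already rewrites.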
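Review bot: In the @@ -1248 hunk the new step `Set script's [=SVGScriptElement/script text=] value to its [=child text content=].` refers to a variable |script| that no step in the foreign-content context defines: that section of the HTML parser only speaks of "the current node" (as the inserted heading "An end tag whose tag name is "script", if the current node is an SVG script element" shows), while the text insertion mode hunk above relies on the HTML spec's own `script` variable. Either add "Let script be the current node" before the new step or phrase it in terms of the current node, and make sure the slot is set before the node is popped off the stack of open elements so the value is captured from the element that "Process the SVG script element" will run. The shared Issue wording "Implementors should ensure they protect against this case" also now covers two algorithms; consider stating explicitly that both the HTML and SVG slots are affected by mid-parse mutation.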
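Review bot: The Issue added in the @@ -1270 hunk ("There's no proper definition for the processing of SVG script elements. However, you should apply a similar change to the processing of {{SVGScriptElement}}s.") leaves the SVG side of the protection unspecified, so the commit's title claim is only half delivered: the slot is populated by the parser but no algorithm compares it with the element's child text content before execution. Suggest at least stating the intended check normatively (that the element's script text is compared with its child text content, and revalidated through a compliant sink if they differ, before the SVG script is processed), replacing the second-person "you should" with spec register ("user agents should", or "implementers"), and linking a tracking issue for the missing SVG processing definition, as the earlier Issue does for the mid-parse mutation case.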