Merge pull request #282 from leeN/script-textContent-sink

leeN · web-flow · commit b6e7487afacf · 2025-03-28T19:53:30.000+01:00
script.textContent sink
diff --git a/dom/html/HTMLScriptElement.cpp b/dom/html/HTMLScriptElement.cpp
@@ -126,6 +126,15 @@ nsresult HTMLScriptElement::Clone(dom::NodeInfo* aNodeInfo,
   return NS_OK;
 }
 
+void HTMLScriptElement::SetTextContentInternal(const nsAString& aTextContent,
+  nsIPrincipal* aSubjectPrincipal,
+  ErrorResult& aError) {
+    if(aTextContent.isTainted()) {
+      ReportTaintSink(aTextContent, "script.textContent", this);
+    }
+    FragmentOrElement::SetTextContentInternal(aTextContent, aSubjectPrincipal, aError);
+  }
+
 nsresult HTMLScriptElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {
diff --git a/dom/html/HTMLScriptElement.h b/dom/html/HTMLScriptElement.h
@@ -152,6 +152,9 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
   [[nodiscard]] static bool Supports(const GlobalObject& aGlobal,
                                      const nsAString& aType);
 
+  virtual void SetTextContentInternal(const nsAString& aTextContent,
+                                      nsIPrincipal* aSubjectPrincipal,
+                                      ErrorResult& aError) override;
  protected:
   virtual ~HTMLScriptElement();
 
diff --git a/taint/test/mochitest/test_script_sinks.html b/taint/test/mochitest/test_script_sinks.html
@@ -19,29 +19,38 @@
       
       SimpleTest.waitForExplicitFinish();
       addEventListener("__taintreport", (report) => {
-          SimpleTest.is(report.detail.str, "tainted=hello", "Check sink string content");
-
+        if(i == 0) {
+          SimpleTest.is(report.detail.str, "url", "Check sink string content");
+        } else {
+          SimpleTest.is(report.detail.str, "console.log();", "Check sink string content");
+        }
           let flow = report.detail.str.taint[0].flow;
-          SimpleTest.is(flow[2].operation, sink_names[i]);
+          SimpleTest.is(flow[2].operation, sink_names[i], `${sink_names[i]} sink test`);
 
           i += 1;
           if (i >= sink_names.length) {
               SimpleTest.finish();
           }
       }, false);
 
+      function setScriptProperty(text, f) {
+        let script = document.createElement("script");
+        script.id = "tempscript";
+        f(script, text);
+        document.body.appendChild(script);
+        document.body.removeChild(script);
+      }
+
       function startTest() {
-          let tainted = String.tainted("tainted=hello");
-          let script = document.getElementById("emptyScript");
-          script.src = tainted;
-          script.text = tainted;
-          script.innerHTML = tainted;
-          script.textContent = tainted;
+          let tainted = String.tainted("console.log();");
+          setScriptProperty(String.tainted("url"), (s,t) => s.src = t);
+          setScriptProperty(tainted, (s,t) => s.text = t);
+          setScriptProperty(tainted, (s,t) => s.innerHTML = t);
+          setScriptProperty(tainted, (s,t) => s.textContent = t);
       }
       
     </script>
-    <script id="emptyScript">
-    </script>
+
   </head>
 
   <body onload="startTest();">
