Merge pull request #273 from leeN/node-normalize-taint

leeN · web-flow · commit d5957feac19d · 2025-03-18T12:55:12.000+01:00
Fixes Node.normalize() losing taints
diff --git a/dom/base/nsINode.cpp b/dom/base/nsINode.cpp
@@ -975,13 +975,14 @@ void nsINode::Normalize() {
           "mutation events messed us up");
       if (!hasRemoveListeners || (target && target->NodeType() == TEXT_NODE)) {
         nsTextNode* t = static_cast<nsTextNode*>(target);
+        SafeStringTaint taint = text->Taint();
         if (text->Is2b()) {
-          t->AppendTextForNormalize(text->Get2b(), text->GetLength(), true,
+          t->AppendTextForNormalize(text->Get2b(), text->GetLength(), taint, true,
                                     node);
         } else {
           tmpStr.Truncate();
           text->AppendTo(tmpStr);
-          t->AppendTextForNormalize(tmpStr.get(), tmpStr.Length(), true, node);
+          t->AppendTextForNormalize(tmpStr.get(), tmpStr.Length(), taint, true, node);
         }
       }
     }
diff --git a/dom/base/nsTextNode.cpp b/dom/base/nsTextNode.cpp
@@ -106,12 +106,11 @@ already_AddRefed<CharacterData> nsTextNode::CloneDataNode(
 }
 
 nsresult nsTextNode::AppendTextForNormalize(const char16_t* aBuffer,
-                                            uint32_t aLength, bool aNotify,
+                                            uint32_t aLength, const StringTaint& aTaint, bool aNotify,
                                             nsIContent* aNextSibling) {
   CharacterDataChangeInfo::Details details = {
       CharacterDataChangeInfo::Details::eMerge, aNextSibling};
-  // TaintFox: no taint information available here. TODO(samuel) can add aTaint?
-  return SetTextInternal(mText.GetLength(), 0, aBuffer, aLength, aNotify, EmptyTaint,
+  return SetTextInternal(mText.GetLength(), 0, aBuffer, aLength, aNotify, aTaint,
                          &details);
 }
 
diff --git a/dom/base/nsTextNode.h b/dom/base/nsTextNode.h
@@ -47,7 +47,7 @@ class nsTextNode : public mozilla::dom::Text {
   nsresult BindToTree(BindContext&, nsINode& aParent) override;
   void UnbindFromTree(UnbindContext&) override;
 
-  nsresult AppendTextForNormalize(const char16_t* aBuffer, uint32_t aLength,
+  nsresult AppendTextForNormalize(const char16_t* aBuffer, uint32_t aLength, const StringTaint& taint,
                                   bool aNotify, nsIContent* aNextSibling);
 
 #ifdef MOZ_DOM_LIST
diff --git a/taint/test/mochitest/test_dom.html b/taint/test/mochitest/test_dom.html
@@ -212,6 +212,24 @@
 
       });
 
+      add_task(async function test_node_normalize() {
+        const wrapper = document.createElement("div");
+
+        wrapper.appendChild(document.createTextNode("Values: "));      
+        wrapper.appendChild(document.createTextNode(String.tainted("taint1")));
+        wrapper.appendChild(document.createTextNode(" - "));      
+        wrapper.appendChild(document.createTextNode(String.tainted("taint2")));
+        check_untainted(wrapper.childNodes[0].textContent);
+        check_tainted(wrapper.childNodes[1].textContent);
+        check_untainted(wrapper.childNodes[2].textContent);
+        check_tainted(wrapper.childNodes[3].textContent);
+        wrapper.normalize();
+        let text = wrapper.firstChild.textContent;
+        check_tainted(text);
+        is(text.taint.length,2, "Two flows");
+
+      });
+
     </script>
   </head>
   <body>

Original file line number	Diff line number	Diff line change
`@@ -975,13 +975,14 @@ void nsINode::Normalize() {`
`975`	`975`	`"mutation events messed us up");`
`976`	`976`	`if (!hasRemoveListeners \|\| (target && target->NodeType() == TEXT_NODE)) {`
`977`	`977`	`nsTextNode* t = static_cast<nsTextNode*>(target);`
	`978`	`+ SafeStringTaint taint = text->Taint();`
`978`	`979`	`if (text->Is2b()) {`
`979`		`- t->AppendTextForNormalize(text->Get2b(), text->GetLength(), true,`
	`980`	`+ t->AppendTextForNormalize(text->Get2b(), text->GetLength(), taint, true,`
`980`	`981`	`node);`
`981`	`982`	`} else {`
`982`	`983`	`tmpStr.Truncate();`
`983`	`984`	`text->AppendTo(tmpStr);`
`984`		`- t->AppendTextForNormalize(tmpStr.get(), tmpStr.Length(), true, node);`
	`985`	`+ t->AppendTextForNormalize(tmpStr.get(), tmpStr.Length(), taint, true, node);`
`985`	`986`	`}`
`986`	`987`	`}`
`987`	`988`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,12 +106,11 @@ already_AddRefed<CharacterData> nsTextNode::CloneDataNode(`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`nsresult nsTextNode::AppendTextForNormalize(const char16_t* aBuffer,`
`109`		`- uint32_t aLength, bool aNotify,`
	`109`	`+ uint32_t aLength, const StringTaint& aTaint, bool aNotify,`
`110`	`110`	`nsIContent* aNextSibling) {`
`111`	`111`	`CharacterDataChangeInfo::Details details = {`
`112`	`112`	`CharacterDataChangeInfo::Details::eMerge, aNextSibling};`
`113`		`- // TaintFox: no taint information available here. TODO(samuel) can add aTaint?`
`114`		`- return SetTextInternal(mText.GetLength(), 0, aBuffer, aLength, aNotify, EmptyTaint,`
	`113`	`+ return SetTextInternal(mText.GetLength(), 0, aBuffer, aLength, aNotify, aTaint,`
`115`	`114`	`&details);`
`116`	`115`	`}`
`117`	`116`