script.textContent sink

One of the browser tests did fail due to a) not resetting the script, and, b) testing for script.textContent which was not declared as a sink before. This PR resolves the test issue und adds support for the script.textContent sink.

Author: leeN

dom/html/HTMLScriptElement.cpp

@@ -126,6 +126,15 @@ nsresult HTMLScriptElement::Clone(dom::NodeInfo* aNodeInfo,
   return NS_OK;
 }
 
+void HTMLScriptElement::SetTextContentInternal(const nsAString& aTextContent,
+  nsIPrincipal* aSubjectPrincipal,
+  ErrorResult& aError) {
+    if(aTextContent.isTainted()) {
+      ReportTaintSink(aTextContent, "script.textContent", this);
+    }
+    FragmentOrElement::SetTextContentInternal(aTextContent, aSubjectPrincipal, aError);
+  }
+
 nsresult HTMLScriptElement::CheckTaintSinkSetAttr(int32_t aNamespaceID, nsAtom* aName,
                                                   const nsAString& aValue) {
   if (aNamespaceID == kNameSpaceID_None && aName == nsGkAtoms::src) {

dom/html/HTMLScriptElement.h

@@ -152,6 +152,9 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
   [[nodiscard]] static bool Supports(const GlobalObject& aGlobal,
                                      const nsAString& aType);
 
+  virtual void SetTextContentInternal(const nsAString& aTextContent,
+                                      nsIPrincipal* aSubjectPrincipal,
+                                      ErrorResult& aError) override;
  protected:
   virtual ~HTMLScriptElement();
 

taint/test/mochitest/test_script_sinks.html

@@ -19,29 +19,38 @@
 
       SimpleTest.waitForExplicitFinish();
       addEventListener("__taintreport", (report) => {
-          SimpleTest.is(report.detail.str, "tainted=hello", "Check sink string content");
-
+        if(i == 0) {
+          SimpleTest.is(report.detail.str, "url", "Check sink string content");
+        } else {
+          SimpleTest.is(report.detail.str, "console.log();", "Check sink string content");
+        }
           let flow = report.detail.str.taint[0].flow;
-          SimpleTest.is(flow[2].operation, sink_names[i]);
+          SimpleTest.is(flow[2].operation, sink_names[i], `${sink_names[i]} sink test`);
 
           i += 1;
           if (i >= sink_names.length) {
               SimpleTest.finish();
           }
       }, false);
 
+      function setScriptProperty(text, f) {
+        let script = document.createElement("script");
+        script.id = "tempscript";
+        f(script, text);
+        document.body.appendChild(script);
+        document.body.removeChild(script);
+      }
+
       function startTest() {
-          let tainted = String.tainted("tainted=hello");
-          let script = document.getElementById("emptyScript");
-          script.src = tainted;
-          script.text = tainted;
-          script.innerHTML = tainted;
-          script.textContent = tainted;
+          let tainted = String.tainted("console.log();");
+          setScriptProperty(String.tainted("url"), (s,t) => s.src = t);
+          setScriptProperty(tainted, (s,t) => s.text = t);
+          setScriptProperty(tainted, (s,t) => s.innerHTML = t);
+          setScriptProperty(tainted, (s,t) => s.textContent = t);
       }
 
     </script>
-    <script id="emptyScript">
-    </script>
+
   </head>
 
   <body onload="startTest();">