Bug 1342348 part 1 - Don't check fragment url in tree sanitizer. r=hsivonen
authorXidorn Quan <me@upsuper.org>
Tue, 28 Feb 2017 10:21:33 +1100
changeset 345115 661208405ab2221c1fe819b012552319bd519373
parent 345114 3cbede0babaf680ffec2a15e93fdf7df45e9ad38
child 345116 8894970bdee6fd843deb6f50ec0f7bc33b4214c0
push id38060
push userxquan@mozilla.com
push dateTue, 28 Feb 2017 01:09:29 +0000
treeherderautoland@8894970bdee6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewershsivonen
bugs1342348
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1342348 part 1 - Don't check fragment url in tree sanitizer. r=hsivonen MozReview-Commit-ID: 8tIiMtexHxd
dom/base/nsTreeSanitizer.cpp
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1276,16 +1276,20 @@ nsTreeSanitizer::SanitizeURL(mozilla::do
 {
   nsAutoString value;
   aElement->GetAttr(aNamespace, aLocalName, value);
 
   // Get value and remove mandatory quotes
   static const char* kWhitespace = "\n\r\t\b";
   const nsAString& v =
     nsContentUtils::TrimCharsInSet(kWhitespace, value);
+  // Fragment-only url cannot be harmful.
+  if (!v.IsEmpty() && v.First() == u'#') {
+    return false;
+  }
 
   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
   uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
 
   nsCOMPtr<nsIURI> baseURI = aElement->GetBaseURI();
   nsCOMPtr<nsIURI> attrURI;
   nsresult rv = NS_NewURI(getter_AddRefs(attrURI), v, nullptr, baseURI);
   if (NS_SUCCEEDED(rv)) {