Mercurial > mozilla-central / changeset / 396c4eb0222a9230ae9fe201d7cac78486af8c51
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1691621 - fix bad cast r=emilio
authorFrederik Braun <fbraun@mozilla.com>
Wed, 10 Feb 2021 12:36:59 +0000
changeset 566804 396c4eb0222a9230ae9fe201d7cac78486af8c51
parent 566803 6bdd497670799f09a49875dcd3cfde515740b691
child 566805 01c702b65cc993cd4c228e687c0e234c3c6f85fe
push id38190
push userbtara@mozilla.com
push dateWed, 10 Feb 2021 21:50:51 +0000
treeherdermozilla-central@569826c0fd47 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersemilio
bugs1691621
milestone87.0a1
first release with
nightly linux32
569826c0fd47 / 87.0a1 / 20210210215051 / files
nightly linux64
569826c0fd47 / 87.0a1 / 20210210215051 / files
nightly mac
569826c0fd47 / 87.0a1 / 20210210215051 / files
nightly win32
569826c0fd47 / 87.0a1 / 20210210215051 / files
nightly win64
569826c0fd47 / 87.0a1 / 20210210215051 / files
last release without
nightly linux32
ee330ff7f4af / 87.0a1 / 20210210094937 / files
nightly linux64
ee330ff7f4af / 87.0a1 / 20210210094937 / files
nightly mac
ee330ff7f4af / 87.0a1 / 20210210094937 / files
nightly win32
ee330ff7f4af / 87.0a1 / 20210210094937 / files
nightly win64
ee330ff7f4af / 87.0a1 / 20210210094937 / files
Bug 1691621 - fix bad cast r=emilio Differential Revision: https://phabricator.services.mozilla.com/D104501
dom/base/nsTreeSanitizer.cpp file | annotate | diff | comparison | revisions
parser/xml/test/unit/results.js file | annotate | diff | comparison | revisions 
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1344,22 +1344,21 @@ void nsTreeSanitizer::SanitizeChildren(n
             RemoveAllAttributes(descendant->AsElement());
           }
         }
         nsIContent* next = node->GetNextNonChildNode(aRoot);
         node->RemoveFromParent();
         node = next;
         continue;
       }
-      if (nsGkAtoms::_template == localName) {
+      if (auto* templateEl = HTMLTemplateElement::FromNode(elt)) {
         // traverse into the DocFragment content attribute of template elements
         bool wasFullDocument = mFullDocument;
         mFullDocument = false;
-        RefPtr<DocumentFragment> frag =
-            static_cast<HTMLTemplateElement*>(elt)->Content();
+        RefPtr<DocumentFragment> frag = templateEl->Content();
         SanitizeChildren(frag);
         mFullDocument = wasFullDocument;
       }
       if (nsGkAtoms::style == localName) {
         // If !mOnlyConditionalCSS check the following condition:
         // If styles aren't allowed, style elements got pruned above. Even
         // if styles are allowed, non-HTML, non-SVG style elements got pruned
         // above.
--- a/parser/xml/test/unit/results.js
+++ b/parser/xml/test/unit/results.js
@@ -995,13 +995,19 @@ var vectors = [
       "<html><head></head><body><picture>allowed</picture></body></html>",
   },
   {
     data: "<template>allowed</template>",
     sanitized:
       "<html><head><template>allowed</template></head><body></body></html>",
   },
   {
+    // traverse into HTML template elements
     data: '<template><img src="x" onerror="alert(1)"></template>',
     sanitized:
       "<html><head><template><img></template></head><body></body></html>",
   },
+  {
+    // do not traverse into SVG template elements (that's not a thing)
+    data: "<svg><template></template></svg>",
+    sanitized: "<html><head></head><body></body></html>",
+  },
 ];
mozilla-central
Deployed from 18d8b634a3eb at 2022-06-27T19:41:42Z.