Bug 1691621 - fix bad cast r=emilio
authorFrederik Braun <fbraun@mozilla.com>
Wed, 10 Feb 2021 12:36:59 +0000
changeset 566804 396c4eb0222a9230ae9fe201d7cac78486af8c51
parent 566803 6bdd497670799f09a49875dcd3cfde515740b691
child 566805 01c702b65cc993cd4c228e687c0e234c3c6f85fe
reviewersemilio
bugs1691621
milestone87.0a1
Bug 1691621 - fix bad cast r=emilio Differential Revision: https://phabricator.services.mozilla.com/D104501
dom/base/nsTreeSanitizer.cpp
parser/xml/test/unit/results.js
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1344,22 +1344,21 @@ void nsTreeSanitizer::SanitizeChildren(n
             RemoveAllAttributes(descendant->AsElement());
           }
         }
         nsIContent* next = node->GetNextNonChildNode(aRoot);
         node->RemoveFromParent();
         node = next;
         continue;
       }
-      if (nsGkAtoms::_template == localName) {
+      if (auto* templateEl = HTMLTemplateElement::FromNode(elt)) {
         // traverse into the DocFragment content attribute of template elements
         bool wasFullDocument = mFullDocument;
         mFullDocument = false;
-        RefPtr<DocumentFragment> frag =
-            static_cast<HTMLTemplateElement*>(elt)->Content();
+        RefPtr<DocumentFragment> frag = templateEl->Content();
         SanitizeChildren(frag);
         mFullDocument = wasFullDocument;
       }
       if (nsGkAtoms::style == localName) {
         // If !mOnlyConditionalCSS check the following condition:
         // If styles aren't allowed, style elements got pruned above. Even
         // if styles are allowed, non-HTML, non-SVG style elements got pruned
         // above.
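Review bot: The new `HTMLTemplateElement::FromNode(elt)` guard at the `if` on the template branch is what makes the cast safe, but nothing in the hunk says why the local-name comparison was wrong, so a later "simplification" back to `nsGkAtoms::_template == localName` would reintroduce the type confusion silently. A one-line comment above the `if` would pin the invariant: `// Use FromNode, not a localName check: an SVG <template> shares the local name but is not an HTMLTemplateElement, so it must never be cast to one.` The `elt` variable and the enclosing SanitizeChildren body are outside the hunk, so I am assuming `elt` is the element form of `node` established earlier in the loop. The following `if (nsGkAtoms::style == localName)` stays a separate `if` rather than `else if`; that looks harmless since a template element cannot also have the `style` local name, but making it `else if` would document that the two branches are mutually exclusive.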
--- a/parser/xml/test/unit/results.js
+++ b/parser/xml/test/unit/results.js
@@ -995,13 +995,19 @@ var vectors = [
       "<html><head></head><body><picture>allowed</picture></body></html>",
   },
   {
     data: "<template>allowed</template>",
     sanitized:
       "<html><head><template>allowed</template></head><body></body></html>",
   },
   {
+    // traverse into HTML template elements
     data: '<template><img src="x" onerror="alert(1)"></template>',
     sanitized:
       "<html><head><template><img></template></head><body></body></html>",
   },
+  {
+    // do not traverse into SVG template elements (that's not a thing)
+    data: "<svg><template></template></svg>",
+    sanitized: "<html><head></head><body></body></html>",
+  },
 ];
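Review bot: The new SVG vector at the end of the array expects `<html><head></head><body></body></html>`, i.e. the whole `<svg>` subtree is dropped, so the assertion only shows that an SVG `<template>` no longer crashes the sanitizer; it cannot distinguish "not traversed into" from "pruned". If the test harness configuration prunes SVG anyway (I cannot tell from this hunk), the comment `// do not traverse into SVG template elements (that's not a thing)` slightly overstates what is checked; consider wording it `// an SVG <template> is not an HTMLTemplateElement; must not be cast or traversed` and, if a config with SVG allowed exists, adding a sibling vector where the SVG subtree survives so the no-traversal behaviour is actually pinned.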