From 09433ce9398fcfddd9729568672920c20d5d22e5 Mon Sep 17 00:00:00 2001 From: Marco Castelluccio Date: Thu, 3 Dec 2020 23:24:17 +0000 Subject: [PATCH] Bug 1679091 [wpt PR 26631] - Remove setInnerHTML completely, a=testonly Automatic update from web-platform-tests Remove setInnerHTML completely The conversation [1] about the recent changes to setInnerHTML have led to the conclusion [2] that perhaps we shouldn't add a new XSS sink method at all. That would "fix" the declarative Shadow DOM problem, but would create a new sink that all security libraries would need to know about and handle. Seems like not a good trade. In the meantime, a polyfill can stand in for setInnerHTML: Element.prototype.setInnerHTML = function(content) { const fragment = (new DOMParser()).parseFromString(`
${content}
`, 'text/html', {includeShadowRoots: true}); this.replaceChildren(...fragment.body.firstChild.childNodes); }; [1] https://github.com/whatwg/dom/issues/912 [2] https://github.com/whatwg/dom/issues/912#issuecomment-732476002 Bug: 1042130 Change-Id: Ibaf15a3edf86be9a720225dea2ba2741f2882b8c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2555589 Auto-Submit: Mason Freed Commit-Queue: Kouhei Ueno Reviewed-by: Kouhei Ueno Cr-Commit-Position: refs/heads/master{#830501} -- wpt-commits: 60d87a5d19f5cf033f96b26f9597b32ad2732792 wpt-pr: 26631 UltraBlame original commit: 1046b32a6c9d31383f782745ed88a9d1fd4bc71e --- ...ative-shadow-dom-attachment.tentative.html | 24 +- ...eclarative-shadow-dom-basic.tentative.html | 198 +------ ...clarative-shadow-dom-opt-in.tentative.html | 334 ++++-------- .../declarative/setinnerhtml.tentative.html | 490 ------------------ .../shadow-dom/declarative/support/helpers.js | 58 +++ 5 files changed, 196 insertions(+), 908 deletions(-) delete mode 100644 testing/web-platform/tests/shadow-dom/declarative/setinnerhtml.tentative.html create mode 100644 testing/web-platform/tests/shadow-dom/declarative/support/helpers.js diff --git a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-attachment.tentative.html b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-attachment.tentative.html index 597dd5768bba5..cebbc200dcffb 100644 --- a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-attachment.tentative.html +++ b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-attachment.tentative.html @@ -125,6 +125,22 @@ > < script +src += +" +support +/ +helpers +. +js +" +> +< +/ +script +> +< +script > const shadowContent @@ -256,16 +272,10 @@ ' ) ; -wrapper -. setInnerHTML ( +wrapper declarativeString -{ -includeShadowRoots -: -true -} ) ; const 
diff --git a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-basic.tentative.html b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-basic.tentative.html index 5525e8ad3818c..40822bdc11b24 100644 --- a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-basic.tentative.html +++ b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-basic.tentative.html @@ -109,6 +109,22 @@ script > < +script +src += +" +support +/ +helpers +. +js +" +> +< +/ +script +> +< div id = @@ -374,10 +390,9 @@ ' ) ; -div -. setInnerHTML ( +div < div id @@ -436,11 +451,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; const @@ -598,10 +608,9 @@ ' ) ; -div -. setInnerHTML ( +div < div id @@ -626,11 +635,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; const @@ -748,10 +752,9 @@ ' ) ; -div -. setInnerHTML ( +div < div id @@ -776,11 +779,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; const @@ -863,10 +861,9 @@ ' ) ; -div -. setInnerHTML ( +div < div id @@ -904,11 +901,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; const @@ -1041,10 +1033,9 @@ ' ) ; -div -. setInnerHTML ( +div < div id @@ -1070,11 +1061,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; var @@ -1120,10 +1106,9 @@ " ) ; -div -. setInnerHTML ( +div < div id @@ -1148,11 +1133,6 @@ / div > -{ -includeShadowRoots -: -true -} ) ; host 
@@ -1213,140 +1193,6 @@ ' ) ; -test -( -( -) -= -> -{ -const -host -= -document -. -createElement -( -' -div -' -) -; -/ -/ -Root -element -of -setInnerHTML -is -a -< -template -shadowroot -> -: -host -. -setInnerHTML -( -' -< -template -shadowroot -= -open -> -< -/ -template -> -' -{ -allowShadowRoot -: -true -} -) -; -assert_equals -( -host -. -shadowRoot -null -" -Shadow -root -should -not -be -present -" -) -; -const -tmpl -= -host -. -querySelector -( -' -template -' -) -; -assert_true -( -! -! -tmpl -" -Template -should -still -be -present -" -) -; -assert_equals -( -tmpl -. -getAttribute -( -' -shadowroot -' -) -" -open -" -" -' -shadowroot -' -attribute -should -still -be -present -" -) -; -} -' -Declarative -Shadow -DOM -: -setInnerHTML -root -element -' -) -; < / script diff --git a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-opt-in.tentative.html b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-opt-in.tentative.html index 2a2acb557d322..c05d503c72da2 100644 --- a/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-opt-in.tentative.html +++ b/testing/web-platform/tests/shadow-dom/declarative/declarative-shadow-dom-opt-in.tentative.html @@ -109,6 +109,29 @@ script > < +script +src += +' +. +. +/ +resources +/ +shadow +- +dom +- +utils +. +js +' +> +< +/ +script +> +< body > < 
@@ -511,130 +534,94 @@ ' ) ; -test -( -( -) -= -> -{ const -div +noChildElements = -document -. -createElement -( +[ ' -div +iframe ' -) +' +noscript +' +' +script +' +' +select +' +' +style +' +' +textarea +' +' +title +' +' +colgroup +' +] ; -div +const +elements += +HTML5_ELEMENT_NAMES . -innerHTML +filter +( +el = -content -; -assert_dsd +> +! +noChildElements +. +includes ( -div -false +el ) -; -} -' -innerHTML -on -element -- -disallowed -' ) ; +for +( +let +elementName +of +elements +) +{ +var +t += test ( +function ( ) -= -> { const -div +el1 = document . createElement ( -' -div -' +elementName ) ; -div +el1 . -setInnerHTML -( +innerHTML += content -) ; assert_dsd ( -div -false -) -; -div -. -setInnerHTML -( -content -{ -includeShadowRoots -: +el1 false -} ) ; -assert_dsd -( -div -false -) -; -div -. -setInnerHTML -( -content -{ -includeShadowRoots -: -true -} -) -; -assert_dsd -( -div -true -) -; -} -' -setInnerHTML -on -element -' -) -; -test -( -( -) -= -> -{ const templateContent = @@ -653,7 +640,7 @@ > ; const -div +el2 = document . @@ -664,7 +651,7 @@ ' ) ; -div +el2 . innerHTML = @@ -672,7 +659,7 @@ ; assert_dsd ( -div +el2 . querySelector ( @@ -686,46 +673,18 @@ false ) ; -div -. -setInnerHTML -( -templateContent +} +innerHTML +on +a +< { -includeShadowRoots -: -true +elementName } -) -; -assert_dsd -( -div -. -querySelector -( -' -# -tmpl -' -) -. -content -true +> ) ; } -' -setInnerHTML -on -element -with -nested -template -content -' -) -; test ( ( @@ -768,39 +727,9 @@ ' ) ; -temp -. -setInnerHTML -( -content -{ -includeShadowRoots -: -true -} -) -; -assert_dsd -( -temp -. -content -true -' -setInnerHTML -should -allow -declarative -shadow -content -if -enabled -' -) -; } ' -setInnerHTML +innerHTML on template ' 
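Review bot: The `noChildElements` list at the top of the new loop removes eight element types from the innerHTML negative check without saying why, so a reader cannot tell whether the reduced coverage is intentional. A comment above it would record the reason, for example `// Skipped: innerHTML content of these elements is not parsed into ordinary child elements (assumed; confirm).` In the same loop, `var t = test(function() {` stores a value that is not used in the visible lines, and `let elementName` is never reassigned; a bare `test(function() {` and `for (const elementName of elements)` would be tighter. The test function body continues past the end of this hunk, so a later use of `t` cannot be ruled out from here.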
@@ -866,39 +795,9 @@ false ) ; -temp -. -setInnerHTML -( -templateContent -{ -includeShadowRoots -: -true -} -) -; -assert_dsd -( -temp -. -content -. -querySelector -( -' -# -tmpl -' -) -. -content -true -) -; } ' -setInnerHTML +innerHTML on template with @@ -955,27 +854,9 @@ false ) ; -shadow -. -setInnerHTML -( -content -{ -includeShadowRoots -: -true -} -) -; -assert_dsd -( -shadow -true -) -; } ' -setInnerHTML +innerHTML on shadowRoot ' @@ -1115,33 +996,14 @@ false ) ; -doc -. -body -. -setInnerHTML -( -content -{ -includeShadowRoots -: -true -} -) -; -assert_dsd -( -doc -. -body -true -) -; } ' createHTMLDocument with -setInnerHTML +innerHTML +- +not +supported ' ) ; @@ -1312,7 +1174,9 @@ } ' XMLHttpRequest -disabled +- +not +supported ' ) ; diff --git a/testing/web-platform/tests/shadow-dom/declarative/setinnerhtml.tentative.html b/testing/web-platform/tests/shadow-dom/declarative/setinnerhtml.tentative.html deleted file mode 100644 index f0d9075410c11..0000000000000 --- a/testing/web-platform/tests/shadow-dom/declarative/setinnerhtml.tentative.html +++ /dev/null 
@@ -1,490 +0,0 @@ -< -! -DOCTYPE -html -> -< -title -> -getInnerHTML -< -/ -title -> -< -link -rel -= -' -author -' -title -= -' -Mason -Freed -' -href -= -' -mailto -: -masonfreed -chromium -. -org -' -> -< -link -rel -= -' -help -' -href -= -' -https -: -/ -/ -github -. -com -/ -whatwg -/ -dom -/ -issues -/ -831 -' -> -< -script -src -= -' -/ -resources -/ -testharness -. -js -' -> -< -/ -script -> -< -script -src -= -' -/ -resources -/ -testharnessreport -. -js -' -> -< -/ -script -> -< -script -src -= -' -. -. -/ -resources -/ -shadow -- -dom -- -utils -. -js -' -> -< -/ -script -> -< -body -> -< -script -> -function -testElementType -( -allowsShadowDom -elementType -applyToShadow -) -{ -const -t -= -test -( -t -= -> -{ -/ -/ -Create -and -attach -element -let -wrapper -; -if -( -applyToShadow -) -{ -const -host -= -document -. -createElement -( -' -div -' -) -; -t -. -add_cleanup -( -function -( -) -{ -host -. -remove -( -) -; -} -) -; -document -. -body -. -appendChild -( -host -) -; -wrapper -= -host -. -attachShadow -( -{ -mode -: -' -open -' -} -) -; -} -else -{ -wrapper -= -document -. -createElement -( -' -div -' -) -; -t -. -add_cleanup -( -function -( -) -{ -wrapper -. -remove -( -) -; -} -) -; -document -. -body -. -appendChild -( -wrapper -) -; -} -const -html -= -< -{ -elementType -} -> -< -template -shadowroot -= -" -open -" -> -< -slot -> -< -/ -slot -> -< -/ -template -> -< -span -> -< -/ -span -> -< -/ -{ -elementType -} -> -; -wrapper -. -setInnerHTML -( -html -{ -includeShadowRoots -: -true -} -) -; -if -( -allowsShadowDom -) -{ -/ -/ -Retrieve -shadow -root -assert_true -( -! -! -wrapper -. -firstElementChild -. -shadowRoot -' -No -shadow -root -found -' -) -; -} -else -{ -const -leftover -= -wrapper -. -firstElementChild -. -firstElementChild -; -assert_true -( -wrapper -. -firstElementChild -. 
-childElementCount -= -= -0 -| -| -leftover -instanceof -HTMLTemplateElement -' -Template -should -be -left -over -( -or -no -children -) -' -) -; -} -} -{ -applyToShadow -? -' -ShadowRoot -' -: -' -Element -' -} -. -setInnerHTML -( -) -on -< -{ -elementType -} -> -{ -allowsShadowDom -? -with -declarative -Shadow -DOM -. -: -' -' -} -) -; -} -function -runAllTests -( -) -{ -const -allElements -= -[ -. -. -. -HTML5_ELEMENT_NAMES -' -htmlunknown -' -] -. -filter -( -item -= -> -item -! -= -= -' -body -' -) -; -const -safelisted -= -ATTACHSHADOW_SAFELISTED_ELEMENTS -; -for -( -const -elementName -of -allElements -) -{ -for -( -const -applyToShadow -of -[ -false -true -] -) -{ -testElementType -( -safelisted -. -includes -( -elementName -) -elementName -applyToShadow -) -; -} -} -} -runAllTests -( -) -; -< -/ -script -> diff --git a/testing/web-platform/tests/shadow-dom/declarative/support/helpers.js b/testing/web-platform/tests/shadow-dom/declarative/support/helpers.js new file mode 100644 index 0000000000000..c97c002b003d3 --- /dev/null +++ b/testing/web-platform/tests/shadow-dom/declarative/support/helpers.js @@ -0,0 +1,58 @@ +function +setInnerHTML +( +el +content +) +{ +const +fragment += +( +new +DOMParser +( +) +) +. +parseFromString +( +< +pre +> +{ +content +} +< +/ +pre +> +' +text +/ +html +' +{ +includeShadowRoots +: +true +} +) +; +el +. +replaceChildren +( +. +. +. +fragment +. +body +. +firstChild +. +childNodes +) +; +}
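Review bot: `setInnerHTML(el, content)` in support/helpers.js has no comment, although it parses `content` with `includeShadowRoots: true` and moves the result into `el`, which reproduces the markup sink that the commit message says should not be added as a platform API. A header comment would keep it from being copied outside the tests: `// Test-only stand-in for the removed Element.setInnerHTML(); attaches declarative shadow roots, so do not pass untrusted markup.` One more line should explain why the content is wrapped in `<pre>` and read back through `fragment.body.firstChild.childNodes`, because anything the parser places outside that first child would, as far as the visible code shows, be dropped without an error.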