Sanitizer built-ins document #244

Merged (10 commits), Jan 16, 2025
Changes from 6 commits
5 changes: 5 additions & 0 deletions .github/workflows/pr-push.yml
@@ -9,6 +9,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Generate safe-default-configuration.json
run: python builtins/safe-default-configuration.py --input builtins/safe-default-configuration.txt --out builtins/safe-default-configuration.json
- uses: w3c/spec-prod@v2
with:
GH_PAGES_BRANCH: gh-pages
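Review bot: the added `actions/setup-python@v4` step (like the existing `actions/checkout@v2` and `w3c/spec-prod@v2`) references a third-party action by a mutable major-version tag; for supply-chain hardening, pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/setup-python@<commit-sha>  # v4` (placeholder SHA). It is also worth confirming that the `Generate safe-default-configuration.json` step runs ahead of `w3c/spec-prod@v2` in every workflow that builds the spec, not only `pr-push.yml`, because the generated `builtins/safe-default-configuration.json` is gitignored in this PR and will not exist in a fresh checkout.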
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
/.project
/out
/*.ninja*
/builtins/safe-default-configuration.json
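Review bot: ignoring `/builtins/safe-default-configuration.json` means a fresh clone has no generated configuration until `builtins/safe-default-configuration.py` has been run by hand, so a local spec build will fail where CI succeeds; document that step (or fold it into the local build). Since the similarly named `builtins/safe-baseline-configuration.json` added in this PR is hand-written and committed while this one is generated, a one-line comment here or in the README would make the distinction clear and keep the generated file from being committed by mistake.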
147 changes: 147 additions & 0 deletions builtins/safe-baseline-configuration.json
@@ -0,0 +1,147 @@
{
"removeElements": [
{
"namespace": "http://www.w3.org/1999/xhtml",
"name": "script"
},
{
"namespace": "http://www.w3.org/2000/svg",
"name": "script"
}
],
"removeAttributes": [
"onabort",
"onactivate",
"onafterprint",
"onanimationend",
"onanimationiteration",
"onanimationstart",
"onauxclick",
"onbeforecopy",
"onbeforecut",
"onbeforeinput",
"onbeforepaste",
"onbeforeprint",
"onbeforetoggle",
"onbeforeunload",
"onbegin",
"onblur",
"oncancel",
"oncanplay",
"oncanplaythrough",
"onchange",
"onclick",
"onclose",
"oncontentvisibilityautostatechange",
"oncontextlost",
"oncontextmenu",
"oncontextrestored",
"oncopy",
"oncuechange",
"oncut",
"ondblclick",
"ondismiss",
"ondrag",
"ondragend",
"ondragenter",
"ondragleave",
"ondragover",
"ondragstart",
"ondrop",
"ondurationchange",
"onemptied",
"onend",
"onended",
"onerror",
"onfocus",
"onfocusin",
"onfocusout",
"onformdata",
"ongotpointercapture",
"onhashchange",
"oninput",
"oninvalid",
"onkeydown",
"onkeypress",
"onkeyup",
"onlanguagechange",
"onload",
"onloadeddata",
"onloadedmetadata",
"onloadstart",
"onlostpointercapture",
"onmessage",
"onmessageerror",
"onmousedown",
"onmouseenter",
"onmouseleave",
"onmousemove",
"onmouseout",
"onmouseover",
"onmouseup",
"onmousewheel",
"onmove",
"onoffline",
"ononline",
"onorientationchange",
"onoverscroll",
"onpagehide",
"onpageshow",
"onpaste",
"onpause",
"onplay",
"onplaying",
"onpointercancel",
"onpointerdown",
"onpointerenter",
"onpointerleave",
"onpointermove",
"onpointerout",
"onpointerover",
"onpointerrawupdate",
"onpointerup",
"onpopstate",
"onprogress",
"onratechange",
"onrepeat",
"onreset",
"onresize",
"onresolve",
"onscroll",
"onscrollend",
"onscrollsnapchange",
"onscrollsnapchanging",
"onsearch",
"onsecuritypolicyviolation",
"onseeked",
"onseeking",
"onselect",
"onselectionchange",
"onselectstart",
"onshow",
"onslotchange",
"onstalled",
"onstorage",
"onsubmit",
"onsuspend",
"ontimeupdate",
"ontimezonechange",
"ontoggle",
"ontouchcancel",
"ontouchend",
"ontouchmove",
"ontouchstart",
"ontransitionend",
"onunload",
"onvalidationstatuschange",
"onvolumechange",
"onwaiting",
"onwebkitanimationend",
"onwebkitanimationiteration",
"onwebkitanimationstart",
"onwebkitfullscreenchange",
"onwebkitfullscreenerror",
"onwebkittransitionend",
"onwheel"
Collaborator:
What should we do here? In spec purity terms, I believe we should stick to those in the HTML standard and make a big note that many engines support non-standardized ones and add them as a hint or such?
But in reality, I can see this going wrong.

@evilpie: How would we best identify the list of supported event handler attributes in Gecko?

Collaborator:
We should probably just check if an attribute is a https://html.spec.whatwg.org/#event-handler-content-attributes. We could then maybe non-normatively list all of them (they're also in an index in HTML). Implementations can do roughly the same thing they do for Trusted Types.

@evilpie, Dec 19, 2024:
In Gecko, Trusted Types currently uses the EventNameList.h.

@otherdaniel (Collaborator, Author), Jan 8, 2025:
I've now removed the list of event handlers, instead adding a rule to remove event-handler-content-attributes. I'm iterating over those, as if they were a list. Not sure if that's legitimate.

I've also added a note and a script that merges in a copy of the event handlers, so it's easier to see what this does. This should make it easy to modify, and to -- eventually -- just use a list directly derived from the HTML spec text.

Unfortunately, the preview doesn't run the scripts, so that particular bit isn't easy to review.

Collaborator:
I think iterating over them is okay. We might have to revisit this when upstreaming.

]
}
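Review bot: the two lists in this file have different shapes: `removeElements` entries are `{namespace, name}` objects, while `removeAttributes` entries are bare strings, so the file cannot express whether an attribute removal is limited to the null namespace or applies to any namespace; the element and attribute entries should use the same object form. Separately, a hand-copied list of event handler attribute names mixes standard names with engine-specific ones (`onwebkitanimationend`, `onoverscroll`, `onsearch`, `onmousewheel`) and will drift from the HTML standard as handlers are added; the approach agreed in the thread, defining the removal by reference to the standard's event handler content attributes and generating the expanded list from that, is the more maintainable choice and should replace this literal list in the final version.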
Empty file.
42 changes: 42 additions & 0 deletions builtins/safe-default-configuration.py
@@ -0,0 +1,42 @@
# Sanitizer API - Build configuration dictionary from text file.

import json
import argparse
import sys

def main():
parser = argparse.ArgumentParser()
parser.add_argument("--input", type=argparse.FileType('r'), required=True)
parser.add_argument("--out", type=argparse.FileType('w'), required=True)
args = parser.parse_args()

try:
lines = args.input.read()
except BaseException as err:
parser.error("Cannot read from --input file.")

result = { "elements": [], "attributes": [] }
current = []
for line in lines.split("\n"):
if not line:
pass
elif line.startswith("//"):
pass
elif line.startswith("- "):
current.append({ "name": line[2:], "namespace": None })
elif line == "[HTML Global]":
current = result["attributes"]
else:
elem = { "name": line, "namespace": "http://www.w3.org/1999/xhtml",
"attributes": [] }
result["elements"].append(elem)
current = elem["attributes"]

try:
json.dump(result, args.out, indent=2)
except BaseException as err:
parser.error("Cannot write to --out file.")
return 0

if __name__ == "__main__":
main()
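Review bot: the two `except BaseException as err:` clauses in `main()` also swallow `KeyboardInterrupt` and `SystemExit`, and `err` is never used; catch `OSError` around the read and `OSError`/`TypeError` around `json.dump` instead. A `- attr` line that appears before any element or `[HTML Global]` header is appended to the throw-away initial `current = []` and silently lost; start with `current = None` and call `parser.error(...)` in that branch when it is still `None`. The `return 0` is discarded because the `__main__` block calls `main()` without `sys.exit(main())`, which also leaves `import sys` unused. Lines are not stripped, so trailing whitespace turns a comment or blank line into an element entry; apply `line = line.strip()` before the `startswith` checks. Finally, every element gets the hardcoded XHTML namespace, while the input file already carries `// SVG: TBD` and `// MathML: TDB` sections, so the format will need a namespace directive (something like a `[SVG]` section header, naming only an illustration) before those sections can be filled in.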
171 changes: 171 additions & 0 deletions builtins/safe-default-configuration.txt
@@ -0,0 +1,171 @@
// Document element
// https://html.spec.whatwg.org/#the-root-element

html

// Document metadata
// https://html.spec.whatwg.org/#document-metadata

head
title

// meta and link, purposely omitted

// Sections
// https://html.spec.whatwg.org/#sections

body
article
section
nav
aside
h1
h2
h3
h4
h5
h6
hgroup
header
footer
address

// Grouping Content
// https://html.spec.whatwg.org/#grouping-content

p
hr
pre
blockquote
- cite
ol
- reversed
- start
- type
ul
menu
li
- value
dl
dt
dd
figure
figcaption
main
search
div

// Text-level Semantics
// https://html.spec.whatwg.org/#text-level-semantics ###

a
- href
- rel
- hreflang
- type
// Purposely omitted:
// - target
// - download
// - referrerpolicy
// - ping
em
strong
small
s
cite
q
dfn
- title
abbr
- title
ruby
rt
rp
data
- value
time
- datetime
code
var
samp
kbd
sub
sup
i
b
u
mark
bdi
- dir
bdo
- dir
span
br
wbr

// Edits
// https://html.spec.whatwg.org/#edits

ins
- cite
- datetime
del
- cite
- datetime

// Embedded content
// https://html.spec.whatwg.org/#embedded-content
//
// Purposely omitted.

// Tabular Data
// https://html.spec.whatwg.org/#tables

table
caption
colgroup
- span
col
- span
tbody
thead
tfoot
tr
td
- colspan
- rowspan
- headers
th
- colspan
- rowspan
- headers
- scope
- abbr

// Forms
// https://html.spec.whatwg.org/#forms
//
// Purposely omitted

// Interactive Elements
// https://html.spec.whatwg.org/#interactive-elements
//
// Purposly omitted.

// Scripting
// https://html.spec.whatwg.org/#scripting
//
// Purposely omitted.

// SVG: TBD
// MathML: TDB

// HTML global attributes
//
// Selection of attributes. Most are purposely omitted.

[HTML Global]
- dir
- lang
- title
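Review bot: two typos in comment lines, `Purposly omitted.` under Interactive Elements and `MathML: TDB`, plus a stray ` ###` at the end of the Text-level Semantics URL comment; none affects the generated JSON because `//` lines are skipped, but they will be read by anyone maintaining the list. The format records attribute names only, so for the URL-valued attributes it allows (`href` on `a`, `cite` on `blockquote`, `ins` and `del`) it cannot express any constraint on the value; if the spec intends one, it has to be stated in the spec text rather than in this file. A short header comment describing the grammar the script accepts (element name lines, `- attribute` lines belonging to the preceding element, `//` comments, and the `[HTML Global]` section) would also help reviewers check the list without reading the script.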
