HTMLScriptElement text attributes modified to accept TrustedTypes

HTMLScriptElement::text() and setText() functions modified to accept TrustedScript as an argument. Added HTMLScriptElement::innerText and HTMLScriptElement:textContent attributes to override existing implementations in HTMLElement and Node, and to accept TrustedScript. Changed HTMLElement::innerText and Node::textContent .idl definitions and adjusted setters and getters to accept TrustedScript. Bug: 739170 Change-Id: I63da5714ffac328c6ae2f76e5da58c05f44a1cbf Reviewed-on: https://chromium-review.googlesource.com/c/1178046 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#607232}

HTMLScriptElement text attributes modified to accept TrustedTypes
HTMLScriptElement::text() and setText() functions modified to accept TrustedScript as an argument. Added HTMLScriptElement::innerText and HTMLScriptElement:textContent attributes to override existing implementations in HTMLElement and Node, and to accept TrustedScript. Changed HTMLElement::innerText and Node::textContent .idl definitions and adjusted setters and getters to accept TrustedScript. Bug: 739170 Change-Id: I63da5714ffac328c6ae2f76e5da58c05f44a1cbf Reviewed-on: https://chromium-review.googlesource.com/c/1178046 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#607232}
2abc21e5 · Daniel Vogelheim · Commit Bot · 17d65456 · 2abc21e5 · 2abc21e5
Commit 2abc21e5 authored Nov 12, 2018 by Daniel Vogelheim Committed by Commit Bot Nov 12, 2018
14 changed files
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/HTMLElement-generic.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/HTMLElement-generic.tentative.html
@@ -8,7 +8,7 @@
 <script>
  var testnb = 0;
  // TrustedURL Assignments
-  let testCases = [
+  const URLTestCases = [
    [ 'a', 'href' ],
    [ 'area', 'href' ],
    [ 'base', 'href' ],
@@ -24,27 +24,27 @@
    [ 'track', 'src' ]
  ];
-  testCases.forEach(c => {
+  URLTestCases.forEach(c => {
    test(t => {
      assert_element_accepts_trusted_url(window, ++testnb, t, c[0], c[1], RESULTS.URL);
    }, c[0] + "." + c[1] + " assigned via policy (successful URL transformation)");
  });
  // TrustedScriptURL Assignments
-  let scriptTestCases = [
+  const scriptURLTestCases = [
    [ 'embed', 'src' ],
    [ 'script', 'src' ]
  ];
  testnb = 0;
-  scriptTestCases.forEach(c => {
+  scriptURLTestCases.forEach(c => {
    test(t => {
      assert_element_accepts_trusted_script_url(window, ++testnb, t, c[0], c[1], RESULTS.SCRIPTURL);
    }, c[0] + "." + c[1] + " assigned via policy (successful ScriptURL transformation)");
  });
  // TrustedHTML Assignments
-  let HTMLTestCases = [
+  const HTMLTestCases = [
    [ 'div', 'innerHTML' ],
    [ 'iframe', 'srcdoc' ]
  ];
@@ -55,4 +55,18 @@
      assert_element_accepts_trusted_html(window, ++testnb, t, c[0], c[1], RESULTS.HTML);
    }, c[0] + "." + c[1] + " assigned via policy (successful HTML transformation)");
  });
+  // TrustedScript Assignments
+  const scriptTestCases = [
+    [ 'script', 'text' ],
+    [ 'script', 'innerText' ],
+    [ 'script', 'textContent' ]
+  ];
+  testnb = 0;
+  scriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_script(window, c, t, c[0], c[1], RESULTS.SCRIPT);
+    }, c[0] + "." + c[1] + " assigned via policy (successful Script transformation)");
+  });
 </script>
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative-expected.txt
@@ -33,5 +33,8 @@ PASS embed.src accepts string and null after default policy was created
 PASS script.src accepts string and null after default policy was created
 FAIL div.innerHTML accepts string and null after default policy was created assert_equals: expected "null" but got ""
 PASS iframe.srcdoc accepts string and null after default policy was created
+PASS script.text accepts only TrustedScript
+PASS script.innerText accepts only TrustedScript
+PASS script.textContent accepts only TrustedScript
 Harness: the test ran to completion.
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
@@ -89,4 +89,20 @@
      assert_element_accepts_trusted_type(c[0], c[1], null, "null");
    }, c[0] + "." + c[1] + " accepts string and null after default policy was created");
  });
+  // TrustedScript Assignments
+  const scriptTestCases = [
+    [ 'script', 'text' ],
+    [ 'script', 'innerText' ],
+    [ 'script', 'textContent' ]
+  ];
+  testnb = 0;
+  scriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_script(window, ++testnb, t, c[0], c[1], RESULTS.SCRIPT);
+      assert_throws_no_trusted_type(c[0], c[1], 'A string');
+      assert_throws_no_trusted_type(c[0], c[1], null);
+    }, c[0] + "." + c[1] + " accepts only TrustedScript");
+  });
 </script>
--- a/third_party/blink/renderer/bindings/core/v8/BUILD.gn
+++ b/third_party/blink/renderer/bindings/core/v8/BUILD.gn
@@ -98,6 +98,8 @@ bindings_core_generated_union_type_files = [
  "$bindings_core_v8_output_dir/string_or_trusted_script_url.h",
  "$bindings_core_v8_output_dir/string_or_unrestricted_double_sequence.cc",
  "$bindings_core_v8_output_dir/string_or_unrestricted_double_sequence.h",
+  "$bindings_core_v8_output_dir/string_treat_null_as_empty_string_or_trusted_script.cc",
+  "$bindings_core_v8_output_dir/string_treat_null_as_empty_string_or_trusted_script.h",
  "$bindings_core_v8_output_dir/usv_string_or_trusted_url.cc",
  "$bindings_core_v8_output_dir/usv_string_or_trusted_url.h",
  "$bindings_core_v8_output_dir/usv_string_sequence_sequence_or_usv_string_usv_string_record_or_usv_string.cc",

--- a/third_party/blink/renderer/core/dom/node.cc
+++ b/third_party/blink/renderer/core/dom/node.cc
@@ -27,6 +27,7 @@
 #include "third_party/blink/renderer/core/dom/node.h"
 #include "third_party/blink/renderer/bindings/core/v8/node_or_string.h"
+#include "third_party/blink/renderer/bindings/core/v8/string_or_trusted_script.h"
 #include "third_party/blink/renderer/core/accessibility/ax_object_cache.h"
 #include "third_party/blink/renderer/core/css/css_selector.h"
 #include "third_party/blink/renderer/core/css/resolver/style_resolver.h"
@@ -108,6 +109,7 @@
 #include "third_party/blink/renderer/core/paint/paint_layer_scrollable_area.h"
 #include "third_party/blink/renderer/core/svg/graphics/svg_image.h"
 #include "third_party/blink/renderer/core/svg/svg_element.h"
+#include "third_party/blink/renderer/core/trustedtypes/trusted_script.h"
 #include "third_party/blink/renderer/platform/bindings/dom_data_store.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/bindings/microtask.h"
@@ -1743,6 +1745,23 @@ String Node::textContent(bool convert_brs_to_newlines) const {
  return content.ToString();
 }
+void Node::setTextContent(const StringOrTrustedScript& string_or_trusted_script,
+                          ExceptionState& exception_state) {
+  String value =
+      string_or_trusted_script.IsString()
+          ? string_or_trusted_script.GetAsString()
+          : string_or_trusted_script.IsTrustedScript()
+                ? string_or_trusted_script.GetAsTrustedScript()->toString()
+                : g_empty_string;
+  setTextContent(value);
+}
+void Node::textContent(StringOrTrustedScript& result) {
+  String value = textContent();
+  if (!value.IsNull())
+    result.SetString(value);
+}
 void Node::setTextContent(const String& text) {
  switch (getNodeType()) {
    case kAttributeNode:

--- a/third_party/blink/renderer/core/dom/node.h
+++ b/third_party/blink/renderer/core/dom/node.h
@@ -74,6 +74,7 @@ class ShadowRoot;
 template <typename NodeType>
 class StaticNodeTypeList;
 using StaticNodeList = StaticNodeTypeList<Node>;
+class StringOrTrustedScript;
 class StyleChangeReasonForTracing;
 class V8ScrollStateCallback;
 class WebPluginContainerImpl;
@@ -256,6 +257,8 @@ class CORE_EXPORT Node : public EventTarget {
  String textContent(bool convert_brs_to_newlines = false) const;
  void setTextContent(const String&);
+  void textContent(StringOrTrustedScript& result);
+  virtual void setTextContent(const StringOrTrustedScript&, ExceptionState&);
  bool SupportsAltText();

--- a/third_party/blink/renderer/core/dom/node.idl
+++ b/third_party/blink/renderer/core/dom/node.idl
@@ -56,7 +56,7 @@ interface Node : EventTarget {
    [Affects=Nothing, CEReactions, CustomElementCallbacks] attribute DOMString? nodeValue;
-    [Affects=Nothing, CEReactions, CustomElementCallbacks] attribute DOMString? textContent;
+    [Affects=Nothing, CEReactions, CustomElementCallbacks, RaisesException=Setter] attribute ScriptString? textContent;
    [CEReactions, CustomElementCallbacks] void normalize();
    [NewObject, DoNotTestNewObject, CEReactions, CustomElementCallbacks, RaisesException] Node cloneNode(optional boolean deep = false);

--- a/third_party/blink/renderer/core/html/html_element.cc
+++ b/third_party/blink/renderer/core/html/html_element.cc
@@ -27,6 +27,8 @@
 #include "base/stl_util.h"
 #include "third_party/blink/renderer/bindings/core/v8/script_event_listener.h"
+#include "third_party/blink/renderer/bindings/core/v8/string_or_trusted_script.h"
+#include "third_party/blink/renderer/bindings/core/v8/string_treat_null_as_empty_string_or_trusted_script.h"
 #include "third_party/blink/renderer/core/css/css_color_value.h"
 #include "third_party/blink/renderer/core/css/css_markup.h"
 #include "third_party/blink/renderer/core/css/css_property_value_set.h"
@@ -64,6 +66,7 @@
 #include "third_party/blink/renderer/core/mathml_names.h"
 #include "third_party/blink/renderer/core/page/spatial_navigation.h"
 #include "third_party/blink/renderer/core/svg/svg_svg_element.h"
+#include "third_party/blink/renderer/core/trustedtypes/trusted_script.h"
 #include "third_party/blink/renderer/core/xml_names.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/language.h"
@@ -672,6 +675,41 @@ DocumentFragment* HTMLElement::TextToFragment(const String& text,
  return fragment;
 }
+void HTMLElement::setInnerText(
+    const StringOrTrustedScript& string_or_trusted_script,
+    ExceptionState& exception_state) {
+  String value;
+  if (string_or_trusted_script.IsString())
+    value = string_or_trusted_script.GetAsString();
+  else if (string_or_trusted_script.IsTrustedScript())
+    value = string_or_trusted_script.GetAsTrustedScript()->toString();
+  setInnerText(value, exception_state);
+}
+void HTMLElement::setInnerText(
+    const StringTreatNullAsEmptyStringOrTrustedScript& string_or_trusted_script,
+    ExceptionState& exception_state) {
+  StringOrTrustedScript tmp;
+  if (string_or_trusted_script.IsString())
+    tmp.SetString(string_or_trusted_script.GetAsString());
+  else if (string_or_trusted_script.IsTrustedScript())
+    tmp.SetTrustedScript(string_or_trusted_script.GetAsTrustedScript());
+  setInnerText(tmp, exception_state);
+}
+void HTMLElement::innerText(
+    StringTreatNullAsEmptyStringOrTrustedScript& result) {
+  result.SetString(innerText());
+}
+void HTMLElement::innerText(StringOrTrustedScript& result) {
+  result.SetString(innerText());
+}
+String HTMLElement::innerText() {
+  return Element::innerText();
+}
 void HTMLElement::setInnerText(const String& text,
                               ExceptionState& exception_state) {
  // FIXME: This doesn't take whitespace collapsing into account at all.

--- a/third_party/blink/renderer/core/html/html_element.h
+++ b/third_party/blink/renderer/core/html/html_element.h
@@ -36,6 +36,8 @@ class ExceptionState;
 class FormAssociated;
 class HTMLFormElement;
 class KeyboardEvent;
+class StringOrTrustedScript;
+class StringTreatNullAsEmptyStringOrTrustedScript;
 enum TranslateAttributeMode {
  kTranslateAttributeYes,
@@ -57,6 +59,12 @@ class CORE_EXPORT HTMLElement : public Element {
  int tabIndex() const override;
  void setInnerText(const String&, ExceptionState&);
+  virtual void setInnerText(const StringOrTrustedScript&, ExceptionState&);
+  virtual void setInnerText(const StringTreatNullAsEmptyStringOrTrustedScript&,
+                            ExceptionState&);
+  String innerText();
+  void innerText(StringOrTrustedScript& result);
+  void innerText(StringTreatNullAsEmptyStringOrTrustedScript& result);
  void setOuterText(const String&, ExceptionState&);
  virtual bool HasCustomFocusLogic() const;

--- a/third_party/blink/renderer/core/html/html_element.idl
+++ b/third_party/blink/renderer/core/html/html_element.idl
@@ -59,7 +59,7 @@ interface HTMLElement : Element {
    [Affects=Nothing, SameObject, PerWorldBindings, PutForwards=cssText] readonly attribute CSSStyleDeclaration style;
    // Non-standard APIs
-    [Affects=Nothing, CEReactions, CustomElementCallbacks, RaisesException=Setter, MeasureAs=HTMLElementInnerText] attribute [TreatNullAs=EmptyString] DOMString innerText;
+    [Affects=Nothing, CEReactions, CustomElementCallbacks, RaisesException=Setter, MeasureAs=HTMLElementInnerText] attribute ([TreatNullAs=EmptyString] DOMString or TrustedScript) innerText;
    [Affects=Nothing, CEReactions, CustomElementCallbacks, RaisesException=Setter, MeasureAs=HTMLElementOuterText] attribute [TreatNullAs=EmptyString] DOMString outerText;
 };

--- a/third_party/blink/renderer/core/html/html_script_element.cc
+++ b/third_party/blink/renderer/core/html/html_script_element.cc
@@ -26,6 +26,7 @@
 #include "third_party/blink/public/mojom/script/script_type.mojom-blink.h"
 #include "third_party/blink/renderer/bindings/core/v8/html_script_element_or_svg_script_element.h"
 #include "third_party/blink/renderer/bindings/core/v8/script_event_listener.h"
+#include "third_party/blink/renderer/bindings/core/v8/string_or_trusted_script.h"
 #include "third_party/blink/renderer/core/dom/attribute.h"
 #include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/dom/events/event.h"
@@ -35,6 +36,8 @@
 #include "third_party/blink/renderer/core/html_names.h"
 #include "third_party/blink/renderer/core/script/script_loader.h"
 #include "third_party/blink/renderer/core/script/script_runner.h"
+#include "third_party/blink/renderer/core/trustedtypes/trusted_script.h"
+#include "third_party/blink/renderer/core/trustedtypes/trusted_types_util.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 namespace blink {
@@ -114,8 +117,34 @@ void HTMLScriptElement::DidNotifySubtreeInsertionsToDocument() {
  loader_->DidNotifySubtreeInsertionsToDocument();
 }
-void HTMLScriptElement::setText(const String& value) {
+void HTMLScriptElement::setText(
-  setTextContent(value);
+    const StringOrTrustedScript& string_or_trusted_script,
+    ExceptionState& exception_state) {
+  setTextContent(string_or_trusted_script, exception_state);
+}
+void HTMLScriptElement::text(StringOrTrustedScript& result) {
+  result.SetString(TextFromChildren());
+}
+void HTMLScriptElement::setInnerText(
+    const StringOrTrustedScript& string_or_trusted_script,
+    ExceptionState& exception_state) {
+  String value = GetStringFromTrustedScript(string_or_trusted_script,
+                                            &GetDocument(), exception_state);
+  if (!exception_state.HadException()) {
+    HTMLElement::setInnerText(value, exception_state);
+  }
+}
+void HTMLScriptElement::setTextContent(
+    const StringOrTrustedScript& string_or_trusted_script,
+    ExceptionState& exception_state) {
+  String value = GetStringFromTrustedScript(string_or_trusted_script,
+                                            &GetDocument(), exception_state);
+  if (!exception_state.HadException()) {
+    Node::setTextContent(value);
+  }
 }
 void HTMLScriptElement::setAsync(bool async) {

--- a/third_party/blink/renderer/core/html/html_script_element.h
+++ b/third_party/blink/renderer/core/html/html_script_element.h
@@ -33,6 +33,9 @@
 namespace blink {
+class StringOrTrustedScript;
+class ExceptionState;
 class CORE_EXPORT HTMLScriptElement final : public HTMLElement,
                                            public ScriptElementBase {
  DEFINE_WRAPPERTYPEINFO();
@@ -46,8 +49,10 @@ class CORE_EXPORT HTMLScriptElement final : public HTMLElement,
  // Returns attributes that should be checked against Trusted Types
  const HashSet<AtomicString>& GetCheckedAttributeNames() const override;
-  String text() { return TextFromChildren(); }
+  void text(StringOrTrustedScript& result);
-  void setText(const String&);
+  void setText(const StringOrTrustedScript&, ExceptionState&);
+  void setInnerText(const StringOrTrustedScript&, ExceptionState&) override;
+  void setTextContent(const StringOrTrustedScript&, ExceptionState&) override;
  KURL Src() const;

--- a/third_party/blink/renderer/core/html/html_script_element.idl
+++ b/third_party/blink/renderer/core/html/html_script_element.idl
@@ -27,7 +27,7 @@ interface HTMLScriptElement : HTMLElement {
    [CEReactions] attribute boolean async;
    [CEReactions, Reflect] attribute boolean defer;
    [CEReactions, Reflect, ReflectOnly=("anonymous","use-credentials"), ReflectEmpty="anonymous", ReflectInvalid="anonymous"] attribute DOMString? crossOrigin;
-    [CEReactions] attribute DOMString text;
+    [CEReactions, RaisesException=Setter] attribute ScriptString text;
    [CEReactions, Reflect, ReflectOnly=("", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"), ReflectEmpty="", ReflectInvalid=""] attribute DOMString? referrerPolicy;
    // obsolete members

--- a/third_party/blink/renderer/core/trustedtypes/trusted_types_util.cc
+++ b/third_party/blink/renderer/core/trustedtypes/trusted_types_util.cc
@@ -108,17 +108,31 @@ String GetStringFromTrustedScript(
    ExceptionState& exception_state) {
  DCHECK(string_or_trusted_script.IsString() ||
         RuntimeEnabledFeatures::TrustedDOMTypesEnabled());
-  DCHECK(!string_or_trusted_script.IsNull());
+  // To remain compatible with legacy behaviour, HTMLElement uses extended IDL
+  // attributes to allow for nullable union of (DOMString or TrustedScript).
+  // Thus, this method is required to handle the case where
+  // string_or_trusted_script.IsNull(), unlike the various similar methods in
+  // this file.
  bool require_trusted_type = doc && doc->RequireTrustedTypes();
-  if (!require_trusted_type && string_or_trusted_script.IsString()) {
+  if (!require_trusted_type) {
-    return string_or_trusted_script.GetAsString();
+    if (string_or_trusted_script.IsString()) {
+      return string_or_trusted_script.GetAsString();
+    }
+    if (string_or_trusted_script.IsNull()) {
+      return g_empty_string;
+    }
  }
  if (string_or_trusted_script.IsTrustedScript()) {
    return string_or_trusted_script.GetAsTrustedScript()->toString();
  }
+  DCHECK(require_trusted_type);
+  DCHECK(string_or_trusted_script.IsNull() ||
+         string_or_trusted_script.IsString());
  TrustedTypePolicy* default_policy =
      doc->ExecutingWindow()->trustedTypes()->getExposedPolicy("default");
  if (!default_policy) {
@@ -127,8 +141,13 @@ String GetStringFromTrustedScript(
    return g_empty_string;
  }
+  const String& string_value_or_empty =
+      string_or_trusted_script.IsNull()
+          ? g_empty_string
+          : string_or_trusted_script.GetAsString();
  TrustedScript* result = default_policy->CreateScript(
-      ToIsolate(doc), string_or_trusted_script.GetAsString(), exception_state);
+      ToIsolate(doc), string_value_or_empty, exception_state);
+  DCHECK_EQ(!result, exception_state.HadException());
  if (exception_state.HadException()) {
    exception_state.ClearException();
    exception_state.ThrowTypeError(