/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 *
 * The Original Code is mozilla.org HTML Sanitizer code.
 *
 * The Initial Developer of the Original Code is
 * Ben Bucksch <mozilla@bucksch.org>.
 * Portions created by the Initial Developer are Copyright (C) 2002
 * the Initial Developer. All Rights Reserved.
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either of the GNU General Public License Version 2 or later (the "GPL"),
 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
/* Cleans up HTML source from unwanted tags/attributes

   This class implements a content sink, which takes a parsed HTML document
   and removes all tags and attributes that are not explicitly allowed.

   This may improve the viewing experience of the user and/or the

   What is allowed is defined by a string (format described before the
   implementation of |mozHTMLSanitizer::ParsePrefs()|). The syntax of the
   definition is not very rich - you can only (dis)allow certain tags and
   attributes, but not where they may appear. (This makes the implementation
   much simpler.) E.g. it is impossible to disallow ordinary text as a
   direct child of the <head> node or to disallow multiple <head> nodes.

   We also remove some known bad attribute values like javascript: URLs.

   Currently, the output of this class is unparsed (!) HTML source, which
   means that each document has to go through the parser twice. Of course,
   that is a performance killer. There are some reasons for me doing it
   * There is, to my knowledge, no interface to hook up such modifiers
     in the document display data flow. We have a nice interface for doing
     the modifications (the DOM), but no place to get the DOM and to invoke
     this code. As I don't want to hack this directly into the html sink,
     I'd have to create a generic interface first, which is too much work for
   * It is quite easy to hook up modifiers for the (unparsed) data stream,
     both in netwerk (for the browser) and esp. in libmime (for Mailnews).
   * It seems like the safest method - it is easier to debug (you have the
     HTML source output to check) and is less prone to security-relevant bugs
     and regressions, because in the case of a bug, it will probably fall back
     to not outputting, which is safer than erring on the side of letting
     something slip through (most of the alternative approaches listed below
     are probably vulnerable to the latter).
   * It should be possible to later change this class to output a parsed HTML
   So, in other words, I had the choice between better design and better
   performance. I chose design. Bad performance has an effect on the users
   of this class only, while bad design has an effect on all users and

   That being said, I have some ideas how to make it much more efficient, but
   they involve hacking core code.
   * At some point when we have the DOM, but didn't do anything with it yet
     (in particular, didn't load any external objects or run any javascript),
     walk the DOM and delete everything the user doesn't explicitly like.
   * There's this nice GetPref() in the HTMLContentSink. It isn't used exactly
     as I would like to, but that should be doable. Basically, before
     processing any tag (e.g. in OpenContainer or AddLeaf), ask that
     function whether the tag is allowed. If not, just return.
   In any case, there's the problem of how the users of the renderer
   (e.g. Mailnews) can tell it to use the sanitizer and which tags are
   allowed (the browser may want to allow more tags than Mailnews).
   That probably means that I have to hack into the docshell (incl. its
   interface) or similar, which I would really like to avoid.
   Any ideas appreciated.
*/
#ifndef _mozISanitizingSerializer_h__
#define _mozISanitizingSerializer_h__

#include "nsISupports.h"

#define MOZ_SANITIZINGHTMLSERIALIZER_CONTRACTID "@mozilla.org/layout/htmlsanitizer;1"

/* starting interface: nsIContentSerializer */
#define MOZ_ISANITIZINGHTMLSERIALIZER_IID_STR "feca3c34-205e-4ae5-bd1c-03c686ff012b"

#define MOZ_ISANITIZINGHTMLSERIALIZER_IID \
  {0xfeca3c34, 0x205e, 0x4ae5, \
    { 0xbd, 0x1c, 0x03, 0xc6, 0x86, 0xff, 0x01, 0x2b }}
class mozISanitizingHTMLSerializer : public nsISupports
{
public:
  NS_DECLARE_STATIC_IID_ACCESSOR(MOZ_ISANITIZINGHTMLSERIALIZER_IID)

  // Sanitizes the document fed to this sink and writes the resulting HTML
  // source into |aOutString|; |allowedTags| is the allow-list definition
  // string parsed by mozHTMLSanitizer::ParsePrefs().
  NS_IMETHOD Initialize(nsAString* aOutString,
                        const nsAString& allowedTags) = 0;
           // This function violates string ownership rules, see impl.
};

NS_DEFINE_STATIC_IID_ACCESSOR(mozISanitizingHTMLSerializer,
                              MOZ_ISANITIZINGHTMLSERIALIZER_IID)

#endif // _mozISanitizingSerializer_h__
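The header comment above describes the sanitizer's approach: work on unparsed HTML source, keep only explicitly allowed tags and attributes, drop known bad values such as javascript: URLs, and fail towards not outputting. The following is an added, self-contained C++ example of that approach; it is not Mozilla's mozHTMLSanitizer and does not use the real ParsePrefs() format. The allow-list syntax ("p b a(href,title)"), the function names, and the sample inputs are all assumptions of this example.

```cpp
// Added example, not Mozilla's mozHTMLSanitizer: an allow-list sanitizer over
// unparsed HTML source in the spirit of the header above.
#include <cctype>
#include <map>
#include <set>
#include <string>

using AllowList = std::map<std::string, std::set<std::string>>;

static bool IsWs(unsigned char c) { return std::isspace(c) != 0; }
static std::string Lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Allow-list syntax (an assumption, not the real pref format): whitespace-
// separated tag names, each optionally followed by "(attr,attr,...)" with
// no spaces inside the parentheses. Anything not listed is dropped.
AllowList ParseAllowList(const std::string& spec) {
  AllowList out;
  size_t i = 0, n = spec.size();
  while (i < n) {
    while (i < n && IsWs(spec[i])) ++i;
    size_t s = i;
    while (i < n && spec[i] != '(' && !IsWs(spec[i])) ++i;
    if (i == s) break;                               // end of input or stray '('
    std::set<std::string>& attrs = out[Lower(spec.substr(s, i - s))];
    if (i < n && spec[i] == '(') {
      size_t close = spec.find(')', i);
      if (close == std::string::npos) close = n;
      std::string list = spec.substr(i + 1, close - i - 1) + ",";
      for (size_t p = 0, q; (q = list.find(',', p)) != std::string::npos; p = q + 1) {
        std::string a = Lower(list.substr(p, q - p));
        if (!a.empty()) attrs.insert(a);
      }
      i = close + 1;
    }
  }
  return out;
}

// Known-bad value check from the header: a javascript: scheme, compared
// case-insensitively and ignoring whitespace/control bytes inside the scheme.
bool IsKnownBadValue(const std::string& value) {
  std::string scheme;
  for (unsigned char c : value) {
    if (c <= 0x20) continue;
    if (c == ':') return scheme == "javascript";
    scheme.push_back(static_cast<char>(std::tolower(c)));
  }
  return false;                                      // no scheme at all
}

static std::string QuoteAttr(std::string v) {        // make v safe inside "..."
  for (size_t p = 0; (p = v.find('"', p)) != std::string::npos; p += 6)
    v.replace(p, 1, "&quot;");
  return v;
}

// Text is copied through, each tag is rebuilt from the allow-list, and an
// unterminated tag fails closed: the rest of the input is dropped.
std::string Sanitize(const std::string& html, const AllowList& allow) {
  std::string out;
  size_t i = 0, n = html.size();
  while (i < n) {
    if (html[i] != '<') { out.push_back(html[i++]); continue; }
    size_t close = html.find('>', i);
    if (close == std::string::npos) break;
    std::string b = html.substr(i + 1, close - i - 1);  // inside of <...>
    i = close + 1;
    bool closing = !b.empty() && b[0] == '/';
    size_t p = closing ? 1 : 0, m = b.size();
    auto readName = [&] {
      size_t s = p;
      while (p < m && !IsWs(b[p]) && b[p] != '=' && b[p] != '/') ++p;
      return Lower(b.substr(s, p - s));
    };
    std::string name = readName();
    auto it = allow.find(name);
    if (name.empty() || it == allow.end()) continue;  // comments, doctype, disallowed tags
    if (closing) { out += "</" + name + ">"; continue; }
    out += "<" + name;
    while (true) {
      while (p < m && IsWs(b[p])) ++p;
      if (p >= m) break;
      std::string attr = readName(), value;
      if (attr.empty()) { ++p; continue; }            // stray '=' or '/'
      while (p < m && IsWs(b[p])) ++p;
      if (p < m && b[p] == '=') {
        ++p;
        while (p < m && IsWs(b[p])) ++p;
        char q = (p < m && (b[p] == '"' || b[p] == '\'')) ? b[p++] : ' ';
        size_t s = p;
        while (p < m && (q == ' ' ? !IsWs(b[p]) : b[p] != q)) ++p;
        value = b.substr(s, p - s);
        if (q != ' ' && p < m) ++p;                   // skip closing quote
      }
      if (it->second.count(attr) && !IsKnownBadValue(value))
        out += " " + attr + "=\"" + QuoteAttr(value) + "\"";
    }
    out += ">";
  }
  return out;
}
```

Two behaviours follow directly from the design in the header: the text inside a dropped tag survives as plain text (so `<script>x()</script>` becomes the visible text `x()`, no longer executable), and a `<` that never finds its `>` discards the remainder of the input rather than guessing, which is the "fall back to not outputting" choice the author argues for.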