Check CSP for inline event handlers (#36510)

This also ensures that the document now reports all violations and that we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437 

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Tim van der Lippe 2025-04-17 23:11:25 +02:00 committed by GitHub
parent 70b3e24816
commit 2a81987590
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
64 changed files with 58 additions and 569 deletions


@ -1084,14 +1084,14 @@ impl VirtualMethods for HTMLElement {
let element = self.as_element();
match (attr.local_name(), mutation) {
(name, AttributeMutation::Set(_)) if name.starts_with("on") => {
let source = &**attr.value();
let evtarget = self.upcast::<EventTarget>();
let source_line = 1; //TODO(#9604) get current JS execution line
evtarget.set_event_handler_uncompiled(
self.owner_window().get_url(),
source_line,
&name[2..],
// FIXME(ajeffrey): Convert directly from AttrValue to DOMString
DOMString::from(&**attr.value()),
source,
);
},
(&local_name!("form"), mutation) if self.is_form_associated_custom_element() => {
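Review bot: The guard `name.starts_with("on")` on the first arm sends every attribute whose name begins with `on` to `set_event_handler_uncompiled`, not only real event handler content attributes. If the inline-handler CSP check from this commit runs inside that call (its body is not visible here), such attributes would be blocked and reported as `script-src-attr` violations even though they never execute script. I would at least record this at the arm with `// Matches any "on"-prefixed attribute, so the CSP inline check also runs for names that are not event handlers`. Separately, `source_line` is still fixed at 1, so any violation report built from it would presumably point at line 1 until TODO #9604 is resolved. The page has lost its `+`/`-` markers, so this assumes `let source = &**attr.value();` and `source,` are the added lines; the enclosing method starts and ends outside the hunk.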