LibWeb: Enumerate all injection sinks relevant to the TrustedTypes spec

This enables us to more strictly control the available sinks we support.
Author: https://github.com/tete17 Commit: 2083708897 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5828 Reviewed-by: https://github.com/AtkinsSJ Reviewed-by: https://github.com/Lubrsi ✅
2025-09-21 08:48:57 +00:00 · 2025-08-09 02:11:32 +02:00 · 2025-08-09 02:11:32 +02:00 · 2083708897 · 2025-09-01 15:21:11 +00:00
commit 2083708897
parent af933c2721
7 changed files with 60 additions and 12 deletions
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@ -921,6 +921,7 @@ set(SOURCES
    SVG/SVGUseElement.cpp
    SVG/SVGViewElement.cpp
    SVG/TagNames.cpp
+    TrustedTypes/InjectionSink.cpp
    TrustedTypes/TrustedHTML.cpp
    TrustedTypes/TrustedScript.cpp
    TrustedTypes/TrustedScriptURL.cpp
--- a/Libraries/LibWeb/DOM/Document.cpp
+++ b/Libraries/LibWeb/DOM/Document.cpp
@ -637,14 +637,14 @@ GC::Ptr<Selection::Selection> Document::get_selection() const
 WebIDL::ExceptionOr<void> Document::write(Vector<String> const& text)
 {
    // The document.write(...text) method steps are to run the document write steps with this, text, false, and "Document write".
-    return run_the_document_write_steps(text, AddLineFeed::No, TrustedTypes::InjectionSink::DocumentWrite);
+    return run_the_document_write_steps(text, AddLineFeed::No, TrustedTypes::InjectionSink::Documentwrite);
 }

 // https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#dom-document-writeln
 WebIDL::ExceptionOr<void> Document::writeln(Vector<String> const& text)
 {
    // The document.writeln(...text) method steps are to run the document write steps with this, text, true, and "Document writeln".
-    return run_the_document_write_steps(text, AddLineFeed::Yes, TrustedTypes::InjectionSink::DocumentWriteln);
+    return run_the_document_write_steps(text, AddLineFeed::Yes, TrustedTypes::InjectionSink::Documentwriteln);
 }

 // https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-write-steps
--- a/Libraries/LibWeb/HTML/GlobalEventHandlers.h
+++ b/Libraries/LibWeb/HTML/GlobalEventHandlers.h
@ -7,6 +7,7 @@
 #pragma once

 #include <AK/Forward.h>
+#include <LibGC/Ptr.h>
 #include <LibWeb/Export.h>
 #include <LibWeb/Forward.h>

--- a/Libraries/LibWeb/TrustedTypes/InjectionSink.cpp
+++ b/Libraries/LibWeb/TrustedTypes/InjectionSink.cpp
@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2025, Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/TrustedTypes/InjectionSink.h>
+
+#include <AK/Utf16String.h>
+
+namespace Web::TrustedTypes {
+
+Utf16String to_string(InjectionSink sink)
+{
+    switch (sink) {
+#define __ENUMERATE_INJECTION_SINKS(name, value) \
+    case InjectionSink::name:                    \
+        return value##_utf16;
+        ENUMERATE_INJECTION_SINKS
+#undef __ENUMERATE_INJECTION_SINKS
+    default:
+        VERIFY_NOT_REACHED();
+    }
+}
+
+}
--- a/Libraries/LibWeb/TrustedTypes/InjectionSink.h
+++ b/Libraries/LibWeb/TrustedTypes/InjectionSink.h
@ -6,13 +6,32 @@

 #pragma once

+#include <AK/Utf16String.h>
+#include <LibWeb/HTML/GlobalEventHandlers.h>
+#include <LibWeb/HTML/WindowEventHandlers.h>
+
 namespace Web::TrustedTypes {

+#define EVENT_HANDLERS_INJECTION_SINKS(attribute_name, event_name) \
+    __ENUMERATE_INJECTION_SINKS(Element##attribute_name, "Element " #attribute_name)
+
 // https://w3c.github.io/trusted-types/dist/spec/#injection-sink
+#define ENUMERATE_INJECTION_SINKS                                                    \
+    __ENUMERATE_INJECTION_SINKS(Documentwrite, "Document write")                     \
+    __ENUMERATE_INJECTION_SINKS(Documentwriteln, "Document writeln")                 \
+    __ENUMERATE_INJECTION_SINKS(Function, "Function")                                \
+    __ENUMERATE_INJECTION_SINKS(HTMLIFrameElementsrcdoc, "HTMLIFrameElement srcdoc") \
+    __ENUMERATE_INJECTION_SINKS(HTMLScriptElementsrc, "HTMLScriptElement src")       \
+    __ENUMERATE_INJECTION_SINKS(SVGScriptElementhref, "SVGScriptElement href")       \
+    ENUMERATE_GLOBAL_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS)                  \
+    ENUMERATE_WINDOW_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS)
+
 enum class InjectionSink {
-    DocumentWrite,
-    DocumentWriteln,
-    Function,
+#define __ENUMERATE_INJECTION_SINKS(name, value) name,
+    ENUMERATE_INJECTION_SINKS
+#undef __ENUMERATE_INJECTION_SINKS
 };

+Utf16String to_string(InjectionSink sink);
+
 }
--- a/Libraries/LibWeb/TrustedTypes/TrustedTypePolicyFactory.cpp
+++ b/Libraries/LibWeb/TrustedTypes/TrustedTypePolicyFactory.cpp
@ -319,7 +319,7 @@ Optional<TrustedTypeData> get_trusted_type_data_for_attribute(Utf16String const&
 #define __ENUMERATE(attribute_name, event_name)                                                                                                      \
    if (attribute == HTML::AttributeNames::attribute_name) {                                                                                         \
        /* 1. Return (Element, null, attribute, TrustedScript, "Element " + attribute). */                                                           \
-        return TrustedTypeData { "Element"_utf16, {}, attribute, TrustedTypeName::TrustedScript, "Element " #attribute_name ""_utf16 }; \
+        return TrustedTypeData { "Element"_utf16, {}, attribute.to_utf8(), TrustedTypeName::TrustedScript, InjectionSink::Element##attribute_name }; \
    }
        ENUMERATE_GLOBAL_EVENT_HANDLERS(__ENUMERATE)
        ENUMERATE_WINDOW_EVENT_HANDLERS(__ENUMERATE)
@ -327,10 +327,10 @@ Optional<TrustedTypeData> get_trusted_type_data_for_attribute(Utf16String const&
    }

    static Vector<TrustedTypeData> const table {
-        { "HTMLIFrameElement"_utf16, {}, "srcdoc"_utf16, TrustedTypeName::TrustedHTML, "HTMLIFrameElement srcdoc"_utf16 },
-        { "HTMLScriptElement"_utf16, {}, "src"_utf16, TrustedTypeName::TrustedScriptURL, "HTMLScriptElement src"_utf16 },
-        { "SVGScriptElement"_utf16, {}, "href"_utf16, TrustedTypeName::TrustedScriptURL, "SVGScriptElement href"_utf16 },
-        { "SVGScriptElement"_utf16, Utf16String::from_utf8(Namespace::XLink), "href"_utf16, TrustedTypeName::TrustedScriptURL, "SVGScriptElement href"_utf16 },
+        { "HTMLIFrameElement"_utf16, {}, HTML::AttributeNames::srcdoc, TrustedTypeName::TrustedHTML, InjectionSink::HTMLIFrameElementsrcdoc },
+        { "HTMLScriptElement"_utf16, {}, HTML::AttributeNames::src, TrustedTypeName::TrustedScriptURL, InjectionSink::HTMLScriptElementsrc },
+        { "SVGScriptElement"_utf16, {}, HTML::AttributeNames::href, TrustedTypeName::TrustedScriptURL, InjectionSink::SVGScriptElementhref },
+        { "SVGScriptElement"_utf16, Utf16String::from_utf8(Namespace::XLink), HTML::AttributeNames::href, TrustedTypeName::TrustedScriptURL, InjectionSink::SVGScriptElementhref },
    };

    // 3. Find the row in the following table, where element is in the first column, attributeNs is in the second column,
--- a/Libraries/LibWeb/TrustedTypes/TrustedTypePolicyFactory.h
+++ b/Libraries/LibWeb/TrustedTypes/TrustedTypePolicyFactory.h
@ -10,6 +10,7 @@
 #include <LibWeb/Bindings/PlatformObject.h>
 #include <LibWeb/Bindings/TrustedTypePolicyFactoryPrototype.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+#include <LibWeb/TrustedTypes/InjectionSink.h>
 #include <LibWeb/TrustedTypes/TrustedTypePolicy.h>

 namespace Web::TrustedTypes {
@ -63,9 +64,9 @@ private:
 struct TrustedTypeData {
    Utf16String element;
    Optional<Utf16String> attribute_ns;
-    Utf16String attribute_local_name;
+    FlyString attribute_local_name;
    TrustedTypeName trusted_type;
-    Utf16String sink;
+    InjectionSink sink;
 };

 Optional<TrustedTypeData> get_trusted_type_data_for_attribute(Utf16String const&, Utf16String const&, Optional<Utf16String> const&);