Bug 1342348 part 1 - Don't check fragment-only URLs in tree sanitizer. r?hsivonen
MozReview-Commit-ID: 8tIiMtexHxd
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1276,16 +1276,20 @@ nsTreeSanitizer::SanitizeURL(mozilla::do
{
nsAutoString value;
aElement->GetAttr(aNamespace, aLocalName, value);
// Get value and remove mandatory quotes
static const char* kWhitespace = "\n\r\t\b";
const nsAString& v =
nsContentUtils::TrimCharsInSet(kWhitespace, value);
+ // Fragment-only url cannot be harmful.
+ if (!v.IsEmpty() && v.First() == u'#') {
+ return false;
+ }
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
nsCOMPtr<nsIURI> baseURI = aElement->GetBaseURI();
nsCOMPtr<nsIURI> attrURI;
nsresult rv = NS_NewURI(getter_AddRefs(attrURI), v, nullptr, baseURI);
if (NS_SUCCEEDED(rv)) {