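def _set_HTML_property(function, new_value, traverser):
    """Screen a static string assignment for inline script, then validate it as markup.

    Only acts when ``new_value`` is a ``jstypes.JSLiteral`` whose literal
    value is a string; every other value is ignored.  A string that matches
    ``EVENT_ASSIGNMENT``, contains ``<script`` in any letter case, or
    matches ``JS_URL`` is reported through ``warn``.  A string that matches
    none of these is handed to ``MarkupParser`` in non-strict mode.

    Args:
        function: Not used by this check.
        new_value: The value being assigned.
        traverser: Supplies the error bundle (``err``) and the location
            fields (``filename``, ``line``, ``position``, ``context``).
    """
    if not isinstance(new_value, jstypes.JSLiteral):
        return

    # TODO: This might be optimizable as get_as_str
    literal_value = new_value.get_literal_value(traverser)
    if not isinstance(literal_value, types.StringTypes):
        return

    # Static string assignments.
    # Test for on* attributes and script tags.  HTML tag names are not
    # case-sensitive, so the `<script` test runs on the same lower-cased
    # copy as the event-attribute test; otherwise `<SCRIPT` would slip
    # past this check and fall through to the markup parser.
    lowered = literal_value.lower()
    if EVENT_ASSIGNMENT.search(lowered):
        violation_type = "javascript_event_assignment"
    # NOTE(review): JS_URL still sees the original casing; whether it
    # ignores case depends on how the pattern is compiled elsewhere in
    # this module -- confirm.
    elif "<script" in lowered or JS_URL.search(literal_value):
        violation_type = "javascript_url"
    else:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from ..markup.markuptester import MarkupParser
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, "xul")
        return

    warn(traverser.err,
         filename=traverser.filename,
         line=traverser.line,
         column=traverser.position,
         context=traverser.context,
         violation_type=violation_type)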
def set_on_event(new_value, traverser):
    """Check a value that is being assigned to an on* property.

    A literal whose value is a string is reported through ``warn`` as a
    ``setting_on-event`` violation.  A non-literal that has a
    ``handleEvent`` property is reported as an error on the traverser's
    error bundle.  Anything else passes silently.

    Args:
        new_value: The value being assigned.
        traverser: Supplies the error bundle and the location fields.
    """
    if new_value.is_literal():
        # Literal branch: only string literals are flagged.
        if isinstance(new_value.get_literal_value(), types.StringTypes):
            warn(traverser.err,
                 filename=traverser.filename,
                 line=traverser.line,
                 column=traverser.position,
                 context=traverser.context,
                 violation_type="setting_on-event")
        return

    # Non-literal branch: an object exposing handleEvent is an error.
    if new_value.has_property("handleEvent"):
        traverser.err.error(
            err_id=("js", "on*", "handleEvent"),
            error="`handleEvent` no longer implemented in Gecko 18.",
            description="As of Gecko 18, objects with `handleEvent` methods "
                        "may no longer be assigned to `on*` properties. Doing "
                        "so will be equivalent to assigning `null` to the "
                        "property.",
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
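def _set_HTML_property(function, new_value, traverser):
    """Screen a static string assignment for inline script, then validate it as markup.

    Only acts when ``new_value`` is a ``jstypes.JSLiteral`` whose literal
    value is a string; every other value is ignored.  A string that matches
    ``EVENT_ASSIGNMENT``, contains ``<script`` in any letter case, or
    matches ``JS_URL`` is reported through ``warn``.  A string that matches
    none of these is handed to ``MarkupParser`` in non-strict mode.

    Args:
        function: Not used by this check.
        new_value: The value being assigned.
        traverser: Supplies the error bundle (``err``) and the location
            fields (``filename``, ``line``, ``position``, ``context``).
    """
    if not isinstance(new_value, jstypes.JSLiteral):
        return

    # TODO: This might be optimizable as get_as_str
    literal_value = new_value.get_literal_value()
    if not isinstance(literal_value, types.StringTypes):
        return

    # Static string assignments.
    # Test for on* attributes and script tags.  HTML tag names are not
    # case-sensitive, so the `<script` test runs on the same lower-cased
    # copy as the event-attribute test; otherwise `<SCRIPT` would slip
    # past this check and fall through to the markup parser.
    lowered = literal_value.lower()
    if EVENT_ASSIGNMENT.search(lowered):
        violation_type = "javascript_event_assignment"
    # NOTE(review): JS_URL still sees the original casing; whether it
    # ignores case depends on how the pattern is compiled elsewhere in
    # this module -- confirm.
    elif "<script" in lowered or JS_URL.search(literal_value):
        violation_type = "javascript_url"
    else:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from ..markup.markuptester import MarkupParser
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, "xul")
        return

    warn(traverser.err,
         filename=traverser.filename,
         line=traverser.line,
         column=traverser.position,
         context=traverser.context,
         violation_type=violation_type)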
def call_wrap(*args, **kwargs):
    """Report a ``script`` violation at the traverser's current position.

    The traverser is the ``traverser`` keyword argument when that is
    present and truthy, otherwise the last positional argument.  The
    warning is issued on every call; no argument is inspected.
    """
    traverser = kwargs.get("traverser")
    if not traverser:
        # Fall back to the trailing positional argument.
        traverser = args[-1]

    from appvalidator.csp import warn

    err = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(err=err, violation_type="script", **location)
def wrap(wrapper, arguments, traverser):
    """Report a ``set*`` violation when the first argument is not callable.

    Nothing is reported for a call without arguments, or when the first
    argument's ``callable`` attribute is truthy.

    Args:
        wrapper: Not used by this check.
        arguments: The call's arguments; only the first one is inspected.
        traverser: Supplies the error bundle and the location fields.
    """
    if not arguments:
        return
    first = arguments[0]
    if first.callable:
        return

    from appvalidator.csp import warn

    err = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(err=err, violation_type="set*", **location)
def _create_script_tag(traverser):
    """Report a ``createElement-script`` violation at the traverser's position.

    Args:
        traverser: Supplies the error bundle and the location fields.
    """
    bundle = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(bundle, violation_type="createElement-script", **location)
def call_wrap(*args, **kwargs):
    """Report a ``script`` violation on every call and return ``False``.

    Neither ``args`` nor ``kwargs`` is read.
    """
    from appvalidator.csp import warn

    # NOTE(review): `traverser` is not a parameter of this function; it has
    # to come from an enclosing scope that this listing does not show --
    # confirm, otherwise this line raises NameError.
    err = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(err=err, violation_type="script", **location)
    return False
def _create_variable_element(traverser):
    """Report a ``createElement-variable`` violation at the traverser's position.

    Args:
        traverser: Supplies the error bundle and the location fields.
    """
    bundle = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(bundle, violation_type="createElement-variable", **location)
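def wrap(a, t, e):
    """Report a ``createElementNS`` violation for a possible script element.

    Warns when the call has fewer than two arguments, or when the second
    argument, passed through ``t`` and ``_get_as_str``, contains "script"
    in any letter case.

    Args:
        a: The call's arguments; ``a[1]`` is the one inspected.
        t: Callable applied to ``a[1]`` before it is converted to a string.
        e: Not used by this check.

    Returns:
        ``False``.
    """
    # Guard the a[1] lookup: with a single argument it would raise
    # IndexError and abort the check, so a short call is reported the same
    # way as an empty one.
    if not a or len(a) < 2 or "script" in _get_as_str(t(a[1])).lower():
        from appvalidator.csp import warn

        # NOTE(review): `traverser` is not a parameter of this function; it
        # has to come from an enclosing scope that this listing does not
        # show -- confirm, otherwise this call raises NameError.
        warn(err=traverser.err,
             filename=traverser.filename,
             line=traverser.line,
             column=traverser.position,
             context=traverser.context,
             violation_type="createElementNS")
    # NOTE(review): the listing lost its indentation; this return is placed
    # at function level -- confirm against the original file.
    return False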
def wrap(a, t, e):
    """Report a ``set*`` violation unless the first argument is a function expression.

    Nothing is reported for a call without arguments, or when the first
    argument's ``"type"`` entry equals ``"FunctionExpression"``.

    Args:
        a: The call's arguments; only ``a[0]["type"]`` is read.
        t: Not used by this check.
        e: Not used by this check.

    Returns:
        ``False``.
    """
    # NOTE(review): the listing lost its indentation; every path below
    # returns False on the assumption that the original return sat at
    # function level -- confirm against the original file.
    if not a:
        return False
    if a[0]["type"] == "FunctionExpression":
        return False

    from appvalidator.csp import warn

    # NOTE(review): `traverser` is not a parameter of this function; it has
    # to come from an enclosing scope that this listing does not show --
    # confirm, otherwise this line raises NameError.
    err = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(err=err, violation_type="set*", **location)
    return False
def set_on_event(new_value, traverser):
    """Report a string literal that is being assigned to an on* property.

    Only a ``jstypes.JSLiteral`` whose literal value is a string is
    reported (``setting_on-event``); every other value passes silently.

    Args:
        new_value: The value being assigned.
        traverser: Supplies the error bundle and the location fields.
    """
    if not isinstance(new_value, jstypes.JSLiteral):
        return
    if not isinstance(new_value.get_literal_value(), types.StringTypes):
        return

    bundle = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(bundle, violation_type="setting_on-event", **location)
def set_on_event(new_value, traverser):
    """Report a string literal that is being assigned to an on* property.

    Only a ``jstypes.JSLiteral`` whose literal value is a string is
    reported (``setting_on-event``); every other value passes silently.

    Args:
        new_value: The value being assigned.
        traverser: Passed to ``get_literal_value`` and used for the error
            bundle and the location fields.
    """
    if not isinstance(new_value, jstypes.JSLiteral):
        return
    literal = new_value.get_literal_value(traverser)
    if not isinstance(literal, types.StringTypes):
        return

    bundle = traverser.err
    location = {
        "filename": traverser.filename,
        "line": traverser.line,
        "column": traverser.position,
        "context": traverser.context,
    }
    warn(bundle, violation_type="setting_on-event", **location)
def setAttribute(args, traverser, wrapper):
    """Report a setAttribute call whose attribute name starts with "on".

    Only the first argument (the attribute name) is inspected, compared
    without regard to letter case; the value being set is not looked at
    here.  A call without arguments is ignored.

    Args:
        args: The call's arguments.
        traverser: Passed to ``get_literal_value`` and used for the error
            bundle and the location fields.
        wrapper: Not used by this check.
    """
    if args:
        attr_name = utils.get_as_str(args[0].get_literal_value(traverser))
        if attr_name.lower().startswith("on"):
            bundle = traverser.err
            location = {
                "filename": traverser.filename,
                "line": traverser.line,
                "column": traverser.position,
                "context": traverser.context,
            }
            warn(bundle, violation_type="setAttribute-on", **location)
def setAttribute(args, traverser, wrapper):
    """Report a setAttribute call whose attribute name starts with "on".

    Only the first argument (the attribute name) is inspected, compared
    without regard to letter case; the value being set is not looked at
    here.  A call without arguments is ignored.

    Args:
        args: The call's arguments.
        traverser: Supplies the error bundle and the location fields.
        wrapper: Not used by this check.
    """
    if args:
        attr_name = utils.get_as_str(args[0].get_literal_value())
        if attr_name.lower().startswith("on"):
            bundle = traverser.err
            location = {
                "filename": traverser.filename,
                "line": traverser.line,
                "column": traverser.position,
                "context": traverser.context,
            }
            warn(bundle, violation_type="setAttribute-on", **location)
def setAttribute(args, traverser, node, wrapper):
    """Report a setAttribute call whose attribute name starts with "on".

    Every argument is traversed, but only the first one (the attribute
    name) is inspected, compared without regard to letter case; the value
    being set is not looked at here.  A call without arguments is ignored.

    Args:
        args: The call's argument nodes.
        traverser: Traverses the nodes and supplies the error bundle and
            the location fields.
        node: Not used by this check.
        wrapper: Not used by this check.
    """
    if args:
        # Traverse all arguments, as the original comprehension did, even
        # though only the first result is read.
        simple_args = []
        for arg_node in args:
            simple_args.append(traverser._traverse_node(arg_node))

        attr_name = actions._get_as_str(simple_args[0].get_literal_value())
        if attr_name.lower().startswith("on"):
            bundle = traverser.err
            location = {
                "filename": traverser.filename,
                "line": traverser.line,
                "column": traverser.position,
                "context": traverser.context,
            }
            warn(bundle, violation_type="setAttribute-on", **location)