1 // Copyright 2020 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_SANITIZER_API_SANITIZER_H_
6 #define THIRD_PARTY_BLINK_RENDERER_MODULES_SANITIZER_API_SANITIZER_H_
7 
8 #include "third_party/blink/renderer/modules/modules_export.h"
9 #include "third_party/blink/renderer/platform/bindings/script_wrappable.h"
10 #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
11 
12 namespace blink {
13 
14 class Document;
15 class DocumentFragment;
16 class ExceptionState;
17 class SanitizerConfig;
18 class ScriptState;
19 class StringOrDocumentFragmentOrDocument;
20 class StringOrTrustedHTMLOrDocumentFragmentOrDocument;
21 
// Sanitizer declares the per-instance element and attribute lists (allow,
// block, drop) together with built-in default drop lists, and the two public
// sanitizing entry points. It is a ScriptWrappable, so it is presumably
// exposed to script through generated bindings -- confirm against the IDL.
// The implementation is not in this header; statements below that the
// declarations alone do not establish are marked as assumptions.
// NOTE(review): HashSet, HashMap, Vector and std::pair are used below, but the
// includes visible in this header do not name their headers directly; the
// file appears to rely on transitive includes.
22 class MODULES_EXPORT Sanitizer final : public ScriptWrappable {
23   DEFINE_WRAPPERTYPEINFO();
24 
25  public:
     // Factory taking the configuration and an ExceptionState for error
     // reporting. Whether a null config is accepted is not visible here.
26   static Sanitizer* Create(const SanitizerConfig*, ExceptionState&);
     // Constructs a sanitizer from the given configuration. Presumably fills
     // the allow/block/drop members below from it -- confirm in the .cc.
27   explicit Sanitizer(const SanitizerConfig*);
28   ~Sanitizer() override;
29 
     // Takes a string, DocumentFragment or Document (per the union type name)
     // and returns the result as a String.
30   String sanitizeToString(ScriptState*,
31                           StringOrDocumentFragmentOrDocument&,
32                           ExceptionState&);
     // Same kind of input, additionally accepting TrustedHTML (per the union
     // type name); returns the result as a DocumentFragment.
33   DocumentFragment* sanitize(ScriptState*,
34                              StringOrTrustedHTMLOrDocumentFragmentOrDocument&,
35                              ExceptionState&);
36 
     // ScriptWrappable tracing hook.
37   void Trace(Visitor*) const override;
38 
39  private:
     // Helpers that take an output container by mutable reference and a
     // list by const reference. Presumably they normalise the configured
     // names (e.g. letter case) into the member sets/maps -- TODO confirm.
40   void ElementFormatter(HashSet<String>&, const Vector<String>&);
41   void AttrFormatter(HashMap<String, Vector<String>>&,
42                      const Vector<std::pair<String, Vector<String>>>&);
43 
     // Presumably the shared implementation behind sanitize() and
     // sanitizeToString(); it takes the union without TrustedHTML and
     // returns a DocumentFragment.
44   DocumentFragment* SanitizeImpl(ScriptState*,
45                                  StringOrDocumentFragmentOrDocument&,
46                                  ExceptionState&);
47 
     // Element name sets and attribute maps for this instance, all empty
     // until something populates them.
48   HashSet<String> allow_elements_ = {};
49   HashSet<String> block_elements_ = {};
50   HashSet<String> drop_elements_ = {};
     // Presumably keyed by attribute name, with the value listing the
     // elements the entry applies to -- confirm against AttrFormatter.
51   HashMap<String, Vector<String>> allow_attributes_ = {};
52   HashMap<String, Vector<String>> drop_attributes_ = {};
53 
     // Both default to false. Presumably they record whether the config
     // supplied an allow list at all, so that "no allow list" can be told
     // apart from "empty allow list" -- TODO confirm in the .cc.
54   bool has_allow_elements_ = false;
55   bool has_allow_attributes_ = false;
56 
     // Built-in defaults. These are non-static const members, so each
     // Sanitizer instance constructs its own copy of every list.
     // The default block list is empty.
57   const HashSet<String> default_block_elements_ = {};
     // Built-in element drop list, written in upper case.
     // NOTE(review): this is a denylist, so it only covers the names it
     // spells out; confirm it is complete for the intended threat model.
     // Matching also depends on lookups using the same letter case as these
     // literals -- a case mismatch would silently skip an entry.
58   const HashSet<String> default_drop_elements_ = {"SCRIPT",    "ANNOTATION-XML",
59                                                   "AUDIO",     "COLGROUP",
60                                                   "DESC",      "FOREIGNOBJECT",
61                                                   "HEAD",      "IFRAME",
62                                                   "MATH",      "MI",
63                                                   "MN",        "MO",
64                                                   "MS",        "MTEXT",
65                                                   "NOEMBED",   "NOFRAMES",
66                                                   "PLAINTEXT", "STYLE",
67                                                   "SVG",       "TEMPLATE",
68                                                   "THEAD",     "TITLE",
69                                                   "VIDEO",     "XMP"};
     // Built-in attribute drop list; "*" presumably means "on any element".
     // NOTE(review): only onclick and onsubmit are listed. Other
     // event-handler attributes (onerror, onload, ...) are not covered by
     // this default, so unless the implementation strips them by another
     // route they would survive sanitization under the default
     // configuration. Confirm in the .cc and consider dropping every
     // event-handler attribute by default.
70   const HashMap<String, Vector<String>> default_drop_attributes_ = {
71       {"onclick", Vector<String>({"*"})},
72       {"onsubmit", Vector<String>({"*"})}};
73 };
74 
75 }  // namespace blink
76 
77 #endif  // THIRD_PARTY_BLINK_RENDERER_MODULES_SANITIZER_API_SANITIZER_H_
78