From 99c8fb716b1ed55f1656fdafa85bfb7d67a04cf8 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Mon, 18 Mar 2024 13:58:33 +0000 Subject: [PATCH] Update IDL for script enforcement - textContent and innerText are now both defined using a union type with setter step algorithms explicitly updated. --- spec/index.bs | 90 ++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 74 insertions(+), 16 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 9e1e08e..db5bdbe 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1186,6 +1186,27 @@ partial interface ShadowRoot { ### Enforcement for scripts ### {#enforcement-in-scripts} +This document modifies how {{HTMLScriptElement}} [=child text content=] can be set to allow applications to control dynamically created scripts. It does so by +modifying the {{HTMLElement/innerText}} and {{Node/textContent}} attributes. The behavior of the attributes remains the same +as in their original counterparts, apart from additional behavior similar to that triggered by the {{StringContext}} extended attribute. + +Note: Using these IDL attributes is the recommended way of dynamically setting the URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared. + +
+partial interface Node {
+  [CEReactions] attribute (DOMString or TrustedScript)? textContent;
+};
+
+partial interface Node {
+  [CEReactions] attribute ([LegacyNullToEmptyString] DOMString or TrustedScript) innerText;
+};
+
+partial interface HTMLScriptElement {
+ [CEReactions] attribute ScriptURLString src;
+ [CEReactions] attribute ScriptString text;
+};
+
+ #### Slots with trusted values #### {#slots-with-trusted-values} This document modifies {{HTMLScriptElement}}s. Each script has: @@ -1195,27 +1216,64 @@ This document modifies {{HTMLScriptElement}}s. Each script has: through a {{StringContext}} compliant sink. Equivalent to script's [=child text content=]. Initially null. -#### Setting slot values #### {#setting-slot-values} +#### Setting the {{HTMLElement/innerText}} IDL attribute #### {#setting-the-innerText-idl-attribute} -This document modifies how {{HTMLScriptElement}} [=child text content=] can be set to allow applications to control dynamically created scripts. It does so by -adding the {{HTMLElement/innerText}} and {{Node/textContent}} attributes directly on {{HTMLScriptElement}}. The behavior of the attributes remains the same -as in their original counterparts, apart from additional behavior triggered by the {{StringContext}} extended attribute presence. +Update the {{HTMLElement/innerText}} setter steps to: -Note: Using these IDL attributes is the recommended way of dynamically setting URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared. +1. If [=this=] is an {{HTMLScriptElement}}, then: + 1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with + {{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLElement innerText`, + `script` + 1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to |value|. +1. Otherwise, let |value| be the stringified given value. +1. Let |fragment| be the rendered text fragment for |value|the given value given [=this=]'s [=node document=]. +1. [=Replace all=] with |fragment| within [=this=]. -
-partial interface HTMLScriptElement {
- [CEReactions] attribute [LegacyNullToEmptyString] ScriptString innerText;
- [CEReactions] attribute ScriptString? textContent;
- [CEReactions] attribute ScriptURLString src;
- [CEReactions] attribute ScriptString text;
-};
-
+#### Setting the {{Node/textContent}} IDL attribute #### {#setting-the-textContent-idl-attribute} + +Update the {{Node/textContent}} setter steps algorithm as follows. + +

The {{Node/textContent}} setter steps are to, if the given value is null, act as if it was the +empty string instead, and then do as described below, switching on the interface this +implements: + +

+
{{DocumentFragment}} +
{{Element}} +
+
    +
  1. +

    If this is an {{HTMLScriptElement}}, then: +

      +
    1. +

      Let |value| be the result of calling [$Get Trusted Type compliant string$] with + {{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `Node textContent`, + `script` +

    2. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to |value|. +

    + +
  2. Otherwise, let |value| be the stringified given value. + +
  3. String replace all with |value|the given value within this. +

+ +
{{Attr}} +

Set an existing attribute value with this and the given value. + +

{{CharacterData}} +

Replace data with node this, offset 0, count this's + length, and data the given value. + +

Otherwise +

Do nothing. +

+ +#### Setting the {{HTMLScriptElement/text}} IDL attribute #### {#setting-the-text-idl-attribute} -On setting the {{HTMLElement/innerText}}, {{Node/textContent}} and {{HTMLScriptElement/text}} IDL attributes execute the following algorithm: +Update the {{HTMLScriptElement/text}} setter steps algorithm as follows. -1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to the stringified attribute value. -1. Perform the usual attribute setter steps. +1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to the given value. +1. [=String replace all=] with the given value within this script element. #### Slot value verification #### {#slot-value-verification}