EncodedJSValue JSC_HOST_CALL jsHTMLElementPrototypeFunctionInsertAdjacentElement(ExecState* exec)
{
JSValue thisValue = exec->hostThisValue();
if (!thisValue.inherits(&JSHTMLElement::s_info))
return throwVMTypeError(exec);
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(asObject(thisValue));
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
ExceptionCode ec = 0;
const String& where(ustringToString(exec->argument(0).toString(exec)));
if (exec->hadException())
return JSValue::encode(jsUndefined());
Element* element(toElement(exec->argument(1)));
if (exec->hadException())
return JSValue::encode(jsUndefined());
JSC::JSValue result = toJS(exec, castedThis->globalObject(), WTF::getPtr(imp->insertAdjacentElement(where, element, ec)));
setDOMException(exec, ec);
return JSValue::encode(result);
}
JSValue jsHTMLElementOuterText(ExecState* exec, JSValue slotBase, const Identifier&)
{
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(asObject(slotBase));
UNUSED_PARAM(exec);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
JSValue result = jsString(exec, imp->outerText());
#if defined(JSC_TAINTED)
if (imp->tainted()) {
unsigned int tainted = imp->tainted();
result.setTainted(imp->tainted());
TaintedStructure trace_struct;
trace_struct.taintedno = tainted;
trace_struct.internalfunc = "jsHTMLElementOuterText";
trace_struct.jsfunc = "htmlelement.outerText";
trace_struct.action = "propagate";
trace_struct.value = TaintedUtils::UString2string(result.toString(exec));
TaintedTrace* trace = TaintedTrace::getInstance();
trace->addTaintedTrace(trace_struct);
}
#endif
return result;
}
void setJSHTMLElementSpellcheck(ExecState* exec, JSObject* thisObject, JSValue value)
{
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(thisObject);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
imp->setSpellcheck(value.toBoolean(exec));
}
/*
|-------------------| |----------------| |------------------------------|
| string passing in | --> | is it tainted? | --> Y --> | taint the element / document | (bad approach, need to reset the document taint)
|___________________| |________________| |______________________________|
|
| |-------------------|
| --> Y --> | taint the element | (best approach)
|-------------------|
the ideal implementation is to set the element as tainted only (no need to set the doucment as tainted), and then the js can detect the element is tainted or not.
however, i found that js level detection does not work for the element now, so i tainted the document for reporting.
this method has the side effect, if the element is untatined, then we need to clear the tainted flag of the document.
*/
void setJSHTMLElementInnerHTML(ExecState* exec, JSObject* thisObject, JSValue value)
{
#if defined(JSC_TAINTED)
unsigned int tainted = TaintedUtils::isTainted(exec, value);
#endif
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(thisObject);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
ExceptionCode ec = 0;
imp->setInnerHTML(valueToStringWithNullCheck(exec, value), ec);
setDOMException(exec, ec);
#if defined(JSC_TAINTED)
unsigned int imp_tainted = imp->tainted();
if (tainted) {
// cerr
/*
char cid[50];
JSValue id = jsString(exec, imp->getAttribute(WebCore::HTMLNames::idAttr));
UString sid = id.toString(exec);
snprintf(cid, 50, "%s", sid.utf8(true).data());
cerr << "setJSHTMLElementInnerHTML:SETTING:" << cid << ":" << tainted << ":" << imp_tainted << endl;
*/
// cerr
//
// i dont know why this tainted flag cannot be queried from js level
// seems like the HTML element is persistent, but it is not the right HTML element, so need to loop through and find out
//
imp->setTainted(tainted);
imp->document()->setTainted(tainted);
TaintedStructure trace_struct;
trace_struct.taintedno = tainted;
trace_struct.internalfunc = "setJSHTMLElementInnerHTML";
trace_struct.jsfunc = "HTMLElement.innerHTML";
trace_struct.action = "sink";
trace_struct.value = TaintedUtils::UString2string(value.toString(exec));
TaintedTrace* trace = TaintedTrace::getInstance();
trace->addTaintedTrace(trace_struct);
//
// this condition really difficult to understand.
// wanna to reset the innerHTML of this element if it is tainted and passing in string is not tainted.
// there is a problem in this code, it is silly to do it, as if the imp->setTainted() is supposed to be work, then there is no need to do in this way.
//
} else if (imp_tainted == imp->document()->tainted()
&& imp_tainted != 0
&& !tainted) {
// cerr
/*
char cid[50];
JSValue id = jsString(exec, imp->getAttribute(WebCore::HTMLNames::idAttr));
UString sid = id.toString(exec);
snprintf(cid, 50, "%s", sid.utf8(true).data());
cerr << "setJSHTMLElementInnerHTML:RESETTING:" << cid << endl;
*/
// cerr
TaintedStructure trace_struct;
trace_struct.taintedno = 0;
// trace_struct.taintedno = imp_tainted;
trace_struct.internalfunc = "setJSHTMLElementInnerHTML";
trace_struct.jsfunc = "HTMLElement.innerHTML";
trace_struct.action = "reset";
trace_struct.value = TaintedUtils::UString2string(value.toString(exec));
TaintedTrace* trace = TaintedTrace::getInstance();
trace->addTaintedTrace(trace_struct);
imp->setTainted(0);
}
#endif
}
void setJSHTMLElementHidden(ExecState* exec, JSObject* thisObject, JSValue value)
{
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(thisObject);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
imp->setBooleanAttribute(WebCore::HTMLNames::hiddenAttr, value.toBoolean(exec));
}
void setJSHTMLElementTabIndex(ExecState* exec, JSObject* thisObject, JSValue value)
{
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(thisObject);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
imp->setTabIndex(value.toInt32(exec));
}
void setJSHTMLElementClassName(ExecState* exec, JSObject* thisObject, JSValue value)
{
JSHTMLElement* castedThis = static_cast<JSHTMLElement*>(thisObject);
HTMLElement* imp = static_cast<HTMLElement*>(castedThis->impl());
imp->setAttribute(WebCore::HTMLNames::classAttr, valueToStringWithNullCheck(exec, value));
}
JSValue jsHTMLElementConstructor(ExecState* exec, JSValue slotBase, const Identifier&)
{
JSHTMLElement* domObject = static_cast<JSHTMLElement*>(asObject(slotBase));
return JSHTMLElement::getConstructor(exec, domObject->globalObject());
}
