// NOTE(review): this is an earlier, incomplete copy of
// jsHTMLDocumentPrototypeFunctionWrite. The listing stops right after the
// tainted-string branch (no #endif, no call to write(), no closing brace);
// a complete, later revision of the same function appears further down in
// this file. The code is kept exactly as given; the differences from the
// later revision are pointed out in the comments below.
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWrite(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#ifdef JSC_TAINTED
    /* Original author's note: if this code segment is commented out and the
       detection is moved to bindings/js/JSHTMLDocumentCustom.cpp, a test case
       such as
         document.write("hello"+document.location.href.substring(document.location.href.indexOf("default=")+8));
       is no longer detected. The reason still has to be investigated; the
       guess is that the following code does not cover the primitive-string
       case. */
    // Only the first argument is inspected here; document.write() accepts
    // several arguments.
    JSValue s = exec->argument(0);
    if (s.isString() && s.isTainted()) {
        HTMLDocument* d1 = static_cast<HTMLDocument*>(castedThis->impl());
        d1->setTainted(s.isTainted());
        TaintedStructure trace_struct;
        trace_struct.taintedno = s.isTainted();
        trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWrite";
        trace_struct.jsfunc = "document.write";
        trace_struct.action = "sink";
        // The traced value passes through a 20-byte buffer and a stringstream:
        // snprintf keeps at most 19 bytes, and `>>` into the string field stops
        // at the first whitespace, so what is recorded is a truncated,
        // single-token prefix of the tainted string. The later revision of
        // this function records the whole value via
        // TaintedUtils::UString2string(s.toString(exec)) instead.
        char msg[20];
        stringstream msgss;
        snprintf(msg, 20, "%s", s.toString(exec).utf8(true).data());
        msgss << msg;
        msgss >> trace_struct.value;
        TaintedTrace* trace = TaintedTrace::getInstance();
        trace->addTaintedTrace(trace_struct);
    }
    // NOTE(review): the listing is truncated at this point.
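// document.write(): JSC_TAINTED sink hook placed in front of the real
// implementation.
//
// Every argument is examined, since document.write() takes any number of
// arguments and a taint mark on any of them reaches the parser. A tainted
// argument — either a primitive string or a String wrapper object — marks
// the owning HTMLDocument as tainted and records one "sink" entry in the
// global TaintedTrace. The write itself is then carried out by
// JSHTMLDocument::write, whose behaviour is unchanged.
//
// Original author's note (kept): if this code segment is commented out and
// the detection is moved to bindings/js/JSHTMLDocumentCustom.cpp, a test
// case such as
//   document.write("hello"+document.location.href.substring(document.location.href.indexOf("default=")+8));
// is no longer detected. The reason still has to be investigated; the guess
// is that the following code does not cover the primitive-string case.
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWrite(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#if defined(JSC_TAINTED)
    for (size_t i = 0; i < exec->argumentCount(); ++i) {
        JSValue s = exec->argument(i);

        // The taint mark sits either on the primitive string itself or on a
        // String wrapper object; the two cases are mutually exclusive.
        unsigned int tainted = 0;
        if (s.isString())
            tainted = s.isTainted();
        else if (s.inherits(&StringObject::s_info))
            tainted = asStringObject(s)->isTainted();
        if (!tainted)
            continue;

        HTMLDocument* htmlDocument = static_cast<HTMLDocument*>(castedThis->impl());
        htmlDocument->setTainted(tainted);

        TaintedStructure trace_struct;
        trace_struct.taintedno = tainted;
        trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWrite";
        trace_struct.jsfunc = "document.write";
        trace_struct.action = "sink";
        // Record the whole string: the trace is what an analyst reads to see
        // which tainted data reached the sink.
        trace_struct.value = TaintedUtils::UString2string(s.toString(exec));
        TaintedTrace::getInstance()->addTaintedTrace(trace_struct);
    }
#endif
    return JSValue::encode(castedThis->write(exec));
}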
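// document.writeln(): JSC_TAINTED sink hook placed in front of the real
// implementation; mirrors the document.write() hook.
//
// Every argument is examined, since document.writeln() takes any number of
// arguments and a taint mark on any of them reaches the parser. A tainted
// argument — either a primitive string or a String wrapper object — marks
// the owning HTMLDocument as tainted and records one "sink" entry in the
// global TaintedTrace. The write itself is then carried out by
// JSHTMLDocument::writeln, whose behaviour is unchanged.
EncodedJSValue JSC_HOST_CALL jsHTMLDocumentPrototypeFunctionWriteln(ExecState* exec)
{
    JSValue thisValue = exec->hostThisValue();
    if (!thisValue.inherits(&JSHTMLDocument::s_info))
        return throwVMTypeError(exec);
    JSHTMLDocument* castedThis = static_cast<JSHTMLDocument*>(asObject(thisValue));
#if defined(JSC_TAINTED)
    for (size_t i = 0; i < exec->argumentCount(); ++i) {
        JSValue s = exec->argument(i);

        // The taint mark sits either on the primitive string itself or on a
        // String wrapper object; the two cases are mutually exclusive.
        unsigned int tainted = 0;
        if (s.isString())
            tainted = s.isTainted();
        else if (s.inherits(&StringObject::s_info))
            tainted = asStringObject(s)->isTainted();
        if (!tainted)
            continue;

        HTMLDocument* htmlDocument = static_cast<HTMLDocument*>(castedThis->impl());
        htmlDocument->setTainted(tainted);

        TaintedStructure trace_struct;
        trace_struct.taintedno = tainted;
        trace_struct.internalfunc = "jsHTMLDocumentPrototypeFunctionWriteln";
        trace_struct.jsfunc = "document.writeln";
        trace_struct.action = "sink";
        // Record the whole string: the trace is what an analyst reads to see
        // which tainted data reached the sink.
        trace_struct.value = TaintedUtils::UString2string(s.toString(exec));
        TaintedTrace::getInstance()->addTaintedTrace(trace_struct);
    }
#endif
    return JSValue::encode(castedThis->writeln(exec));
}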
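// Setter for `location.hash`.
//
// Under JSC_TAINTED the assigned value is inspected before the real setter
// runs. A taint mark can sit on a primitive string, on a String wrapper
// object, or on the string an arbitrary object converts to; when one is
// found, the document owning this Location is marked tainted and a "sink"
// entry is recorded in the global TaintedTrace. The assignment is always
// forwarded to JSLocation::setHash afterwards, tainted or not.
void setJSLocationHash(ExecState* exec, JSObject* thisObject, JSValue value)
{
#ifdef JSC_TAINTED
    unsigned int tainted = 0;
    if (value.isString())
        tainted = value.isTainted();
    if (value.inherits(&StringObject::s_info))
        tainted = asStringObject(value)->isTainted();

    // Converting an object to a string may run script (a user-defined
    // toString()), so it is done once here and the result is reused for the
    // trace below instead of converting the value a second time.
    UString stringValue;
    bool haveStringValue = false;
    if (value.isObject()) {
        stringValue = value.toString(exec);
        haveStringValue = true;
        if (stringValue.isTainted())
            tainted = stringValue.isTainted();
    }

    if (tainted) {
        JSLocation* castedThis = static_cast<JSLocation*>(thisObject);
        Location* imp = static_cast<Location*>(castedThis->impl());
        // imp->frame() is not guaranteed to be non-null (a Location can be
        // detached from its frame); guard before dereferencing.
        if (Frame* frame = imp->frame()) {
            if (Document* document = frame->document())
                document->setTainted(tainted);
        }

        TaintedStructure trace_struct;
        trace_struct.taintedno = tainted;
        trace_struct.internalfunc = "setJSLocationHash";
        trace_struct.jsfunc = "location.hash";
        trace_struct.action = "sink";
        // Record the whole value, as the document.write sink does, rather
        // than a 19-byte, whitespace-truncated prefix.
        if (!haveStringValue)
            stringValue = value.toString(exec);
        trace_struct.value = TaintedUtils::UString2string(stringValue);
        TaintedTrace::getInstance()->addTaintedTrace(trace_struct);
    }
#endif
    static_cast<JSLocation*>(thisObject)->setHash(exec, value);
}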