[Trusted Types] Get list of event handlers from WebIDL

This change retrieves the list of attributes declared as event handlers from WebIDL and uses that to check for TrustedScript, instead of using the string prefix "on". Bug: 993268, 1084587 Change-Id: Ic15bc0994bcd19d9d7385cbef4af0f01af820ae1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3616765 Reviewed-by: Mason Freed <masonf@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1003034}
web-platform-tests · May 13, 2022 · 559b045 · 559b045
1 parent c95ef3b
commit 559b045
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/trusted-types/trusted-types-event-handlers.tentative.html b/trusted-types/trusted-types-event-handlers.tentative.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+</head>
+<body>
+<script>
+const element = document.createElement("div");
+
+[
+  "onclick",
+  "onchange",
+  "onfocus",
+  "oNclick",
+  "OnClIcK"
+].forEach(name => {
+  test(t => {
+    assert_throws_js(TypeError,
+        _ => element.setAttribute(name, "2+2"));
+  }, `Event handler ${name} should be blocked.`);
+});
+
+[
+  "one",
+  "oNe",
+  "onIcon",
+  "offIcon",
+  "blubb"
+].forEach(name => {
+  test(t => {
+    element.setAttribute(name, "2+2");
+  }, `Non-event handler ${name} should not be blocked.`);
+});
+
+// We'd like to be sure we're not missing anything. Let's "query" an HTML
+// element about which attributes it knows.
+const div = document.createElement("div");
+for(name in div.__proto__) {
+  const should_be_event_handler = name.startsWith("on");
+  if (should_be_event_handler) {
+    test(t => {
+      assert_throws_js(TypeError,
+          _ => element.setAttribute(name, "2+2"));
+    }, `Event handler div.${name} should be blocked.`);
+  } else {
+    test(t => {
+      element.setAttribute(name, "2+2");
+    }, `Non-event handler div.${name} should not be blocked.`);
+  }
+}
+</script>
+</body>