LibWeb: Check if scripting is disabled before running script

This is not a full check, it's just enough to prevent script execution in DOMParser.
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/0ea50d44bfd Pull-request: https://github.com/SerenityOS/serenity/pull/8449
2025-01-24 02:03:06 -05:00 · 2021-07-05 03:59:47 +01:00 · 2021-07-05 03:59:47 +01:00 · 0ea50d44bf · 2024-07-18 10:24:40 +09:00
commit 0ea50d44bf
parent ce314c54bd
3 changed files with 13 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/DOM/Node.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Node.cpp
@ -637,4 +637,11 @@ void Node::serialize_tree_as_json(JsonObjectSerializer<StringBuilder>& object) c
    }
 }

+// https://html.spec.whatwg.org/multipage/webappapis.html#concept-n-noscript
+bool Node::is_scripting_disabled() const
+{
+    // FIXME: or when scripting is disabled for its relevant settings object.
+    return !document().browsing_context();
+}
+
 }
--- a/Userland/Libraries/LibWeb/DOM/Node.h
+++ b/Userland/Libraries/LibWeb/DOM/Node.h
@ -163,6 +163,8 @@ public:

    bool is_host_including_inclusive_ancestor_of(const Node&) const;

+    bool is_scripting_disabled() const;
+
    // Used for dumping the DOM Tree
    void serialize_tree_as_json(JsonObjectSerializer<StringBuilder>&) const;

--- a/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
+++ b/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
@ -153,7 +153,10 @@ void HTMLScriptElement::prepare_script()
        return;
    }

-    // FIXME: Check if scripting is disabled, if so return
+    if (is_scripting_disabled()) {
+        dbgln("HTMLScriptElement: Refusing to run script because scripting is disabled.");
+        return;
+    }

    if (m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::nomodule)) {
        dbgln("HTMLScriptElement: Refusing to run classic script because it has the nomodule attribute.");