Skip to content

Commit

Permalink
Update IDL for script enforcement
Browse files Browse the repository at this point in the history
- Node/textContent, and Element/innerText are both now shadowed on HTMLScriptElement.

HTMLScriptElement/textContent uses a union type rather than [StringContext] because it uses a nullable type.
  • Loading branch information
lukewarlow committed Apr 3, 2024
1 parent fc82918 commit 2d2077c
Showing 1 changed file with 45 additions and 16 deletions.
61 changes: 45 additions & 16 deletions spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,9 @@ spec:ECMA-262; urlPrefix: https://tc39.github.io/ecma262/
type:dfn; text:current realm record; url: current-realm
spec: HTML; urlPrefix: https://html.spec.whatwg.org/
type: dfn; text: prepare the script element; url: prepare-the-script-element
spec:DOM; urlPrefix: https://dom.spec.whatwg.org/
type: dfn; text: get text content; url: get-text-content
type: dfn; text: set text content; url: set-text-content
</pre>

<pre class="link-defaults">
Expand Down Expand Up @@ -1186,36 +1189,62 @@ partial interface ShadowRoot {

### Enforcement for scripts ### {#enforcement-in-scripts}

#### Slots with trusted values #### {#slots-with-trusted-values}

This document modifies {{HTMLScriptElement}}s. Each script has:

: <dfn for="HTMLScriptElement" lt="[[ScriptText]]" attribute>`[[ScriptText]]`</dfn> internal slot.
:: A string, containing the body of the script to execute that was set
through a {{StringContext}} compliant sink. Equivalent to script's
[=child text content=]. Initially null.

#### Setting slot values #### {#setting-slot-values}

This document modifies how {{HTMLScriptElement}} [=child text content=] can be set to allow applications to control dynamically created scripts. It does so by
adding the {{HTMLElement/innerText}} and {{Node/textContent}} attributes directly on {{HTMLScriptElement}}. The behavior of the attributes remains the same
as in their original counterparts, apart from additional behavior triggered by the {{StringContext}} extended attribute presence.

Note: Using these IDL attributes is the recommended way of dynamically setting URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared.
Note: Using these IDL attributes is the recommended way of dynamically setting the URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared.

<pre class="idl exclude">
partial interface HTMLScriptElement {
[CEReactions] attribute [LegacyNullToEmptyString] ScriptString innerText;
[CEReactions] attribute ScriptString? textContent;
[CEReactions] attribute (DOMString or TrustedScript)? textContent;
[CEReactions] attribute ScriptURLString src;
[CEReactions] attribute ScriptString text;
};
</pre>

On setting the {{HTMLElement/innerText}}, {{Node/textContent}} and {{HTMLScriptElement/text}} IDL attributes execute the following algorithm:
#### Slots with trusted values #### {#slots-with-trusted-values}

This document modifies {{HTMLScriptElement}}s. Each script has:

: <dfn for="HTMLScriptElement" lt="[[ScriptText]]" attribute>`[[ScriptText]]`</dfn> internal slot.
:: A string, containing the body of the script to execute that was set
through a {{StringContext}} compliant sink. Equivalent to script's
[=child text content=]. Initially null.

#### The {{HTMLScriptElement/innerText}} IDL attribute #### {#the-innerText-idl-attribute}

The {{HTMLScriptElement/innerText}} setter steps are:

1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to |value|.
1. Run the {{HTMLElement/innerText}} setter steps with the given value |value|.

The {{HTMLScriptElement/innerText}} getter steps are:

1. Run the {{HTMLElement/innerText}} getter steps.

#### The {{HTMLScriptElement/textContent}} IDL attribute #### {#the-textContent-idl-attribute}

The {{HTMLScriptElement/textContent}} setter steps are to, if the given value is null, act as if it was the
empty string instead, and then do as described below:

1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement textContent`,
`script`.
1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to |value|.
1. Run [=set text content=] with [=this=] and |value|.

The {{HTMLScriptElement/textContent}} getter steps are:

1. Return the result of running [=get text content=] with [=this=].

#### The {{HTMLScriptElement/text}} IDL attribute #### {#the-text-idl-attribute}

Update the {{HTMLScriptElement/text}} setter steps algorithm as follows.

1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to the stringified attribute value.
1. Perform the usual attribute setter steps.
1. <ins>Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to the given value.</ins>
1. [=String replace all=] with the given value within this <code>script</code> element.

#### Slot value verification #### {#slot-value-verification}

Expand Down

0 comments on commit 2d2077c

Please sign in to comment.