more like untrustedtypes

2025-05-13 14:30:02 -04:00 · 2024-07-14 19:51:28 -04:00 · 2024-07-14 19:51:28 -04:00 · 6eb9b6f12c
commit 6eb9b6f12c
parent 92651ed66b
5 changed files with 48 additions and 45 deletions
--- a/src/client/element.ts
+++ b/src/client/element.ts
@ -51,11 +51,6 @@ for (const attr of attrs) {
 				if (/nonce|integrity|csp/.test(attr)) {
 					return;
 				} else if (/src|href|data|action|formaction/.test(attr)) {
-					// @ts-expect-error
-					if (value instanceof TrustedScriptURL) {
-						return;
-					}
-
 					value = encodeUrl(value);
 				} else if (attr === "srcdoc") {
 					value = rewriteHtml(value);
@ -115,17 +110,12 @@ const innerHTML = Object.getOwnPropertyDescriptor(

 Object.defineProperty(Element.prototype, "innerHTML", {
 	set(value) {
-		// @ts-expect-error
 		if (
-			this instanceof HTMLScriptElement &&
-			!(value instanceof TrustedScript)
+			this instanceof HTMLScriptElement
 		) {
 			value = rewriteJs(value);
 		} else if (this instanceof HTMLStyleElement) {
 			value = rewriteCss(value);
-			// @ts-expect-error
-		} else if (!(value instanceof TrustedHTML)) {
-			value = rewriteHtml(value);
 		}

 		return innerHTML.set.call(this, value);
--- a/src/client/trustedTypes.ts
+++ b/src/client/trustedTypes.ts
@ -1,32 +1,40 @@
-import { rewriteHtml, rewriteJs, encodeUrl } from "./shared";
+// import { rewriteHtml, rewriteJs, encodeUrl } from "./shared";

-// @ts-expect-error
-trustedTypes.createPolicy = new Proxy(trustedTypes.createPolicy, {
-	apply(target, thisArg, argArray) {
-		if (argArray[1].createHTML) {
-			argArray[1].createHTML = new Proxy(argArray[1].createHTML, {
-				apply(target1, thisArg1, argArray1) {
-					return rewriteHtml(target1(...argArray1));
-				},
-			});
-		}
+// trustedTypes.createPolicy = new Proxy(trustedTypes.createPolicy, {
+// 	apply(target, thisArg, argArray) {
+// 		if (argArray[1].createHTML) {
+// 			argArray[1].createHTML = new Proxy(argArray[1].createHTML, {
+// 				apply(target1, thisArg1, argArray1) {
+// 					return rewriteHtml(target1(...argArray1));
+// 				},
+// 			});
+// 		}
+//
+// 		if (argArray[1].createScript) {
+// 			argArray[1].createScript = new Proxy(argArray[1].createScript, {
+// 				apply(target1, thisArg1, argArray1) {
+// 					return rewriteJs(target1(...argArray1));
+// 				},
+// 			});
+// 		}
+//
+// 		if (argArray[1].createScriptURL) {
+// 			argArray[1].createScriptURL = new Proxy(argArray[1].createScriptURL, {
+// 				apply(target1, thisArg1, argArray1) {
+// 					return encodeUrl(target1(...argArray1));
+// 				},
+// 			});
+// 		}
+//
+// 		return Reflect.apply(target, thisArg, argArray);
+// 	},
+// });

-		if (argArray[1].createScript) {
-			argArray[1].createScript = new Proxy(argArray[1].createScript, {
-				apply(target1, thisArg1, argArray1) {
-					return rewriteJs(target1(...argArray1));
-				},
-			});
-		}
+//@ts-nocheck
+delete window.TrustedHTML;
+delete window.TrustedScript;
+delete window.TrustedScriptURL;
+delete window.TrustedTypePolicy;
+delete window.TrustedTypePolicyFactory;
+delete window.trustedTypes;

-		if (argArray[1].createScriptURL) {
-			argArray[1].createScriptURL = new Proxy(argArray[1].createScriptURL, {
-				apply(target1, thisArg1, argArray1) {
-					return encodeUrl(target1(...argArray1));
-				},
-			});
-		}
-
-		return Reflect.apply(target, thisArg, argArray);
-	},
-});
--- a/src/shared/rewriters/html.ts
+++ b/src/shared/rewriters/html.ts
@ -37,7 +37,7 @@ function traverseParsedHtml(node, origin?: URL) {
 	}

 	/* url attributes */
-	for (const urlAttr of ["src", "href", "data", "action", "formaction"]) {
+	for (const urlAttr of ["src", "href", "action", "formaction"]) {
 		if (hasAttrib(node, urlAttr) && !isScramjetFile(node.attribs[urlAttr])) {
 			const value = node.attribs[urlAttr];
 			node.attribs[`data-${urlAttr}`] = value;
@ -67,8 +67,12 @@ function traverseParsedHtml(node, origin?: URL) {
 			node.attribs.type
 		) &&
 		node.children[0] !== undefined
-	)
-		node.children[0].data = rewriteJs(node.children[0].data, origin);
+	) {
+		let js = node.children[0].data
+		const htmlcomment = /<!--[\s\S]*?-->/g;
+		js = js.replace(htmlcomment, "");
+		node.children[0].data = rewriteJs(js, origin);
+	}
 	if (node.name === "meta" && hasAttrib(node, "http-equiv")) {
 		if (node.attribs["http-equiv"] === "content-security-policy") {
 			node = {};
--- a/src/shared/rewriters/js.ts
+++ b/src/shared/rewriters/js.ts
@ -17,8 +17,6 @@ import * as ESTree from "estree";
 // parent

 export function rewriteJs(js: string, origin?: URL) {
-	const htmlcomment = /<!--[\s\S]*?-->/g;
-	js = js.replace(htmlcomment, "");
 	try {
 		const ast = parseModule(js, {
 			module: true,
--- a/src/shared/rewriters/url.ts
+++ b/src/shared/rewriters/url.ts
@ -27,6 +27,9 @@ export function encodeUrl(url: string | URL, origin?: URL) {
 		);
 	}

+	// is this the correct behavior?
+	if (!url) url = origin.href;
+
 	if (url.startsWith("javascript:")) {
 		return "javascript:" + rewriteJs(url.slice("javascript:".length));
 	} else if (/^(#|mailto|about|data)/.test(url)) {