chore: fix: Avoid elements created through the createElementNS api fr…

…om escaping the sandbox (#645) Co-authored-by: zhouxiao.shaw <[email protected]>
web-infra-dev · Oct 19, 2023 · be01235 · be01235 · vercel · Oct 19, 2023
1 parent 3116431
commit be01235
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 118 deletions.
diff --git a/packages/browser-vm/src/dynamicNode/index.ts b/packages/browser-vm/src/dynamicNode/index.ts
@@ -114,7 +114,8 @@ export function makeElInjector(sandboxConfig: SandboxOptions) {
 
   if (typeof window.Element === 'function') {
     // iframe can read html container this can't point to proxyDocument has Illegal invocation error
-    if (sandboxConfig.fixBaseUrl) safeWrapper(() => handleOwnerDocument());
+    if (sandboxConfig.fixBaseUrl || sandboxConfig.fixOwnerDocument)
+      safeWrapper(() => handleOwnerDocument());
     const rewrite = (
       methods: Array<string>,
       builder: typeof injector | typeof injectorRemoveChild,

diff --git a/packages/browser-vm/src/pluginify.ts b/packages/browser-vm/src/pluginify.ts
@@ -130,11 +130,13 @@ function createOptions(Garfish: interfaces.Garfish) {
           fixStaticResourceBaseUrl: Boolean(
             appInfo.sandbox?.fixStaticResourceBaseUrl,
           ),
+          fixOwnerDocument: Boolean(appInfo.sandbox?.fixOwnerDocument),
           disableWith: Boolean(appInfo.sandbox?.disableWith),
           disableElementtiming: Boolean(appInfo.sandbox?.disableElementtiming),
           strictIsolation: Boolean(appInfo.sandbox?.strictIsolation),
           // 缓存模式，不收集副作用
-          disableCollect: appInfo.cache === undefined ? true : Boolean(appInfo.cache),
+          disableCollect:
+            appInfo.cache === undefined ? true : Boolean(appInfo.cache),
           el: () => appInstance.htmlNode,
           styleScopeId: () => appInstance.appContainer.id,
           protectVariable: () => appInfo.protectVariable || [],

diff --git a/packages/browser-vm/src/proxyInterceptor/document.ts b/packages/browser-vm/src/proxyInterceptor/document.ts
@@ -65,6 +65,12 @@ export function createGetter(sandbox: Sandbox) {
           const el = value.call(document, tagName, options);
           return setSandboxRef(el);
         };
+      }
+      if (p === 'createElementNS') {
+        return function (...args) {
+          const el = value.call(document, ...args);
+          return setSandboxRef(el);
+        };
       } else if (p === 'createTextNode') {
         return function (data) {
           const el = value.call(document, data);

diff --git a/packages/browser-vm/src/types.ts b/packages/browser-vm/src/types.ts
@@ -22,6 +22,7 @@ export interface SandboxOptions {
   namespace: string;
   baseUrl?: string;
   fixBaseUrl?: boolean;
+  fixOwnerDocument?: boolean;
   fixStaticResourceBaseUrl?: boolean;
   disableWith?: boolean;
   strictIsolation?: boolean;

diff --git a/packages/core/src/config.ts b/packages/core/src/config.ts
@@ -114,6 +114,7 @@ export const createDefaultOptions = () => {
       disableWith: false,
       strictIsolation: false,
       disableElementtiming: false,
+      fixOwnerDocument: false,
     },
     // global hooks
     beforeLoad: () => {},

diff --git a/packages/core/src/interface.ts b/packages/core/src/interface.ts
@@ -81,6 +81,7 @@ export namespace interfaces {
     disableWith?: boolean;
     strictIsolation?: boolean;
     disableElementtiming?: boolean;
+    fixOwnerDocument?: boolean;
   }
 
   export interface Config {