Fixed bug in DOM security checks, fixes bug 37907, 23516. Added security check for htmlelement.innerhtml, fixes 39083. Added location check to BASE HREF=, fixes 35859. r=vidur. Added check to style= tag, fixes 16858, r=pierre.

git-svn-id: svn://10.0.0.236/trunk@70965 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/content/html/document/src/nsHTMLContentSink.cpp

@@ -3374,6 +3374,17 @@ HTMLContentSink::ProcessAREATag(const nsIParserNode& aNode)
 void 
 HTMLContentSink::ProcessBaseHref(const nsString& aBaseHref)
 {
+  //-- Make sure this page is allowed to load this URL
+  nsresult rv;
+  NS_WITH_SERVICE(nsIScriptSecurityManager, securityManager, 
+                  NS_SCRIPTSECURITYMANAGER_PROGID, &rv);
+  if (NS_FAILED(rv)) return;
+  nsCOMPtr<nsIURI> baseHrefURI;
+  rv = NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull);
+  if (NS_FAILED(rv)) return;
+  rv = securityManager->CheckLoadURI(mDocumentBaseURL, baseHrefURI, PR_FALSE);
+  if (NS_FAILED(rv)) return;
+
   if (nsnull == mBody) {  // still in real HEAD
     mHTMLDocument->SetBaseURL(aBaseHref);
     NS_RELEASE(mDocumentBaseURL);