LibWeb: Avoid invoking Trusted Types where avoidable

Prevents observably calling Trusted Types, which can run arbitrary JS,
cause crashes due to use of MUST and allow arbitrary JS to modify
internal elements.

Author: Lubrsi

Libraries/LibWeb/ARIA/ARIAMixin.h

@@ -34,7 +34,7 @@ class WEB_API ARIAMixin {
 
 #define __ENUMERATE_ARIA_ATTRIBUTE(name, attribute) \
     virtual Optional<String> name() const = 0;      \
-    virtual WebIDL::ExceptionOr<void> set_##name(Optional<String> const&) = 0;
+    virtual void set_##name(Optional<String> const&) = 0;
     ENUMERATE_ARIA_ATTRIBUTES
 #undef __ENUMERATE_ARIA_ATTRIBUTE
 

Libraries/LibWeb/Bindings/AudioConstructor.cpp

@@ -49,15 +49,15 @@ JS::ThrowCompletionOr<GC::Ref<JS::Object>> AudioConstructor::construct(FunctionO
     auto audio = TRY(Bindings::throw_dom_exception_if_needed(vm, [&]() { return DOM::create_element(document, HTML::TagNames::audio, Namespace::HTML); }));
 
     // 3. Set an attribute value for audio using "preload" and "auto".
-    MUST(audio->set_attribute(HTML::AttributeNames::preload, "auto"_string));
+    audio->set_attribute_value(HTML::AttributeNames::preload, "auto"_string);
 
     auto src_value = vm.argument(0);
 
     // 4. If src is given, then set an attribute value for audio using "src" and src.
     //    (This will cause the user agent to invoke the object's resource selection algorithm before returning.)
     if (!src_value.is_undefined()) {
         auto src = TRY(src_value.to_string(vm));
-        MUST(audio->set_attribute(HTML::AttributeNames::src, move(src)));
+        audio->set_attribute_value(HTML::AttributeNames::src, move(src));
     }
 
     // 5. Return audio.

Libraries/LibWeb/Bindings/ImageConstructor.cpp

@@ -53,13 +53,13 @@ JS::ThrowCompletionOr<GC::Ref<JS::Object>> ImageConstructor::construct(FunctionO
     // 3. If width is given, then set an attribute value for img using "width" and width.
     if (vm.argument_count() > 0) {
         u32 width = TRY(vm.argument(0).to_u32(vm));
-        MUST(image_element->set_attribute(HTML::AttributeNames::width, MUST(String::formatted("{}", width))));
+        image_element->set_attribute_value(HTML::AttributeNames::width, MUST(String::formatted("{}", width)));
     }
 
     // 4. If height is given, then set an attribute value for img using "height" and height.
     if (vm.argument_count() > 1) {
         u32 height = TRY(vm.argument(1).to_u32(vm));
-        MUST(image_element->set_attribute(HTML::AttributeNames::height, MUST(String::formatted("{}", height))));
+        image_element->set_attribute_value(HTML::AttributeNames::height, MUST(String::formatted("{}", height)));
     }
 
     // 5. Return img.

Libraries/LibWeb/Bindings/OptionConstructor.cpp

@@ -69,14 +69,14 @@ JS::ThrowCompletionOr<GC::Ref<JS::Object>> OptionConstructor::construct(Function
     // 4. If value is given, then set an attribute value for option using "value" and value.
     if (!vm.argument(1).is_undefined()) {
         auto value = TRY(vm.argument(1).to_string(vm));
-        MUST(option_element->set_attribute(HTML::AttributeNames::value, value));
+        option_element->set_attribute_value(HTML::AttributeNames::value, value);
     }
 
     // 5. If defaultSelected is true, then set an attribute value for option using "selected" and the empty string.
     if (vm.argument_count() > 2) {
         auto default_selected = vm.argument(2).to_boolean();
         if (default_selected) {
-            MUST(option_element->set_attribute(HTML::AttributeNames::selected, String {}));
+            option_element->set_attribute_value(HTML::AttributeNames::selected, String {});
         }
     }
 

Libraries/LibWeb/CSS/CSSStyleDeclaration.cpp

@@ -48,7 +48,7 @@ void CSSStyleDeclaration::update_style_attribute()
     set_is_updating(true);
 
     // 5. Set an attribute value for owner node using "style" and the result of serializing declaration block.
-    MUST(owner_node()->element().set_attribute(HTML::AttributeNames::style, serialized()));
+    owner_node()->element().set_attribute_value(HTML::AttributeNames::style, serialized());
 
     // 6. Unset declaration block’s updating flag.
     set_is_updating(false);

Libraries/LibWeb/DOM/DOMTokenList.cpp

@@ -258,7 +258,7 @@ void DOMTokenList::set_value(String const& value)
     if (!associated_element)
         return;
 
-    MUST(associated_element->set_attribute(m_associated_attribute, value));
+    associated_element->set_attribute_value(m_associated_attribute, value);
 }
 
 WebIDL::ExceptionOr<void> DOMTokenList::validate_token(StringView token) const
@@ -294,7 +294,7 @@ void DOMTokenList::run_update_steps()
         return;
 
     // 2. Set an attribute value for the associated element using associated attribute’s local name and the result of running the ordered set serializer for token set.
-    MUST(associated_element->set_attribute(m_associated_attribute, serialize_ordered_set()));
+    associated_element->set_attribute_value(m_associated_attribute, serialize_ordered_set());
 }
 
 Optional<JS::Value> DOMTokenList::item_value(size_t index) const

Libraries/LibWeb/DOM/Document.cpp

@@ -3189,7 +3189,7 @@ String Document::fg_color() const
 void Document::set_fg_color(String const& value)
 {
     if (auto* body_element = body(); body_element && !is<HTML::HTMLFrameSetElement>(*body_element))
-        MUST(body_element->set_attribute(HTML::AttributeNames::text, value));
+        body_element->set_attribute_value(HTML::AttributeNames::text, value);
 }
 
 String Document::link_color() const
@@ -3202,7 +3202,7 @@ String Document::link_color() const
 void Document::set_link_color(String const& value)
 {
     if (auto* body_element = body(); body_element && !is<HTML::HTMLFrameSetElement>(*body_element))
-        MUST(body_element->set_attribute(HTML::AttributeNames::link, value));
+        body_element->set_attribute_value(HTML::AttributeNames::link, value);
 }
 
 String Document::vlink_color() const
@@ -3215,7 +3215,7 @@ String Document::vlink_color() const
 void Document::set_vlink_color(String const& value)
 {
     if (auto* body_element = body(); body_element && !is<HTML::HTMLFrameSetElement>(*body_element))
-        MUST(body_element->set_attribute(HTML::AttributeNames::vlink, value));
+        body_element->set_attribute_value(HTML::AttributeNames::vlink, value);
 }
 
 String Document::alink_color() const
@@ -3228,7 +3228,7 @@ String Document::alink_color() const
 void Document::set_alink_color(String const& value)
 {
     if (auto* body_element = body(); body_element && !is<HTML::HTMLFrameSetElement>(*body_element))
-        MUST(body_element->set_attribute(HTML::AttributeNames::alink, value));
+        body_element->set_attribute_value(HTML::AttributeNames::alink, value);
 }
 
 String Document::bg_color() const
@@ -3241,7 +3241,7 @@ String Document::bg_color() const
 void Document::set_bg_color(String const& value)
 {
     if (auto* body_element = body(); body_element && !is<HTML::HTMLFrameSetElement>(*body_element))
-        MUST(body_element->set_attribute(HTML::AttributeNames::bgcolor, value));
+        body_element->set_attribute_value(HTML::AttributeNames::bgcolor, value);
 }
 
 String Document::dump_dom_tree_as_json() const

Libraries/LibWeb/DOM/DocumentLoading.cpp

@@ -296,7 +296,7 @@ static WebIDL::ExceptionOr<GC::Ref<DOM::Document>> load_media_document(HTML::Nav
     };
 
     auto style_element = TRY(DOM::create_element(document, HTML::TagNames::style, Namespace::HTML));
-    MUST(style_element->set_text_content(R"~~~(
+    style_element->string_replace_all(R"~~~(
         :root {
             background-color: #222;
         }
@@ -310,29 +310,29 @@ static WebIDL::ExceptionOr<GC::Ref<DOM::Document>> load_media_document(HTML::Nav
         img {
             background-color: #fff;
         }
-    )~~~"_utf16));
+    )~~~"_utf16);
     TRY(document->head()->append_child(style_element));
 
     auto url_string = document->url_string();
     if (type.is_image()) {
         auto img_element = TRY(DOM::create_element(document, HTML::TagNames::img, Namespace::HTML));
-        TRY(img_element->set_attribute(HTML::AttributeNames::src, url_string));
+        img_element->set_attribute_value(HTML::AttributeNames::src, url_string);
         TRY(document->body()->append_child(img_element));
         TRY(insert_title(document, url_string));
 
     } else if (type.type() == "video"sv) {
         auto video_element = TRY(DOM::create_element(document, HTML::TagNames::video, Namespace::HTML));
-        TRY(video_element->set_attribute(HTML::AttributeNames::src, url_string));
-        TRY(video_element->set_attribute(HTML::AttributeNames::autoplay, String {}));
-        TRY(video_element->set_attribute(HTML::AttributeNames::controls, String {}));
+        video_element->set_attribute_value(HTML::AttributeNames::src, url_string);
+        video_element->set_attribute_value(HTML::AttributeNames::autoplay, String {});
+        video_element->set_attribute_value(HTML::AttributeNames::controls, String {});
         TRY(document->body()->append_child(video_element));
         TRY(insert_title(document, url_string));
 
     } else if (type.type() == "audio"sv) {
         auto audio_element = TRY(DOM::create_element(document, HTML::TagNames::audio, Namespace::HTML));
-        TRY(audio_element->set_attribute(HTML::AttributeNames::src, url_string));
-        TRY(audio_element->set_attribute(HTML::AttributeNames::autoplay, String {}));
-        TRY(audio_element->set_attribute(HTML::AttributeNames::controls, String {}));
+        audio_element->set_attribute_value(HTML::AttributeNames::src, url_string);
+        audio_element->set_attribute_value(HTML::AttributeNames::autoplay, String {});
+        audio_element->set_attribute_value(HTML::AttributeNames::controls, String {});
         TRY(document->body()->append_child(audio_element));
         TRY(insert_title(document, url_string));
 

Libraries/LibWeb/DOM/Element.cpp

@@ -210,7 +210,7 @@ GC::Ptr<Attr> Element::get_attribute_node_ns(Optional<FlyString> const& namespac
 
 // FIXME: Trusted Types integration with DOM is still under review https://github.com/whatwg/dom/pull/1268
 // https://whatpr.org/dom/1268.html#dom-element-setattribute
-WebIDL::ExceptionOr<void> Element::set_attribute(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value)
+WebIDL::ExceptionOr<void> Element::set_attribute_for_bindings(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value)
 {
     // 1. If qualifiedName is not a valid attribute local name, then throw an "InvalidCharacterError" DOMException.
     if (!is_valid_attribute_local_name(qualified_name))
@@ -245,9 +245,9 @@ WebIDL::ExceptionOr<void> Element::set_attribute(FlyString qualified_name, Varia
 
 // FIXME: Trusted Types integration with DOM is still under review https://github.com/whatwg/dom/pull/1268
 // https://whatpr.org/dom/1268.html#dom-element-setattribute
-WebIDL::ExceptionOr<void> Element::set_attribute(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, String> const& value)
+WebIDL::ExceptionOr<void> Element::set_attribute_for_bindings(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, String> const& value)
 {
-    return set_attribute(move(qualified_name),
+    return set_attribute_for_bindings(move(qualified_name),
         value.visit(
             [](auto const& trusted_type) -> Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> { return trusted_type; },
             [](String const& string) -> Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> { return Utf16String::from_utf8(string); }));
@@ -365,7 +365,7 @@ WebIDL::ExceptionOr<QualifiedName> validate_and_extract(JS::Realm& realm, Option
 
 // FIXME: Trusted Types integration with DOM is still under review https://github.com/whatwg/dom/pull/1268
 // https://whatpr.org/dom/1268.html#dom-element-setattributens
-WebIDL::ExceptionOr<void> Element::set_attribute_ns(Optional<FlyString> const& namespace_, FlyString const& qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value)
+WebIDL::ExceptionOr<void> Element::set_attribute_ns_for_bindings(Optional<FlyString> const& namespace_, FlyString const& qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value)
 {
     // 1. Let (namespace, prefix, localName) be the result of validating and extracting namespace and qualifiedName given "element".
     auto extracted_qualified_name = TRY(validate_and_extract(realm(), namespace_, qualified_name, ValidationContext::Element));
@@ -421,14 +421,14 @@ void Element::set_attribute_value(FlyString const& local_name, String const& val
 }
 
 // https://dom.spec.whatwg.org/#dom-element-setattributenode
-WebIDL::ExceptionOr<GC::Ptr<Attr>> Element::set_attribute_node(Attr& attr)
+WebIDL::ExceptionOr<GC::Ptr<Attr>> Element::set_attribute_node_for_bindings(Attr& attr)
 {
     // The setAttributeNode(attr) and setAttributeNodeNS(attr) methods steps are to return the result of setting an attribute given attr and this.
     return attributes()->set_attribute(attr);
 }
 
 // https://dom.spec.whatwg.org/#dom-element-setattributenodens
-WebIDL::ExceptionOr<GC::Ptr<Attr>> Element::set_attribute_node_ns(Attr& attr)
+WebIDL::ExceptionOr<GC::Ptr<Attr>> Element::set_attribute_node_ns_for_bindings(Attr& attr)
 {
     // The setAttributeNode(attr) and setAttributeNodeNS(attr) methods steps are to return the result of setting an attribute given attr and this.
     return attributes()->set_attribute(attr);
@@ -1746,7 +1746,7 @@ i32 Element::tab_index() const
 // https://html.spec.whatwg.org/multipage/interaction.html#dom-tabindex
 void Element::set_tab_index(i32 tab_index)
 {
-    MUST(set_attribute(HTML::AttributeNames::tabindex, String::number(tab_index)));
+    set_attribute_value(HTML::AttributeNames::tabindex, String::number(tab_index));
 }
 
 // https://drafts.csswg.org/cssom-view/#potentially-scrollable
@@ -2544,6 +2544,22 @@ ErrorOr<void> Element::scroll_into_view(Optional<Variant<bool, ScrollIntoViewOpt
     return {};
 }
 
+#define __ENUMERATE_ARIA_ATTRIBUTE(name, attribute)                  \
+    Optional<String> Element::name() const                           \
+    {                                                                \
+        return get_attribute(ARIA::AttributeNames::name);            \
+    }                                                                \
+                                                                     \
+    void Element::set_##name(Optional<String> const& value)          \
+    {                                                                \
+        if (value.has_value())                                       \
+            set_attribute_value(ARIA::AttributeNames::name, *value); \
+        else                                                         \
+            remove_attribute(ARIA::AttributeNames::name);            \
+    }
+ENUMERATE_ARIA_ATTRIBUTES
+#undef __ENUMERATE_ARIA_ATTRIBUTE
+
 void Element::invalidate_style_after_attribute_change(FlyString const& attribute_name, Optional<String> const& old_value, Optional<String> const& new_value)
 {
     Vector<CSS::InvalidationSet::Property, 1> changed_properties;

Libraries/LibWeb/DOM/Element.h

@@ -149,13 +149,13 @@ class WEB_API Element
 
     Optional<String> lang() const;
 
-    WebIDL::ExceptionOr<void> set_attribute(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, String> const& value);
-    WebIDL::ExceptionOr<void> set_attribute(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value);
+    WebIDL::ExceptionOr<void> set_attribute_for_bindings(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value);
+    WebIDL::ExceptionOr<void> set_attribute_for_bindings(FlyString qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, String> const& value);
 
-    WebIDL::ExceptionOr<void> set_attribute_ns(Optional<FlyString> const& namespace_, FlyString const& qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value);
+    WebIDL::ExceptionOr<void> set_attribute_ns_for_bindings(Optional<FlyString> const& namespace_, FlyString const& qualified_name, Variant<GC::Root<TrustedTypes::TrustedHTML>, GC::Root<TrustedTypes::TrustedScript>, GC::Root<TrustedTypes::TrustedScriptURL>, Utf16String> const& value);
     void set_attribute_value(FlyString const& local_name, String const& value, Optional<FlyString> const& prefix = {}, Optional<FlyString> const& namespace_ = {});
-    WebIDL::ExceptionOr<GC::Ptr<Attr>> set_attribute_node(Attr&);
-    WebIDL::ExceptionOr<GC::Ptr<Attr>> set_attribute_node_ns(Attr&);
+    WebIDL::ExceptionOr<GC::Ptr<Attr>> set_attribute_node_for_bindings(Attr&);
+    WebIDL::ExceptionOr<GC::Ptr<Attr>> set_attribute_node_ns_for_bindings(Attr&);
 
     void append_attribute(FlyString const& name, String const& value);
     void append_attribute(Attr&);
@@ -336,20 +336,9 @@ class WEB_API Element
     ErrorOr<void> scroll_into_view(Optional<Variant<bool, ScrollIntoViewOptions>> = {});
 
     // https://www.w3.org/TR/wai-aria-1.2/#ARIAMixin
-#define __ENUMERATE_ARIA_ATTRIBUTE(name, attribute)                              \
-    Optional<String> name() const override                                       \
-    {                                                                            \
-        return get_attribute(ARIA::AttributeNames::name);                        \
-    }                                                                            \
-                                                                                 \
-    WebIDL::ExceptionOr<void> set_##name(Optional<String> const& value) override \
-    {                                                                            \
-        if (value.has_value())                                                   \
-            TRY(set_attribute(ARIA::AttributeNames::name, *value));              \
-        else                                                                     \
-            remove_attribute(ARIA::AttributeNames::name);                        \
-        return {};                                                               \
-    }
+#define __ENUMERATE_ARIA_ATTRIBUTE(name, attribute) \
+    virtual Optional<String> name() const override; \
+    virtual void set_##name(Optional<String> const& value) override;
     ENUMERATE_ARIA_ATTRIBUTES
 #undef __ENUMERATE_ARIA_ATTRIBUTE