From 0ea50d44bfd5c635ddcdffbb5be6519bcc00e42e Mon Sep 17 00:00:00 2001
From: Luke
Date: Mon, 5 Jul 2021 03:59:47 +0100
Subject: LibWeb: Check if scripting is disabled before running script

This is not a full check, it's just enough to prevent script execution in DOMParser.
---
Userland/Libraries/LibWeb/DOM/Node.cpp | 7 +++++++
Userland/Libraries/LibWeb/DOM/Node.h | 2 ++
Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp | 5 ++++-
3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWeb/DOM/Node.cpp b/Userland/Libraries/LibWeb/DOM/Node.cpp
index 099fe11e66..8ec7179a40 100644
--- a/Userland/Libraries/LibWeb/DOM/Node.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Node.cpp
@@ -637,4 +637,11 @@ void Node::serialize_tree_as_json(JsonObjectSerializer& object) c
 }
 }
+// https://html.spec.whatwg.org/multipage/webappapis.html#concept-n-noscript
+bool Node::is_scripting_disabled() const
+{
+ // FIXME: or when scripting is disabled for its relevant settings object.
+ return !document().browsing_context();
+}
+
 }
diff --git a/Userland/Libraries/LibWeb/DOM/Node.h b/Userland/Libraries/LibWeb/DOM/Node.h
index 06c1e59b1c..63d9b122b6 100644
--- a/Userland/Libraries/LibWeb/DOM/Node.h
+++ b/Userland/Libraries/LibWeb/DOM/Node.h
@@ -163,6 +163,8 @@ public:
 bool is_host_including_inclusive_ancestor_of(const Node&) const;
+ bool is_scripting_disabled() const;
+
 // Used for dumping the DOM Tree
 void serialize_tree_as_json(JsonObjectSerializer&) const;
diff --git a/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp b/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
index 4d79f0a8b2..78d2ede8ce 100644
--- a/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
+++ b/Userland/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
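Review bot: `Node::is_scripting_disabled()` fails open: it returns false (scripting treated as enabled) for every node whose document has a browsing context, and the settings-object half of the definition named in the FIXME is never consulted. The name reads like a complete check, so a later caller could mistake it for a full security gate and skip its own check. I would state the limit at the definition and at the declaration added in Node.h, for example `// NOTE: Only detects documents without a browsing context; returns false whenever one exists, even if scripting is disabled there.`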
@@ -153,7 +153,10 @@ void HTMLScriptElement::prepare_script()
 return;
 }
- // FIXME: Check if scripting is disabled, if so return
+ if (is_scripting_disabled()) {
+ dbgln("HTMLScriptElement: Refusing to run script because scripting is disabled.");
+ return;
+ }
 if (m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::nomodule)) {
 dbgln("HTMLScriptElement: Refusing to run classic script because it has the nomodule attribute.");
-- cgit v1.2.3
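Review bot: The new guard in `prepare_script()` closes only this one entry point, and no test pins the behaviour it is there to guarantee. Whether any other script-running path consults `is_scripting_disabled()` cannot be seen from this hunk, and the commit message says the check is only meant to cover DOMParser. Since this `return` is what keeps markup parsed through DOMParser from executing, I would add a regression test that parses a document containing a `<script>` element via DOMParser and asserts the script did not run. The `dbgln` also prints once per script element in every such document, so consider making it a conditional debug log. `prepare_script()` starts and ends outside the hunk, so the position of this step relative to the earlier checks cannot be verified here.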