`String.tainted()` overrides prior taint values

[leeN]

If we manually mark a String as tainted, e.g., by calling String.tainted(location.href, "manual"); it overrides the existing taint.

However, in some cases, it would be desirable to add an additional source operation to the taint flow instead of throwing the taint away.

[tmbrbr]

You should be able to use str->taint().overlay(0, str->length(), op); to do this.

I just checked the source code here, which uses the overlay: https://github.com/SAP/project-foxhound/blob/7af586a5bcdcab91711e19a371cb038017adb5c6/js/src/jsapi.cpp#L4911C1-L4919C2

JS_PUBLIC_API void
JS_MarkTaintSource(JSContext* cx, JSString* str, const TaintOperation& op)
{
  if (str->isTainted()) {
    JS_SetStringTaint(cx, str, StringTaint(0, str->length(), op));
  } else {
    str->taint().overlay(0, str->length(), op);
  }
}

Although looking at it, I think the if should be negated, so that if the string is already tainted we do this overlay...

[leeN]

Thanks, I'll refactor the manual source part to use the fixed MarkTaintsource :)