Taint propagation for StringBuffer conversion

[leeN]

No description provided.

[tmbrbr]

I'm not sure that this is the right approach, as we overwrite the taint of the underlying StringBuffer (which may have different taint to the String on top). My preference would be to make sure that taint info is propagated after GetStringBuffer is called.

In other words reimplement the logic here (from the v128.0 tag):

project-foxhound/js/xpconnect/src/XPCString.cpp

Lines 111 to 123 in e0033ca

	if (StringBuffer* buf = readable.GetStringBuffer()) {
	bool shared;
	if (!UCStringBufferToJSVal(cx, buf, length, vp, &shared)) {
	return false;
	}
	if (shared) {
	*sharedBuffer = buf;
	}
	if (readable.isTainted()) {
	JS_SetTaint(cx, vp, readable.Taint());
	}
	return true;
	}

This got lost during the merge unfortunately. What do you think?

[leeN]

Hmmm, I see. So, effectively patch up all call sites of GetStringBuffer()? I can give that a try during some meetings today, sure.

[tmbrbr]

Hmmm, I see. So, effectively patch up all call sites of GetStringBuffer()? I can give that a try during some meetings today, sure.

Exactly, that would be my preference. Would be great if you can look into it!

[leeN]

I assume you meant like this? :)

[leeN]

So, sorry, I understood your concern now and have resolved it. Please squash these commits when merging :)

[tmbrbr]

Looks good! Thanks for the changes!