fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation (#159)

## Summary
- Adopts upstream rrweb
[#1770](rrweb-io/rrweb#1770) and
[#1802](rrweb-io/rrweb#1802)
- **#1770**: Wraps untainted prototype iframe creation in `try/finally`
so the iframe is always removed, even on early return (when
`contentWindow` is null) or exception. Previously these iframes would
leak into the DOM.
- **#1802**: Moves `querySelector`/`querySelectorAll` from
`testableAccessors` to `testableMethods` and switches helpers from
`getUntaintedAccessor` to `getUntaintedMethod`. These are methods, not
property accessors, so the accessor check
(`getOwnPropertyDescriptor(...).get`) always failed, causing a throwaway
iframe to be created every time just to get the untainted prototype.

## Why
Both fixes are in `packages/utils/src/index.ts` and affect the same
`getUntaintedPrototype` code path. #1770 prevents DOM pollution from
leaked iframes. #1802 avoids unnecessary iframe creation on every
querySelector/querySelectorAll call, which is a hot path during
recording.

## Test plan
- [ ] Verify no regressions in recording on pages with patched DOM
prototypes (Angular apps)
- [ ] Inspect DOM during recording to confirm no orphaned iframes from
untainted prototype detection

Author: fasyy612

packages/utils/src/index.ts

@@ -15,14 +15,14 @@ type BasePrototypeCache = {
 const testableAccessors = {
   Node: ['childNodes', 'parentNode', 'parentElement', 'textContent'] as const,
   ShadowRoot: ['host', 'styleSheets'] as const,
-  Element: ['shadowRoot', 'querySelector', 'querySelectorAll'] as const,
+  Element: ['shadowRoot'] as const,
   MutationObserver: [] as const,
 } as const;
 
 const testableMethods = {
   Node: ['contains', 'getRootNode'] as const,
   ShadowRoot: ['getSelection'],
-  Element: [],
+  Element: ['querySelector', 'querySelectorAll'],
   MutationObserver: ['constructor'],
 } as const;
 
@@ -102,23 +102,25 @@ export function getUntaintedPrototype<T extends keyof BasePrototypeCache>(
     return candidate.prototype as BasePrototypeCache[T];
   }
 
+  const iframeEl = document.createElement('iframe');
   try {
-    const iframeEl = document.createElement('iframe');
     document.body.appendChild(iframeEl);
     const win = iframeEl.contentWindow;
     if (!win) return candidate.prototype as BasePrototypeCache[T];
 
     // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any
     const untaintedObject = (win as any)[key]
       .prototype as BasePrototypeCache[T];
-    // cleanup
-    document.body.removeChild(iframeEl);
 
     if (!untaintedObject) return defaultPrototype;
 
     return (untaintedBasePrototype[key] = untaintedObject);
   } catch {
     return defaultPrototype;
+  } finally {
+    if (iframeEl.parentNode) {
+      document.body.removeChild(iframeEl);
+    }
   }
 }
 
@@ -225,14 +227,14 @@ export function shadowRoot(n: Node): ShadowRoot | null {
 }
 
 export function querySelector(n: Element, selectors: string): Element | null {
-  return getUntaintedAccessor('Element', n, 'querySelector')(selectors);
+  return getUntaintedMethod('Element', n, 'querySelector')(selectors);
 }
 
 export function querySelectorAll(
   n: Element,
   selectors: string,
 ): NodeListOf<Element> {
-  return getUntaintedAccessor('Element', n, 'querySelectorAll')(selectors);
+  return getUntaintedMethod('Element', n, 'querySelectorAll')(selectors);
 }
 
 export function mutationObserverCtor(): (typeof MutationObserver)['prototype']['constructor'] {