[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

dbates at webkit.org dbates at webkit.org
Thu Oct 29 20:36:34 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 59ac2d393f8baa555f944010da1cd2da2e13376d
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Sep 29 23:20:17 2009 +0000

    2009-09-29  Daniel Bates  <dbates at webkit.org>
    
            Reviewed by Adam Barth.
    
            https://bugs.webkit.org/show_bug.cgi?id=29837
    
            More tests for the XSSAuditor.
    
            * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt: Added.
            * http/tests/security/xssAuditor/embed-tag-javascript-url.html: Added.
            * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt: Added.
            * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url.html: Added.
            * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt: Added.
            * http/tests/security/xssAuditor/object-tag-javascript-url.html: Added.
            * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt: Added.
            * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt: Added.
            * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html: Added.
            * http/tests/security/xssAuditor/property-escape-noquotes.html: Added.
            * http/tests/security/xssAuditor/property-inject-expected.txt: Added.
            * http/tests/security/xssAuditor/property-inject.html: Added.
            * http/tests/security/xssAuditor/resources/echo-head.pl: Added.
            * http/tests/security/xssAuditor/resources/echo-inner-tag.pl: Added.
            * http/tests/security/xssAuditor/resources/echo-property-noquotes.pl: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48911 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 1a57a45..64d6a67 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,27 @@
+2009-09-29  Daniel Bates  <dbates at webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29837
+        
+        More tests for the XSSAuditor.
+
+        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt: Added.
+        * http/tests/security/xssAuditor/embed-tag-javascript-url.html: Added.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt: Added.
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url.html: Added.
+        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt: Added.
+        * http/tests/security/xssAuditor/object-tag-javascript-url.html: Added.
+        * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html: Added.
+        * http/tests/security/xssAuditor/property-escape-noquotes.html: Added.
+        * http/tests/security/xssAuditor/property-inject-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-inject.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-head.pl: Added.
+        * http/tests/security/xssAuditor/resources/echo-inner-tag.pl: Added.
+        * http/tests/security/xssAuditor/resources/echo-property-noquotes.pl: Added.
+
 2009-09-29  Enrica Casucci  <enrica at apple.com>
 
         Reviewed by Adele Peterson.
diff --git a/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt b/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
new file mode 100644
index 0000000..fd2ef77
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url.html b/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url.html
new file mode 100644
index 0000000..1cac1c5
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<embed src='javascript:alert(document.domain)'></embed>">
+</iframe>
+</body>
+</html>
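Review bot: The iframe `src` that targets `echo-intertag.pl?q=` carries raw `<`, `>`, spaces and single quotes in the query string, while meta-tag-http-refresh-javascript-url.html in this same commit percent-encodes its payload. With the raw form, the bytes the server receives (and so the request string the auditor compares against the response) depend on how the URL parser canonicalises the attribute, rather than being written down in the test. I would either encode it the same way, `?q=%3Cembed+src%3D%27javascript%3Aalert%28document.domain%29%27%3E%3C%2Fembed%3E`, or add a comment above the iframe saying the unencoded form is deliberate. object-tag-javascript-url.html has the same pattern. `echo-intertag.pl` is not among the files added here, so it presumably already exists in the resources directory.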
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url.html b/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url.html
new file mode 100644
index 0000000..5247dfd
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+  layoutTestController.waitUntilDone();
+  window.setTimeout(done, 2000);
+}
+
+function done()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E">
+</iframe>
+</body>
+</html>
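Review bot: The fixed `window.setTimeout(done, 2000)` makes the outcome depend on timing. The test ends after two seconds whether or not the injected refresh has been processed, so on a loaded machine a refresh that would have run later goes unobserved and the test still reports whatever was logged so far. It also adds two seconds to every run. At minimum a comment next to the timeout should state what is being waited for, e.g. `// Give the zero-delay meta refresh in the iframe time to be scheduled and blocked.`, and tying `done` to the iframe's load event would be more robust if the harness allows it. The expected output is a copy of anchor-url-dom-write-location-expected.txt, whose content is not shown in this diff, so what a pass looks like cannot be confirmed from here.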
diff --git a/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt b/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
new file mode 100644
index 0000000..fd2ef77
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url.html b/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url.html
new file mode 100644
index 0000000..399566a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<object data='javascript:alert(document.domain)'></object>">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html
new file mode 100644
index 0000000..8c36899
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=dummy%09/onload=alert(/XSS/)&dummy=dummy">
+</iframe>
+</body>
+</html>
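Review bot: Nothing in the file says what the `%09/` between `dummy` and `onload`, or the trailing `&dummy=dummy` parameter, is for, and both look essential to what this case exercises. A comment above the iframe would help, for example `<!-- A tab and a slash stand in for the space that normally separates attributes; the auditor must still match the injected onload handler. -->`; that reading is inferred from the payload and should be confirmed by the author, along with the purpose of the extra parameter. property-escape-noquotes.html and property-inject.html would benefit from a one-line description of their payload as well.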
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html
new file mode 100644
index 0000000..ec2a702
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=1%20onload=alert(/XSS/)">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-inject.html b/LayoutTests/http/tests/security/xssAuditor/property-inject.html
new file mode 100644
index 0000000..2955d9b
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/property-inject.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-inner-tag.pl?q=onload=alert(/XSS/)">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-head.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head.pl
new file mode 100755
index 0000000..65319db
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<head>\n";
+print $cgi->param('q');
+print "</head>\n";
+print "<body>\n";
+print "</body>\n";
+print "</html>\n";
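Review bot: `print $cgi->param('q');` calls `param` in list context, so a request with several `q` values has every one of them written into the page, and later CGI.pm releases warn about this call shape. Taking the value in scalar context makes the intent explicit without adding an uninitialized-value warning under `-w`: `my $q = $cgi->param('q'); print defined $q ? $q : '';`. `my $cgi = new CGI;` uses indirect object syntax, and `CGI->new` is the unambiguous form. The script reflects the parameter unescaped on purpose, as the target for the auditor tests, but the file does not say so; a header comment such as `# Test fixture: echoes q unescaped into <head>; serve only from the layout-test HTTP server.` would keep it from being reused as a real CGI. echo-inner-tag.pl and echo-property-noquotes.pl have the same three points.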
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-inner-tag.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-inner-tag.pl
new file mode 100755
index 0000000..da1fc9a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-inner-tag.pl
@@ -0,0 +1,15 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body ";
+print $cgi->param('q');
+print ">\n";
+print "</body>\n";
+print "</html>\n";
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-property-noquotes.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-property-noquotes.pl
new file mode 100755
index 0000000..bdaf540
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-property-noquotes.pl
@@ -0,0 +1,15 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body foo=";
+print $cgi->param('q');
+print ">\n";
+print "</body>\n";
+print "</html>\n";

-- 
WebKit Debian packaging


