[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

enrica at apple.com enrica at apple.com
Thu Apr 8 01:13:56 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit a0a063124fc20d2000b37fc83f9df25f70587b05
Author: enrica at apple.com <enrica at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 19 01:07:49 2010 +0000

    Script attributes are copied and pasted, making cross-domain attacks possible (30019)
    <rdar://problem/6008809>
    https://bugs.webkit.org/show_bug.cgi?id=30019
    
    Reviewed by Darin Adler.
    
    WebCore:
    
    When we create the document fragment from a markup string,
    either to perform a paste operation or a drag and drop, we
    want to remove all the event handlers and any attribute that contains
    a value that leads to code execution.
    The HTMLParser class is now aware of the need to strip these attributes.
    I've modified the call to createMarkupString for every platform.
    
    Test: editing/pasteboard/paste-noscript.html
    
    * WebCore.base.exp:
    * dom/Element.cpp:
    (WebCore::isEventHandlerAttribute):
    (WebCore::Element::setAttributeMap):
    * dom/Element.h:
    * dom/MappedAttributeEntry.h:
    (WebCore::):
    * editing/markup.cpp:
    (WebCore::createFragmentFromMarkup):
    * editing/markup.h:
    * html/HTMLElement.cpp:
    (WebCore::HTMLElement::createContextualFragment):
    * html/HTMLElement.h:
    * html/HTMLParser.cpp:
    (WebCore::HTMLParser::HTMLParser):
    (WebCore::HTMLParser::parseToken):
    * html/HTMLParser.h:
    * html/HTMLTokenizer.cpp:
    (WebCore::HTMLTokenizer::HTMLTokenizer):
    (WebCore::parseHTMLDocumentFragment):
    * html/HTMLTokenizer.h:
    * platform/chromium/DragDataChromium.cpp:
    (WebCore::DragData::asFragment):
    * platform/chromium/PasteboardChromium.cpp:
    (WebCore::Pasteboard::documentFragment):
    * platform/gtk/PasteboardGtk.cpp:
    (WebCore::Pasteboard::documentFragment):
    * platform/mac/PasteboardMac.mm:
    (WebCore::Pasteboard::documentFragment):
    * platform/qt/DragDataQt.cpp:
    (WebCore::DragData::asFragment):
    * platform/qt/PasteboardQt.cpp:
    (WebCore::Pasteboard::documentFragment):
    * platform/win/ClipboardUtilitiesWin.cpp:
    (WebCore::fragmentFromCF_HTML):
    (WebCore::fragmentFromHTML):
    
    WebKit/mac:
    
    * WebView/WebFrame.mm:
    (-[WebFrame _documentFragmentWithMarkupString:baseURLString:]): Modified the call to createMarkupString.
    
    LayoutTests:
    
    * editing/pasteboard/paste-noscript-expected.txt: Added.
    * editing/pasteboard/paste-noscript.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53442 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index be26389..482d7fb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-01-18  Enrica Casucci  <enrica at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Script attributes are copied and pasted, making cross-domain attacks possible (30019)
+        <rdar://problem/6008809>
+        https://bugs.webkit.org/show_bug.cgi?id=30019
+
+        * editing/pasteboard/paste-noscript-expected.txt: Added.
+        * editing/pasteboard/paste-noscript.html: Added.
+
 2010-01-18  Alexey Proskuryakov  <ap at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/editing/pasteboard/paste-noscript-expected.txt b/LayoutTests/editing/pasteboard/paste-noscript-expected.txt
new file mode 100644
index 0000000..ea488c0
--- /dev/null
+++ b/LayoutTests/editing/pasteboard/paste-noscript-expected.txt
@@ -0,0 +1,20 @@
+CONSOLE MESSAGE: line 1: ReferenceError: Can't find variable: sayHello
+This test copies all the elements containing event handlers and javascript urls, pastes them in an editable area and verifies that no script, handlers or javascript urls are copied.
+Hello 
+CNN Hello 
+This is a form
+
+Hello 
+CNN Hello 
+This is a form
+
+<button id="button1" onclick="sayHello()" ondblclick="sayHello()" style="width: 100px;">Hello</button>
+<button id="button1" style="width: 100px; ">Hello</button>
+<a id="anchor1" href="http://www.cnn.com">CNN</a>
+<a id="anchor1" href="http://www.cnn.com">CNN</a>
+<a id="anchor2" href="javascript:sayHello()">Hello</a>
+<a id="anchor2" href="">Hello</a>
+<iframe id="iframe1" src="javascript:sayHello()" style="width: 200px; height: 100px; background-color:#cee;"></iframe>
+<iframe id="iframe1" src="" style="width: 200px; height: 100px; background-color: rgb(204, 238, 238); "></iframe>
+<form id="form1" action="javascript:sayHello()" style="width: 200px; height: 150px; background-color:#cee;">This is a form<br><img src="../resources/abe.png"></form>
+<form id="form1" action="" style="width: 200px; height: 150px; background-color: rgb(204, 238, 238); ">This is a form<br><img src="../resources/abe.png"></form>
diff --git a/LayoutTests/editing/pasteboard/paste-noscript.html b/LayoutTests/editing/pasteboard/paste-noscript.html
new file mode 100644
index 0000000..7082c96
--- /dev/null
+++ b/LayoutTests/editing/pasteboard/paste-noscript.html
@@ -0,0 +1,55 @@
+<script>
+function sayHello()
+{
+    alert("Hello");
+}
+if (window.layoutTestController)
+     layoutTestController.dumpAsText();
+</script>
+<div id="description">
+This test copies all the elements containing event handlers and javascript urls, pastes them
+in an editable area and verifies that no script, handlers or javascript urls are copied.
+</div>
+<div id="test" >
+<button id="button1" onclick="sayHello()" ondblclick="sayHello()" style="width: 100px;">Hello</button>
+<br>
+<a id="anchor1" href="http://www.cnn.com">CNN</a>
+<a id="anchor2" href="javascript:sayHello()">Hello</a>
+<iframe id="iframe1" src="javascript:sayHello()" style="width: 200px; height: 100px; background-color:#cee;"></iframe>
+<form id="form1" action="javascript:sayHello()" style="width: 200px; height: 150px; background-color:#cee;">This is a form<br><img src="../resources/abe.png"></img></form>
+</div>
+<div id="pastehere" contenteditable="true">
+</div>
+<ul id="console"></ul>
+<script>
+var s = window.getSelection();
+var p1 = document.getElementById("test");
+s.setPosition(p1, 0);
+s.setBaseAndExtent(p1, 0, p1, 12);
+document.execCommand("Copy");
+p1 = document.getElementById("pastehere");
+s.setPosition(p1, 0);
+document.execCommand("Paste");
+
+log(document.getElementById("button1").outerHTML);
+log(document.getElementById("pastehere").childNodes(0).outerHTML);
+
+log(document.getElementById("anchor1").outerHTML);
+log(document.getElementById("pastehere").childNodes(3).outerHTML);
+
+log(document.getElementById("anchor2").outerHTML);
+log(document.getElementById("pastehere").childNodes(5).outerHTML);
+
+log(document.getElementById("iframe1").outerHTML);
+log(document.getElementById("pastehere").childNodes(7).outerHTML);
+
+log(document.getElementById("form1").outerHTML);
+log(document.getElementById("pastehere").childNodes(8).outerHTML);
+
+function log(str) {
+    var li = document.createElement("li");
+    li.appendChild(document.createTextNode(str));
+    var console = document.getElementById("console");
+    console.appendChild(li);
+}
+</script>
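Review bot: The pasted nodes are read back with `childNodes(0)`, `childNodes(3)` and so on, which calls the NodeList as a function; the standard form is `childNodes[0]`, and the hard-coded indices depend on which whitespace text nodes survive the copy, so a change in whitespace handling would break the test rather than the feature. Looking up the pasted elements by tag inside `pastehere` (for example `getElementsByTagName("a")[0]`) would make the expectations robust. The description says the test verifies that no script is copied, but the copied `#test` block contains no `<script>` element, so that claim is not exercised. The `</img>` on the form line is not a valid end tag and can be dropped.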
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 91864fa..6f1418c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,57 @@
+2010-01-18  Enrica Casucci  <enrica at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Script attributes are copied and pasted, making cross-domain attacks possible (30019)
+        <rdar://problem/6008809>
+        https://bugs.webkit.org/show_bug.cgi?id=30019
+
+        When we create the document fragment from a markup string,
+        either to perform a paste operation or a drag and drop, we
+        want to remove all the event handlers and any attribute that contain
+        a value that leads to code execution.
+        The HTMLParser class is now aware of the needs of stripping these attributes.
+        I've modified the call to createMarkupString for every platform.
+
+        Test: editing/pasteboard/paste-noscript.html
+
+        * WebCore.base.exp:
+        * dom/Element.cpp:
+        (WebCore::isEventHandlerAttribute):
+        (WebCore::Element::setAttributeMap):
+        * dom/Element.h:
+        * dom/MappedAttributeEntry.h:
+        (WebCore::):
+        * editing/markup.cpp:
+        (WebCore::createFragmentFromMarkup):
+        * editing/markup.h:
+        * html/HTMLElement.cpp:
+        (WebCore::HTMLElement::createContextualFragment):
+        * html/HTMLElement.h:
+        * html/HTMLParser.cpp:
+        (WebCore::HTMLParser::HTMLParser):
+        (WebCore::HTMLParser::parseToken):
+        * html/HTMLParser.h:
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::HTMLTokenizer):
+        (WebCore::parseHTMLDocumentFragment):
+        * html/HTMLTokenizer.h:
+        * platform/chromium/DragDataChromium.cpp:
+        (WebCore::DragData::asFragment):
+        * platform/chromium/PasteboardChromium.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/gtk/PasteboardGtk.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/qt/DragDataQt.cpp:
+        (WebCore::DragData::asFragment):
+        * platform/qt/PasteboardQt.cpp:
+        (WebCore::Pasteboard::documentFragment):
+        * platform/win/ClipboardUtilitiesWin.cpp:
+        (WebCore::fragmentFromCF_HTML):
+        (WebCore::fragmentFromHTML):
+
 2010-01-18  Steve Falkenburg  <sfalken at apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/WebCore/WebCore.base.exp b/WebCore/WebCore.base.exp
index 694e175..e16c5f9 100644
--- a/WebCore/WebCore.base.exp
+++ b/WebCore/WebCore.base.exp
@@ -441,7 +441,7 @@ __ZN7WebCore23ApplicationCacheStorage5emptyEv
 __ZN7WebCore23ReplaceSelectionCommandC1EPNS_8DocumentEN3WTF10PassRefPtrINS_16DocumentFragmentEEEbbbbbNS_10EditActionE
 __ZN7WebCore23createFragmentFromNodesEPNS_8DocumentERKN3WTF6VectorIPNS_4NodeELm0EEE
 __ZN7WebCore24BinaryPropertyListWriter17writePropertyListEv
-__ZN7WebCore24createFragmentFromMarkupEPNS_8DocumentERKNS_6StringES4_
+__ZN7WebCore24createFragmentFromMarkupEPNS_8DocumentERKNS_6StringES4_NS_27FragmentScriptingPermissionE
 __ZN7WebCore24decodeURLEscapeSequencesERKNS_6StringE
 __ZN7WebCore24notifyHistoryItemChangedE
 __ZN7WebCore24rangeCompliantEquivalentERKNS_8PositionE
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index ddc0e09..f115ff6 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -617,8 +617,18 @@ void Element::recalcStyleIfNeededAfterAttributeChanged(Attribute* attr)
     if (document()->attached() && document()->styleSelector()->hasSelectorForAttribute(attr->name().localName()))
         setNeedsStyleRecalc();
 }
-        
-void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list)
+
+// Returns true is the given attribute is an event handler.
+// We consider an event handler any attribute that begins with "on".
+// It is a simple solution that has the advantage of not requiring any
+// code or configuration change if a new event handler is defined.
+
+static bool isEventHandlerAttribute(const QualifiedName& name)
+{
+    return name.namespaceURI().isNull() && name.localName().startsWith("on");
+}
+    
+void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list, FragmentScriptingPermission scriptingPermission)
 {
     document()->incDOMTreeVersion();
 
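Review bot: The comment above `isEventHandlerAttribute` reads `Returns true is the given attribute`; it should read `Returns true if the given attribute is an event handler.` and sit directly above `static bool isEventHandlerAttribute` rather than separated from it by a blank line. The `startsWith("on")` match is case-sensitive, which appears to rely on the HTML parser having lowercased attribute names before they reach `setAttributeMap`; stating that assumption in the comment would help, since the helper reads as general-purpose. `setAttributeMap` continues past the end of the hunk.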
@@ -638,6 +648,21 @@ void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list)
 
     if (namedAttrMap) {
         namedAttrMap->m_element = this;
+        // If the element is created as result of a paste or drag-n-drop operation
+        // we want to remove all the script and event handlers.
+        if (scriptingPermission == FragmentScriptingNotAllowed) {
+            unsigned i = 0;
+            while (i < namedAttrMap->length()) {
+                const QualifiedName& attributeName = namedAttrMap->m_attributes[i]->name();
+                if (isEventHandlerAttribute(attributeName)) {
+                    namedAttrMap->m_attributes.remove(i);
+                    continue;
+                }
+                if ((attributeName == hrefAttr || attributeName == srcAttr || attributeName == actionAttr) && protocolIsJavaScript(deprecatedParseURL(namedAttrMap->m_attributes[i]->value())))
+                    namedAttrMap->m_attributes[i]->setValue(nullAtom);
+                i++;
+            }
+        }
         unsigned len = namedAttrMap->length();
         for (unsigned i = 0; i < len; i++)
             attributeChanged(namedAttrMap->m_attributes[i].get());
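Review bot: The javascript: URL check at `if ((attributeName == hrefAttr || attributeName == srcAttr || attributeName == actionAttr) && ...)` is keyed on three attribute names regardless of element type, so other URL-valued attributes an element may define (for instance `data` on `<object>`) are not inspected. `Element::isURLAttribute(Attribute*)` is the per-element URL-attribute list already consulted when fragment URLs are completed; `if (isURLAttribute(namedAttrMap->m_attributes[i].get()) && protocolIsJavaScript(deprecatedParseURL(namedAttrMap->m_attributes[i]->value())))` would cover those in one place and keep the two lists from drifting, if that list is still current. Separately, `setValue(nullAtom)` leaves an empty attribute behind (the expected output shows `href=""`) while event handlers are removed with `remove(i)`; removing the attribute would be more consistent unless the empty attribute is intended.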
diff --git a/WebCore/dom/Element.h b/WebCore/dom/Element.h
index 1fb2211..9670eb1 100644
--- a/WebCore/dom/Element.h
+++ b/WebCore/dom/Element.h
@@ -27,6 +27,7 @@
 
 #include "ContainerNode.h"
 #include "HTMLNames.h"
+#include "MappedAttributeEntry.h"
 #include "QualifiedName.h"
 #include "ScrollTypes.h"
 
@@ -186,7 +187,7 @@ public:
     virtual void attributeChanged(Attribute*, bool preserveDecls = false);
 
     // not part of the DOM
-    void setAttributeMap(PassRefPtr<NamedNodeMap>);
+    void setAttributeMap(PassRefPtr<NamedNodeMap>, FragmentScriptingPermission = FragmentScriptingAllowed);
     NamedNodeMap* attributeMap() const { return namedAttrMap.get(); }
 
     virtual void copyNonAttributeProperties(const Element* /*source*/) { }
diff --git a/WebCore/dom/MappedAttributeEntry.h b/WebCore/dom/MappedAttributeEntry.h
index 842e7a8..ce2464e 100644
--- a/WebCore/dom/MappedAttributeEntry.h
+++ b/WebCore/dom/MappedAttributeEntry.h
@@ -47,7 +47,9 @@ enum MappedAttributeEntry {
 // When adding new entries, make sure to keep eLastEntry at the end of the list.
     , eLastEntry
 };
-    
+
+enum FragmentScriptingPermission { FragmentScriptingAllowed, FragmentScriptingNotAllowed };
+
 }
 
 #endif
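Review bot: `FragmentScriptingPermission` has nothing to do with mapped attribute entries, yet declaring it here makes Element.h, markup.h, HTMLParser.h and HTMLTokenizer.h include `MappedAttributeEntry.h` only to see this enum. A small dedicated header (say `FragmentScriptingPermission.h`) would keep those includes honest and avoid the extra coupling. A one-line comment on the enum stating what `FragmentScriptingNotAllowed` causes during fragment parsing (event-handler attributes dropped, javascript: URLs in href/src/action cleared) would also help readers who only see the header.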
diff --git a/WebCore/editing/markup.cpp b/WebCore/editing/markup.cpp
index b555981..714909f 100644
--- a/WebCore/editing/markup.cpp
+++ b/WebCore/editing/markup.cpp
@@ -1050,13 +1050,13 @@ String createMarkup(const Range* range, Vector<Node*>* nodes, EAnnotateForInterc
     return joinMarkups(preMarkups, markups);
 }
 
-PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
+PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL, FragmentScriptingPermission scriptingPermission)
 {
     ASSERT(document->documentElement()->isHTMLElement());
     // FIXME: What if the document element is not an HTML element?
     HTMLElement *element = static_cast<HTMLElement*>(document->documentElement());
 
-    RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup);
+    RefPtr<DocumentFragment> fragment = element->createContextualFragment(markup, scriptingPermission);
 
     if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
         completeURLs(fragment.get(), baseURL);
diff --git a/WebCore/editing/markup.h b/WebCore/editing/markup.h
index 6b7333c..61dc3dc 100644
--- a/WebCore/editing/markup.h
+++ b/WebCore/editing/markup.h
@@ -27,6 +27,7 @@
 #define markup_h
 
 #include "HTMLInterchange.h"
+#include "MappedAttributeEntry.h"
 #include <wtf/Forward.h>
 #include <wtf/Vector.h>
 
@@ -41,7 +42,7 @@ namespace WebCore {
     enum EChildrenOnly { IncludeNode, ChildrenOnly };
 
     PassRefPtr<DocumentFragment> createFragmentFromText(Range* context, const String& text);
-    PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL);
+    PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission = FragmentScriptingAllowed);
     PassRefPtr<DocumentFragment> createFragmentFromNodes(Document*, const Vector<Node*>&);
 
     String createMarkup(const Range*,
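Review bot: The new parameter defaults to `FragmentScriptingAllowed`, so any caller of `createFragmentFromMarkup` this patch did not touch silently keeps scripting enabled; the ChangeLog says every platform was updated, but the default makes an omission invisible to the compiler. Since every call site in this patch passes `FragmentScriptingNotAllowed`, declaring it without a default, `PassRefPtr<DocumentFragment> createFragmentFromMarkup(Document*, const String& markup, const String& baseURL, FragmentScriptingPermission);`, would turn a missed paste or drag path into a build error rather than a regression. The same argument applies less strongly to `createContextualFragment` and `parseHTMLDocumentFragment`, which presumably also serve non-paste callers such as innerHTML.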
diff --git a/WebCore/html/HTMLElement.cpp b/WebCore/html/HTMLElement.cpp
index 431d72a..fa28c95 100644
--- a/WebCore/html/HTMLElement.cpp
+++ b/WebCore/html/HTMLElement.cpp
@@ -270,7 +270,7 @@ String HTMLElement::outerHTML() const
     return createMarkup(this);
 }
 
-PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html)
+PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String &html, FragmentScriptingPermission scriptingPermission)
 {
     // the following is in accordance with the definition as used by IE
     if (endTagRequirement() == TagStatusForbidden)
@@ -283,7 +283,7 @@ PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String
     RefPtr<DocumentFragment> fragment = DocumentFragment::create(document());
     
     if (document()->isHTMLDocument())
-         parseHTMLDocumentFragment(html, fragment.get());
+         parseHTMLDocumentFragment(html, fragment.get(), scriptingPermission);
     else {
         if (!parseXMLDocumentFragment(html, fragment.get(), this))
             // FIXME: We should propagate a syntax error exception out here.
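Review bot: Only the HTML branch forwards `scriptingPermission`; the `else` branch still calls `parseXMLDocumentFragment(html, fragment.get(), this)` unchanged, so a paste or drop into a document for which `isHTMLDocument()` is false keeps its event-handler attributes and javascript: URLs. Either `parseXMLDocumentFragment` needs the same parameter threaded through to its attribute setup, or the XML path should carry a FIXME next to the call saying it is out of scope. `createContextualFragment` continues past the end of the hunk.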
diff --git a/WebCore/html/HTMLElement.h b/WebCore/html/HTMLElement.h
index 8c82686..ccc9aa3 100644
--- a/WebCore/html/HTMLElement.h
+++ b/WebCore/html/HTMLElement.h
@@ -46,7 +46,7 @@ public:
 
     String innerHTML() const;
     String outerHTML() const;
-    PassRefPtr<DocumentFragment> createContextualFragment(const String&);
+    PassRefPtr<DocumentFragment> createContextualFragment(const String&, FragmentScriptingPermission = FragmentScriptingAllowed);
     void setInnerHTML(const String&, ExceptionCode&);
     void setOuterHTML(const String&, ExceptionCode&);
     void setInnerText(const String&, ExceptionCode&);
diff --git a/WebCore/html/HTMLParser.cpp b/WebCore/html/HTMLParser.cpp
index 06c65c4..f4ae6c2 100644
--- a/WebCore/html/HTMLParser.cpp
+++ b/WebCore/html/HTMLParser.cpp
@@ -138,11 +138,12 @@ HTMLParser::HTMLParser(HTMLDocument* doc, bool reportErrors)
     , m_reportErrors(reportErrors)
     , m_handlingResidualStyleAcrossBlocks(false)
     , m_inStrayTableContent(0)
+    , m_scriptingPermission(FragmentScriptingAllowed)
     , m_parserQuirks(m_document->page() ? m_document->page()->chrome()->client()->createHTMLParserQuirks() : 0)
 {
 }
 
-HTMLParser::HTMLParser(DocumentFragment* frag)
+HTMLParser::HTMLParser(DocumentFragment* frag, FragmentScriptingPermission scriptingPermission)
     : m_document(frag->document())
     , m_current(frag)
     , m_didRefCurrent(true)
@@ -156,6 +157,7 @@ HTMLParser::HTMLParser(DocumentFragment* frag)
     , m_reportErrors(false)
     , m_handlingResidualStyleAcrossBlocks(false)
     , m_inStrayTableContent(0)
+    , m_scriptingPermission(scriptingPermission)
     , m_parserQuirks(m_document->page() ? m_document->page()->chrome()->client()->createHTMLParserQuirks() : 0)
 {
     if (frag)
@@ -275,7 +277,7 @@ PassRefPtr<Node> HTMLParser::parseToken(Token* t)
     // set attributes
     if (n->isHTMLElement()) {
         HTMLElement* e = static_cast<HTMLElement*>(n.get());
-        e->setAttributeMap(t->attrs.get());
+        e->setAttributeMap(t->attrs.get(), m_scriptingPermission);
 
         // take care of optional close tags
         if (e->endTagRequirement() == TagStatusOptional)
diff --git a/WebCore/html/HTMLParser.h b/WebCore/html/HTMLParser.h
index e667248..acb6a6f 100644
--- a/WebCore/html/HTMLParser.h
+++ b/WebCore/html/HTMLParser.h
@@ -29,6 +29,7 @@
 #include <wtf/OwnPtr.h>
 #include <wtf/RefPtr.h>
 #include "HTMLParserErrorCodes.h"
+#include "MappedAttributeEntry.h"
 
 namespace WebCore {
 
@@ -52,7 +53,7 @@ struct Token;
 class HTMLParser : public Noncopyable {
 public:
     HTMLParser(HTMLDocument*, bool reportErrors);
-    HTMLParser(DocumentFragment*);
+    HTMLParser(DocumentFragment*, FragmentScriptingPermission = FragmentScriptingAllowed);
     virtual ~HTMLParser();
 
     /**
@@ -188,6 +189,7 @@ private:
     bool m_reportErrors;
     bool m_handlingResidualStyleAcrossBlocks;
     int m_inStrayTableContent;
+    FragmentScriptingPermission m_scriptingPermission;
 
     OwnPtr<HTMLParserQuirks> m_parserQuirks;
 };
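Review bot: `m_scriptingPermission` is added without a comment, so a reader of the header cannot tell that this member is what makes `parseToken` strip attributes. Suggest `// When FragmentScriptingNotAllowed, parseToken hands this to setAttributeMap so event-handler and javascript: URL attributes are dropped (paste and drag-and-drop fragments).` The private section continues outside the hunk.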
diff --git a/WebCore/html/HTMLTokenizer.cpp b/WebCore/html/HTMLTokenizer.cpp
index f05b318..0aa3a35 100644
--- a/WebCore/html/HTMLTokenizer.cpp
+++ b/WebCore/html/HTMLTokenizer.cpp
@@ -196,7 +196,7 @@ HTMLTokenizer::HTMLTokenizer(HTMLViewSourceDocument* doc)
     begin();
 }
 
-HTMLTokenizer::HTMLTokenizer(DocumentFragment* frag)
+HTMLTokenizer::HTMLTokenizer(DocumentFragment* frag, FragmentScriptingPermission scriptingPermission)
     : m_buffer(0)
     , m_scriptCode(0)
     , m_scriptCodeSize(0)
@@ -208,7 +208,7 @@ HTMLTokenizer::HTMLTokenizer(DocumentFragment* frag)
     , m_timer(this, &HTMLTokenizer::timerFired)
     , m_externalScriptsTimer(this, &HTMLTokenizer::executeExternalScriptsTimerFired)
     , m_doc(frag->document())
-    , m_parser(new HTMLParser(frag))
+    , m_parser(new HTMLParser(frag, scriptingPermission))
     , m_inWrite(false)
     , m_fragment(true)
 {
@@ -2131,9 +2131,9 @@ void HTMLTokenizer::setSrc(const SegmentedString& source)
     m_src = source;
 }
 
-void parseHTMLDocumentFragment(const String& source, DocumentFragment* fragment)
+void parseHTMLDocumentFragment(const String& source, DocumentFragment* fragment, FragmentScriptingPermission scriptingPermission)
 {
-    HTMLTokenizer tok(fragment);
+    HTMLTokenizer tok(fragment, scriptingPermission);
     tok.setForceSynchronous(true);
     tok.write(source, true);
     tok.finish();
diff --git a/WebCore/html/HTMLTokenizer.h b/WebCore/html/HTMLTokenizer.h
index 2516eda..863095a 100644
--- a/WebCore/html/HTMLTokenizer.h
+++ b/WebCore/html/HTMLTokenizer.h
@@ -27,6 +27,7 @@
 #include "CachedResourceClient.h"
 #include "CachedResourceHandle.h"
 #include "NamedMappedAttrMap.h"
+#include "MappedAttributeEntry.h"
 #include "SegmentedString.h"
 #include "Timer.h"
 #include "Tokenizer.h"
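Review bot: The new `#include "MappedAttributeEntry.h"` is placed after `"NamedMappedAttrMap.h"`, breaking the alphabetical order of the surrounding includes; it belongs before `NamedMappedAttrMap.h`. The include itself is needed because the enum is used as a default argument on the constructor and on `parseHTMLDocumentFragment`, so only its position is off.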
@@ -135,7 +136,7 @@ class HTMLTokenizer : public Tokenizer, public CachedResourceClient {
 public:
     HTMLTokenizer(HTMLDocument*, bool reportErrors);
     HTMLTokenizer(HTMLViewSourceDocument*);
-    HTMLTokenizer(DocumentFragment*);
+    HTMLTokenizer(DocumentFragment*, FragmentScriptingPermission = FragmentScriptingAllowed);
     virtual ~HTMLTokenizer();
 
     virtual void write(const SegmentedString&, bool appendData);
@@ -424,7 +425,7 @@ private:
     OwnPtr<PreloadScanner> m_preloadScanner;
 };
 
-void parseHTMLDocumentFragment(const String&, DocumentFragment*);
+void parseHTMLDocumentFragment(const String&, DocumentFragment*, FragmentScriptingPermission = FragmentScriptingAllowed);
 
 UChar decodeNamedEntity(const char*);
 
diff --git a/WebCore/platform/chromium/DragDataChromium.cpp b/WebCore/platform/chromium/DragDataChromium.cpp
index 133ba24..9b67fc0 100644
--- a/WebCore/platform/chromium/DragDataChromium.cpp
+++ b/WebCore/platform/chromium/DragDataChromium.cpp
@@ -147,7 +147,7 @@ PassRefPtr<DocumentFragment> DragData::asFragment(Document* doc) const
 
     if (!m_platformDragData->textHtml.isEmpty()) {
         RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(doc,
-            m_platformDragData->textHtml, m_platformDragData->htmlBaseUrl);
+            m_platformDragData->textHtml, m_platformDragData->htmlBaseUrl, FragmentScriptingNotAllowed);
         return fragment.release();
     }
 
diff --git a/WebCore/platform/chromium/PasteboardChromium.cpp b/WebCore/platform/chromium/PasteboardChromium.cpp
index 9213718..3b3aea6 100644
--- a/WebCore/platform/chromium/PasteboardChromium.cpp
+++ b/WebCore/platform/chromium/PasteboardChromium.cpp
@@ -177,7 +177,7 @@ PassRefPtr<DocumentFragment> Pasteboard::documentFragment(Frame* frame, PassRefP
 #endif
 
         RefPtr<DocumentFragment> fragment =
-            createFragmentFromMarkup(frame->document(), markup, srcURL);
+            createFragmentFromMarkup(frame->document(), markup, srcURL, FragmentScriptingNotAllowed);
         if (fragment)
             return fragment.release();
     }
diff --git a/WebCore/platform/gtk/PasteboardGtk.cpp b/WebCore/platform/gtk/PasteboardGtk.cpp
index ee95a38..0b4d356 100644
--- a/WebCore/platform/gtk/PasteboardGtk.cpp
+++ b/WebCore/platform/gtk/PasteboardGtk.cpp
@@ -171,7 +171,7 @@ PassRefPtr<DocumentFragment> Pasteboard::documentFragment(Frame* frame, PassRefP
         gtk_selection_data_free(data);
 
         if (!html.isEmpty()) {
-            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "");
+            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", FragmentScriptingNotAllowed);
             if (fragment)
                 return fragment.release();
         }
diff --git a/WebCore/platform/mac/PasteboardMac.mm b/WebCore/platform/mac/PasteboardMac.mm
index f048791..ff5fe10 100644
--- a/WebCore/platform/mac/PasteboardMac.mm
+++ b/WebCore/platform/mac/PasteboardMac.mm
@@ -372,7 +372,7 @@ PassRefPtr<DocumentFragment> Pasteboard::documentFragment(Frame* frame, PassRefP
             }
         }
         if ([HTMLString length] != 0) {
-            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), HTMLString, "");
+            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), HTMLString, "", FragmentScriptingNotAllowed);
             if (fragment)
                 return fragment.release();
         }
diff --git a/WebCore/platform/qt/DragDataQt.cpp b/WebCore/platform/qt/DragDataQt.cpp
index b0611e6..09a797f 100644
--- a/WebCore/platform/qt/DragDataQt.cpp
+++ b/WebCore/platform/qt/DragDataQt.cpp
@@ -134,7 +134,7 @@ String DragData::asURL(String*) const
 PassRefPtr<DocumentFragment> DragData::asFragment(Document* doc) const
 {
     if (m_platformDragData && m_platformDragData->hasHtml())
-        return createFragmentFromMarkup(doc, m_platformDragData->html(), "");
+        return createFragmentFromMarkup(doc, m_platformDragData->html(), "", FragmentScriptingNotAllowed);
 
     return 0;
 }
diff --git a/WebCore/platform/qt/PasteboardQt.cpp b/WebCore/platform/qt/PasteboardQt.cpp
index 209a573..44c9eec 100644
--- a/WebCore/platform/qt/PasteboardQt.cpp
+++ b/WebCore/platform/qt/PasteboardQt.cpp
@@ -103,7 +103,7 @@ PassRefPtr<DocumentFragment> Pasteboard::documentFragment(Frame* frame, PassRefP
     if (mimeData->hasHtml()) {
         QString html = mimeData->html();
         if (!html.isEmpty()) {
-            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "");
+            RefPtr<DocumentFragment> fragment = createFragmentFromMarkup(frame->document(), html, "", FragmentScriptingNotAllowed);
             if (fragment)
                 return fragment.release();
         }
diff --git a/WebCore/platform/win/ClipboardUtilitiesWin.cpp b/WebCore/platform/win/ClipboardUtilitiesWin.cpp
index 0358b7a..f22fcdc 100644
--- a/WebCore/platform/win/ClipboardUtilitiesWin.cpp
+++ b/WebCore/platform/win/ClipboardUtilitiesWin.cpp
@@ -415,7 +415,7 @@ PassRefPtr<DocumentFragment> fragmentFromCF_HTML(Document* doc, const String& cf
     unsigned fragmentEnd = cf_html.reverseFind('<', tagEnd);
     String markup = cf_html.substring(fragmentStart, fragmentEnd - fragmentStart).stripWhiteSpace();
 
-    return createFragmentFromMarkup(doc, markup, srcURL);
+    return createFragmentFromMarkup(doc, markup, srcURL, FragmentScriptingNotAllowed);
 }
 
 
@@ -443,7 +443,7 @@ PassRefPtr<DocumentFragment> fragmentFromHTML(Document* doc, IDataObject* data)
         html = String(data);
         GlobalUnlock(store.hGlobal);      
         ReleaseStgMedium(&store);
-        return createFragmentFromMarkup(doc, html, srcURL);
+        return createFragmentFromMarkup(doc, html, srcURL, FragmentScriptingNotAllowed);
     } 
 
     return 0;
diff --git a/WebKit/mac/ChangeLog b/WebKit/mac/ChangeLog
index a5c2e45..32300a6 100644
--- a/WebKit/mac/ChangeLog
+++ b/WebKit/mac/ChangeLog
@@ -1,3 +1,14 @@
+2010-01-18  Enrica Casucci  <enrica at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Script attributes are copied and pasted, making cross-domain attacks possible (30019)
+        <rdar://problem/6008809>
+        https://bugs.webkit.org/show_bug.cgi?id=30019
+
+        * WebView/WebFrame.mm:
+        (-[WebFrame _documentFragmentWithMarkupString:baseURLString:]): Modified the call to createMarkupString.
+
 2010-01-18  Steve Falkenburg  <sfalken at apple.com>
 
         Rubber-stamped by Sam Weinig.
diff --git a/WebKit/mac/WebView/WebFrame.mm b/WebKit/mac/WebView/WebFrame.mm
index 7289d96..5f012a6 100644
--- a/WebKit/mac/WebView/WebFrame.mm
+++ b/WebKit/mac/WebView/WebFrame.mm
@@ -848,7 +848,7 @@ static inline WebDataSource *dataSource(DocumentLoader* loader)
     if (!_private->coreFrame || !_private->coreFrame->document())
         return nil;
 
-    return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString).get());
+    return kit(createFragmentFromMarkup(_private->coreFrame->document(), markupString, baseURLString, FragmentScriptingNotAllowed).get());
 }
 
 - (DOMDocumentFragment *)_documentFragmentWithNodesAsParagraphs:(NSArray *)nodes
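Review bot: `_documentFragmentWithMarkupString:baseURLString:` now always builds the fragment with `FragmentScriptingNotAllowed`, which is right for the paste path but is a behaviour change for any other caller of this SPI, if there are any; a comment above the method (outside this hunk) stating that fragments created here have event handlers and javascript: URLs stripped would make that explicit. The WebKit/mac ChangeLog entry describes this as modifying the call to createMarkupString, but the call here is to `createFragmentFromMarkup`. The method begins before the hunk.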
