[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87
Gustavo Noronha Silva
gns at gnome.org
Thu Jul 15 21:13:20 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 66dfd9a32971d61e00b766ab6774c455aa30c488
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Apr 15 03:11:31 2010 +0000
2010-04-14 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
Javascript URL can be set as iframe.src via multiple DOM aliases
https://bugs.webkit.org/show_bug.cgi?id=37031
Moved frame/iframe checks from Attr to Node on inherited members.
Node child manipulation methods now return NOT_SUPPORTED_ERR if used
on a frame/iframe src attribute.
NamedNodeMap set methods now perform frame/iframe src checks.
Moved allowSettingSrcToJavascriptURL static helper function from
JSElementCustom.cpp to exported function in JSDOMBinding.h.
* bindings/js/JSAttrCustom.cpp:
(WebCore::JSAttr::setValue):
* bindings/js/JSDOMBinding.cpp:
(WebCore::allowSettingSrcToJavascriptURL):
* bindings/js/JSDOMBinding.h:
* bindings/js/JSElementCustom.cpp:
* bindings/js/JSNamedNodeMapCustom.cpp:
(WebCore::JSNamedNodeMap::setNamedItem):
(WebCore::JSNamedNodeMap::setNamedItemNS):
* bindings/js/JSNodeCustom.cpp:
(WebCore::isAttrFrameSrc):
(WebCore::JSNode::setNodeValue):
(WebCore::JSNode::setTextContent):
(WebCore::JSNode::insertBefore):
(WebCore::JSNode::replaceChild):
(WebCore::JSNode::removeChild):
(WebCore::JSNode::appendChild):
* bindings/v8/custom/V8AttrCustom.cpp:
* bindings/v8/custom/V8NamedNodeMapCustom.cpp:
(WebCore::V8NamedNodeMap::setNamedItemNSCallback):
(WebCore::V8NamedNodeMap::setNamedItemCallback):
(WebCore::toV8):
* bindings/v8/custom/V8NodeCustom.cpp:
(WebCore::isFrameSrc):
(WebCore::V8Node::textContentAccessorSetter):
(WebCore::V8Node::nodeValueAccessorSetter):
(WebCore::V8Node::insertBeforeCallback):
(WebCore::V8Node::replaceChildCallback):
(WebCore::V8Node::removeChildCallback):
(WebCore::V8Node::appendChildCallback):
* dom/Attr.idl:
* dom/NamedNodeMap.idl:
* dom/Node.idl:
2010-04-14 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
Fix frame/iframe src setting for JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=37031
* http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
* http/tests/security/xss-DENIED-iframe-src-alias.html:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57627 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f90bdd6..87b32c5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-04-14 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Fix frame/iframe src setting for JavaScript URLs
+ https://bugs.webkit.org/show_bug.cgi?id=37031
+
+ * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
+ * http/tests/security/xss-DENIED-iframe-src-alias.html:
+
2010-03-26 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
diff --git a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
index f2e8a1a..eb2f50a 100644
--- a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
+++ b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
@@ -10,7 +10,21 @@ CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
-This script tests if iframe.src can be set to a JavaScript URL via an alias (such as Attr.textContent or Attr.nodeValue). The test is successful if no alerts appear and the page finishes loading.
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+This script tests if iframe.src can be set to a JavaScript URL via alternate DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). The test is successful if no alerts appear and the page finishes loading.
+
+
+
+
+
+
+
+
diff --git a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
index 3a07b93..dfd6b15 100644
--- a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
+++ b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
@@ -7,15 +7,68 @@ window.onload = function()
layoutTestController.dumpAsText();
}
- var alert = 'javascript:alert("FAIL")';
- // Test different ways of aliasing iframe.src
+ function alertMsg(msg) {
+ return "javascript:alert(\"FAIL: " + msg +
+ "\");document.body.innerHTML=\"<p style='font-weight:bold;color:red'>Failure testing " + msg + "</p>\";//";
+ }
+ // Test different ways of setting iframe.src
var aliasTests = [
- function(iFrame) { iFrame.attributes['src'].textContent = alert;},
- function(iFrame) { iFrame.attributes['src'].nodeValue = alert;},
- function(iFrame) { iFrame.attributes[0].textContent = alert;},
- function(iFrame) { iFrame.attributes[0].nodeValue = alert;},
- function(iFrame) { iFrame.attributes.item(0).textContent = alert;},
- function(iFrame) { iFrame.attributes.item(0).nodeValue = alert;}
+ // Attr/Node attributes
+ function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;},
+ function(iFrame) { iFrame.attributes['src'].textContent = alertMsg("textContent");},
+ function(iFrame) { iFrame.attributes['src'].nodeValue = alertMsg("nodeValue");},
+ // Node attribute manipulation functions
+ function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));},
+ function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));},
+ function(iFrame) {
+ var a = document.createAttribute('src');
+ a.nodeValue = alertMsg("setAttributeNode");
+ iFrame.setAttributeNode(a);
+ },
+ function(iFrame) {
+ var a = document.createAttribute('src');
+ a.nodeValue = alertMsg("setAttributeNodeNS");
+ iFrame.setAttributeNodeNS(a);
+ },
+ // Child manipulation methods
+ function(iFrame) {
+ var src = iFrame.attributes['src'];
+ src.appendChild(document.createTextNode(alertMsg("appendChild() + removeChild()")));
+ src.removeChild(src.firstChild);
+ },
+ function(iFrame) {
+ var src = iFrame.attributes['src'];
+ src.replaceChild(document.createTextNode(alertMsg("replaceChild()")), src.firstChild);
+ },
+ function(iFrame) {
+ var src = iFrame.attributes['src'];
+ while (src.firstChild)
+ src.removeChild(src.firstChild);
+ src.appendChild(document.createTextNode(alertMsg("removeChild() + appendChild()")));
+ },
+ function(iFrame) {
+ var src = iFrame.attributes['src'];
+ while (src.firstChild)
+ src.removeChild(src.firstChild);
+ var msg = alertMsg("removeChild() + appendChild() + appendChild()");
+ src.appendChild(document.createTextNode(msg.slice(0,4)));
+ src.appendChild(document.createTextNode(msg.slice(4)));
+ },
+ function(iFrame) {
+ var src = iFrame.attributes['src'];
+ src.insertBefore(document.createTextNode(alertMsg("insertBefore()")), src.firstChild);
+ },
+ // NamedNodeMap
+ function(iFrame) {
+ var a = document.createAttribute('src');
+ a.nodeValue = alertMsg("setNamedItem()");
+ iFrame.attributes.setNamedItem(a);
+ },
+ function(iFrame) {
+ var a = document.createAttribute('src');
+ a.nodeValue = alertMsg("setNamedItemNS()");
+ iFrame.attributes.setNamedItemNS(a);
+ }
];
function makeOnloadHandler (idx, tgtFrame) {
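Review bot: The self-assignment `iFrame.src = iFrame.src;` on L120 is the only case in `aliasTests` that re-sets src after setting the attribute, and it carries no comment, so a reader cannot tell whether it is part of the alias under test or just a way to make the new value take effect. Presumably it is there because writing `Attr.value` stores the string without navigating, and the re-assignment forces the frame to act on it; if so, say so inline: `// re-assign so the value written through Attr.value is actually navigated, not merely stored`. `alertMsg` could likewise use a one-line comment explaining that the trailing `//` and the `document.body.innerHTML` rewrite exist so a failure is visible in the text dump. `makeOnloadHandler` continues outside the hunk.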
@@ -32,6 +85,7 @@ window.onload = function()
aFrame.src = 'http://localhost:8080/security/resources/innocent-victim.html';
aFrame.onload = makeOnloadHandler(i, aFrame);
aFrame.width = 700;
+ aFrame.height = 40;
document.body.appendChild(aFrame);
document.body.appendChild(document.createElement('br'));
}
@@ -40,8 +94,8 @@ window.onload = function()
</script>
</head>
<body>
-<p>This script tests if iframe.src can be set to a JavaScript URL via an alias
- (such as Attr.textContent or Attr.nodeValue). The test is successful if no
- alerts appear and the page finishes loading.</p>
+<p>This script tests if iframe.src can be set to a JavaScript URL via alternate
+ DOM interfaces (such as Node.textContent or NamedNode.setNamedItem).
+ The test is successful if no alerts appear and the page finishes loading.</p>
</body>
</html>
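Review bot: The description on L193 names `NamedNode.setNamedItem`, but there is no `NamedNode` interface; the method belongs to `NamedNodeMap` (the test's own comment on L164 and the `dom/NamedNodeMap.idl` change in this commit use that name). The same wording is duplicated in the expected output on L89, so both must change together or the test will fail on text mismatch: `DOM interfaces (such as Node.textContent or NamedNodeMap.setNamedItem).`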
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 08793aa..53d6e82 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,51 @@
+2010-04-14 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Javascript URL can be set as iframe.src via multiple DOM aliases
+ https://bugs.webkit.org/show_bug.cgi?id=37031
+
+ Moved frame/iframe checks from Attr to Node on inherited members.
+ Node child manipulation methods now return NOT_SUPPORTED_ERR if used
+ on a frame/iframe src attribute.
+ NamedNodeMap set methods now perform frame/iframe src checks.
+ Moved allowSettingSrcToJavascriptURL static helper function from
+ JSElementCustom.cpp to exported function in JSDOMBinding.h.
+
+ * bindings/js/JSAttrCustom.cpp:
+ (WebCore::JSAttr::setValue):
+ * bindings/js/JSDOMBinding.cpp:
+ (WebCore::allowSettingSrcToJavascriptURL):
+ * bindings/js/JSDOMBinding.h:
+ * bindings/js/JSElementCustom.cpp:
+ * bindings/js/JSNamedNodeMapCustom.cpp:
+ (WebCore::JSNamedNodeMap::setNamedItem):
+ (WebCore::JSNamedNodeMap::setNamedItemNS):
+ * bindings/js/JSNodeCustom.cpp:
+ (WebCore::isAttrFrameSrc):
+ (WebCore::JSNode::setNodeValue):
+ (WebCore::JSNode::setTextContent):
+ (WebCore::JSNode::insertBefore):
+ (WebCore::JSNode::replaceChild):
+ (WebCore::JSNode::removeChild):
+ (WebCore::JSNode::appendChild):
+ * bindings/v8/custom/V8AttrCustom.cpp:
+ * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
+ (WebCore::V8NamedNodeMap::setNamedItemNSCallback):
+ (WebCore::V8NamedNodeMap::setNamedItemCallback):
+ (WebCore::toV8):
+ * bindings/v8/custom/V8NodeCustom.cpp:
+ (WebCore::isFrameSrc):
+ (WebCore::V8Node::textContentAccessorSetter):
+ (WebCore::V8Node::nodeValueAccessorSetter):
+ (WebCore::V8Node::insertBeforeCallback):
+ (WebCore::V8Node::replaceChildCallback):
+ (WebCore::V8Node::removeChildCallback):
+ (WebCore::V8Node::appendChildCallback):
+ * dom/Attr.idl:
+ * dom/NamedNodeMap.idl:
+ * dom/Node.idl:
+
2010-03-26 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
diff --git a/WebCore/bindings/js/JSAttrCustom.cpp b/WebCore/bindings/js/JSAttrCustom.cpp
index 4e5b2de..4cd40ac 100644
--- a/WebCore/bindings/js/JSAttrCustom.cpp
+++ b/WebCore/bindings/js/JSAttrCustom.cpp
@@ -33,6 +33,7 @@
#include "Document.h"
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
+#include "JSDOMBinding.h"
using namespace JSC;
@@ -46,40 +47,14 @@ void JSAttr::setValue(ExecState* exec, JSValue value)
String attrValue = valueToStringWithNullCheck(exec, value);
Element* ownerElement = imp->ownerElement();
- if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
- if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return;
- }
- }
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
+ return;
ExceptionCode ec = 0;
imp->setValue(attrValue, ec);
setDOMException(exec, ec);
}
-JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const
-{
- Attr* imp = this->impl();
- return jsStringOrNull(exec, imp->value());
-}
-
-void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
-{
- setValue(exec, value);
-}
-
-JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const
-{
- return nodeValue(exec);
-}
-
-void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
-{
- setValue(exec, value);
-}
-
void JSAttr::markChildren(MarkStack& markStack)
{
Base::markChildren(markStack);
diff --git a/WebCore/bindings/js/JSDOMBinding.cpp b/WebCore/bindings/js/JSDOMBinding.cpp
index f294dad..393c1ee 100644
--- a/WebCore/bindings/js/JSDOMBinding.cpp
+++ b/WebCore/bindings/js/JSDOMBinding.cpp
@@ -24,6 +24,7 @@
#include "debugger/DebuggerCallFrame.h"
#include "ActiveDOMObject.h"
+#include "CSSHelper.h"
#include "DOMCoreException.h"
#include "DOMObjectHashTableMap.h"
#include "Document.h"
@@ -33,6 +34,7 @@
#include "Frame.h"
#include "HTMLAudioElement.h"
#include "HTMLCanvasElement.h"
+#include "HTMLFrameElementBase.h"
#include "HTMLImageElement.h"
#include "HTMLNames.h"
#include "HTMLScriptElement.h"
@@ -630,6 +632,16 @@ bool shouldAllowNavigation(ExecState* exec, Frame* frame)
return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame);
}
+bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+{
+ if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+ Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+ if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+ return false;
+ }
+ return true;
+}
+
void printErrorMessageForFrame(Frame* frame, const String& message)
{
if (!frame)
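Review bot: `allowSettingSrcToJavascriptURL` is now an exported helper used from four binding files, yet it has no header comment describing its contract, and the contract is easy to misread: it returns false only when all of (frame/iframe element, name is `src` ignoring case, javascript: protocol, content document present, `checkNodeSecurity` fails) hold, and returns true — allowing the write — when the frame has no content document yet. A comment above L324 along the lines of `// Returns false when `element` is a frame/iframe, `name` is its src attribute, `value` is a javascript: URL and the calling context may not access the frame's current content document; true otherwise (including when there is no content document yet). Callers are expected to abandon the write on false.` would make that explicit for future callers. The `static_cast<HTMLFrameElementBase*>` on L327 is only valid because of the tag check on L326; a note to that effect helps anyone later extending the tag list.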
diff --git a/WebCore/bindings/js/JSDOMBinding.h b/WebCore/bindings/js/JSDOMBinding.h
index 219472b..40f7e40 100644
--- a/WebCore/bindings/js/JSDOMBinding.h
+++ b/WebCore/bindings/js/JSDOMBinding.h
@@ -301,6 +301,8 @@ namespace WebCore {
bool allowsAccessFromFrame(JSC::ExecState*, Frame*);
bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
bool shouldAllowNavigation(JSC::ExecState*, Frame*);
+ bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
+
void printErrorMessageForFrame(Frame*, const String& message);
JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);
diff --git a/WebCore/bindings/js/JSElementCustom.cpp b/WebCore/bindings/js/JSElementCustom.cpp
index c725290..94012fd 100644
--- a/WebCore/bindings/js/JSElementCustom.cpp
+++ b/WebCore/bindings/js/JSElementCustom.cpp
@@ -36,6 +36,7 @@
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
#include "JSAttr.h"
+#include "JSDOMBinding.h"
#include "JSHTMLElementWrapperFactory.h"
#include "JSNodeList.h"
#include "NodeList.h"
@@ -63,16 +64,6 @@ void JSElement::markChildren(MarkStack& markStack)
markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
}
-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
-{
- if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return false;
- }
- return true;
-}
-
JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args)
{
ExceptionCode ec = 0;
diff --git a/WebCore/bindings/js/JSNamedNodeMapCustom.cpp b/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
index 13f3628..965498a 100644
--- a/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
+++ b/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
@@ -35,6 +35,38 @@ using namespace JSC;
namespace WebCore {
+JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
+JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
{
return impl->getNamedItem(propertyName);
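Review bot: `setNamedItem` and `setNamedItemNS` are identical except for the single `imp->setNamedItem`/`imp->setNamedItemNS` call, so the three-line security guard on L389–L391 and L405–L407 now lives in two places (and again in the V8 counterparts on L578–L581 and L599–L602); a future change to the check must be applied in all four. Extracting the guard into one `static bool` helper in this file that takes `(ExecState*, NamedNodeMap*, Node*)` and returns whether the write may proceed would leave each callback with one line. Neither function documents that it returns `jsNull()` without raising when the check fails, which differs from the child-manipulation methods in JSNodeCustom.cpp that raise `NOT_SUPPORTED_ERR`; a one-line comment on the early return, such as `// Disallowed by the frame src policy; checkNodeSecurity has already reported it.`, should be confirmed against what `checkNodeSecurity` actually does before being written.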
diff --git a/WebCore/bindings/js/JSNodeCustom.cpp b/WebCore/bindings/js/JSNodeCustom.cpp
index 39bdf0c..06022a2 100644
--- a/WebCore/bindings/js/JSNodeCustom.cpp
+++ b/WebCore/bindings/js/JSNodeCustom.cpp
@@ -38,6 +38,7 @@
#include "JSAttr.h"
#include "JSCDATASection.h"
#include "JSComment.h"
+#include "JSDOMBinding.h"
#include "JSDocument.h"
#include "JSDocumentFragment.h"
#include "JSDocumentType.h"
@@ -66,12 +67,53 @@ using namespace JSC;
namespace WebCore {
-typedef int ExpectionCode;
+static inline bool isAttrFrameSrc(Element *element, const String& name)
+{
+ return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setNodeValue(nodeValue, ec);
+ setDOMException(exec, ec);
+}
+
+void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setTextContent(nodeValue, ec);
+ setDOMException(exec, ec);
+}
JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
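Review bot: The four-line frame-src guard added to `insertBefore` on L471–L475 is repeated verbatim in `replaceChild` (L486–L490), `removeChild` (L501–L505) and `appendChild` (L516–L520), and the pointer style `Element *element` on L433 departs from the `Element* element` form used elsewhere in this file. Factoring the guard into a static helper next to `isAttrFrameSrc` keeps the policy in one place and gives it a home for a comment explaining why child manipulation on a frame src attribute is refused outright rather than checked for a javascript: URL (the test on L152–L159 shows a URL being assembled from two text nodes, which a per-write URL check cannot see). Note also that all of these guards key on the holder being the Attr node itself (`nodeType() == Node::ATTRIBUTE_NODE`); whether the same protection is needed for mutations applied to the Attr's child Text node is not settled by this diff and is worth confirming. `insertBefore` continues past the end of the hunk.
```cpp
static inline bool isAttrFrameSrc(Element* element, const String& name)
{
    return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
}

// Child manipulation on a frame/iframe src attribute is refused outright with
// NOT_SUPPORTED_ERR: a javascript: URL could otherwise be assembled from several
// text-node children, which a check on any single write would not see.
// Returns true when the exception has been set and the caller must bail out.
static bool rejectFrameSrcAttrChildMutation(ExecState* exec, Node* node)
{
    if (node->nodeType() != Node::ATTRIBUTE_NODE || !isAttrFrameSrc(static_cast<Attr*>(node)->ownerElement(), node->nodeName()))
        return false;
    setDOMException(exec, NOT_SUPPORTED_ERR);
    return true;
}

JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
{
    Node* imp = static_cast<Node*>(impl());
    if (rejectFrameSrcAttrChildMutation(exec, imp))
        return jsNull();
    // … unchanged: insertBefore call, setDOMException, return …
```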
@@ -80,8 +122,14 @@ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(1);
@@ -90,8 +138,14 @@ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->removeChild(toNode(args.at(0)), ec);
+ bool ok = imp->removeChild(toNode(args.at(0)), ec);
setDOMException(exec, ec);
if (ok)
return args.at(0);
@@ -100,8 +154,14 @@ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
+ bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
diff --git a/WebCore/bindings/v8/custom/V8AttrCustom.cpp b/WebCore/bindings/v8/custom/V8AttrCustom.cpp
index 76e9df8..0da4ae4 100644
--- a/WebCore/bindings/v8/custom/V8AttrCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8AttrCustom.cpp
@@ -55,24 +55,4 @@ void V8Attr::valueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value
throwError(ec);
}
-void V8Attr::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
-{
- valueAccessorSetter(name, value, info);
-}
-v8::Handle<v8::Value> V8Attr::nodeValueAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
-{
- Attr* imp = V8Attr::toNative(info.Holder());
- return v8StringOrNull(imp->value());
-}
-
-void V8Attr::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
-{
- valueAccessorSetter(name, value, info);
-}
-
-v8::Handle<v8::Value> V8Attr::textContentAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
-{
- return nodeValueAccessorGetter(name, info);
-}
-
} // namespace WebCore
diff --git a/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp b/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp
index 611ab94..e733767 100644
--- a/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp
@@ -32,7 +32,9 @@
#include "V8NamedNodeMap.h"
#include "NamedNodeMap.h"
+#include "V8Attr.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8Element.h"
#include "V8Node.h"
#include "V8Proxy.h"
@@ -73,6 +75,48 @@ v8::Handle<v8::Value> V8NamedNodeMap::namedPropertyGetter(v8::Local<v8::String>
return toV8(result.release());
}
+v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemNSCallback(const v8::Arguments& args)
+{
+ INC_STATS("DOM.NamedNodeMap.setNamedItemNS");
+ NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder());
+ Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return v8::Handle<v8::Value>();
+ }
+
+ ExceptionCode ec = 0;
+ RefPtr<Node> result = imp->setNamedItemNS(newNode, ec);
+ if (UNLIKELY(!ec)) {
+ throwError(ec);
+ return v8::Handle<v8::Value>();
+ }
+
+ return toV8(result.release());
+}
+
+v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemCallback(const v8::Arguments & args)
+{
+ INC_STATS("DOM.NamedNodeMap.setNamedItem");
+ NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder());
+ Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return v8::Handle<v8::Value>();
+ }
+
+ ExceptionCode ec = 0;
+ RefPtr<Node> result = imp->setNamedItem(newNode, ec);
+ if (UNLIKELY(!ec)) {
+ throwError(ec);
+ return v8::Handle<v8::Value>();
+ }
+
+ return toV8(result.release());
+}
+
v8::Handle<v8::Value> toV8(NamedNodeMap* impl)
{
if (!impl)
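Review bot: The exception test on L585 in `setNamedItemNSCallback` is inverted: `if (UNLIKELY(!ec))` takes the error branch when no exception code was set, so every successful call passes a zero code to `throwError` and returns an empty handle, while a call that did raise a DOMException skips the throw and returns a wrapper for `result`. The same inverted line appears on L606 in `setNamedItemCallback`. Both should read `if (UNLIKELY(ec)) {`, matching the `if (ec) throwError(ec);` form used by the new setters in V8NodeCustom.cpp on L649 and L666. Separately, `const v8::Arguments & args` on L593 should be `const v8::Arguments& args` as on L572.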
diff --git a/WebCore/bindings/v8/custom/V8NodeCustom.cpp b/WebCore/bindings/v8/custom/V8NodeCustom.cpp
index b5b2385..0a7198a 100644
--- a/WebCore/bindings/v8/custom/V8NodeCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8NodeCustom.cpp
@@ -37,6 +37,7 @@
#include "V8AbstractEventListener.h"
#include "V8Attr.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8CDATASection.h"
#include "V8Comment.h"
#include "V8CustomEventListener.h"
@@ -56,12 +57,57 @@
namespace WebCore {
+static inline bool isFrameSrc(Element *element, const String& name)
+{
+ return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void V8Node::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+ Node* imp = V8Node::toNative(info.Holder());
+ String nodeValue = toWebCoreStringWithNullCheck(value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement();
+ if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setTextContent(nodeValue, ec);
+ if (ec)
+ throwError(ec);
+}
+
+void V8Node::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+ Node* imp = V8Node::toNative(info.Holder());
+ String nodeValue = toWebCoreStringWithNullCheck(value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement();
+ if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setNodeValue(nodeValue, ec);
+ if (ec)
+ throwError(ec);
+}
+
// This function is customized to take advantage of the optional 4th argument: shouldLazyAttach
v8::Handle<v8::Value> V8Node::insertBeforeCallback(const v8::Arguments& args)
{
INC_STATS("DOM.Node.insertBefore");
v8::Handle<v8::Object> holder = args.Holder();
Node* imp = V8Node::toNative(holder);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+ V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+ return v8::Handle<v8::Value>();
+ }
+
ExceptionCode ec = 0;
Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
Node* refChild = V8Node::HasInstance(args[1]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[1])) : 0;
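Review bot: The pointer style in the new code is inconsistent with the rest of this file: `Element *element` on L631 and `Element * ownerElement` on L642 and L659 should be `Element* element` and `Element* ownerElement`. The helper is named `isFrameSrc` here but `isAttrFrameSrc` in the JSC binding (JSNodeCustom.cpp), and the four-line guard starting on L677 is repeated in the hunks for `replaceChildCallback` (L690), `removeChildCallback` (L703) and `appendChildCallback` (L716); a single static helper that sets the exception and returns whether to bail out would remove the duplication and is the natural place for a comment on why child manipulation is refused outright. `insertBeforeCallback` continues past the end of the hunk.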
@@ -81,6 +127,12 @@ v8::Handle<v8::Value> V8Node::replaceChildCallback(const v8::Arguments& args)
INC_STATS("DOM.Node.replaceChild");
v8::Handle<v8::Object> holder = args.Holder();
Node* imp = V8Node::toNative(holder);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+ V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+ return v8::Handle<v8::Value>();
+ }
+
ExceptionCode ec = 0;
Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
Node* oldChild = V8Node::HasInstance(args[1]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[1])) : 0;
@@ -99,6 +151,12 @@ v8::Handle<v8::Value> V8Node::removeChildCallback(const v8::Arguments& args)
INC_STATS("DOM.Node.removeChild");
v8::Handle<v8::Object> holder = args.Holder();
Node* imp = V8Node::toNative(holder);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+ V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+ return v8::Handle<v8::Value>();
+ }
+
ExceptionCode ec = 0;
Node* oldChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
bool success = imp->removeChild(oldChild, ec);
@@ -117,6 +175,12 @@ v8::Handle<v8::Value> V8Node::appendChildCallback(const v8::Arguments& args)
INC_STATS("DOM.Node.appendChild");
v8::Handle<v8::Object> holder = args.Holder();
Node* imp = V8Node::toNative(holder);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+ V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+ return v8::Handle<v8::Value>();
+ }
+
ExceptionCode ec = 0;
Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
bool success = imp->appendChild(newChild, ec, true );
diff --git a/WebCore/dom/Attr.idl b/WebCore/dom/Attr.idl
index a29c613..3c73bc0 100644
--- a/WebCore/dom/Attr.idl
+++ b/WebCore/dom/Attr.idl
@@ -34,11 +34,6 @@ module core {
attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
setter raises(DOMException);
-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue
- setter raises(DOMException);
-#endif
-
// DOM Level 2
readonly attribute Element ownerElement;
@@ -47,11 +42,6 @@ module core {
readonly attribute boolean isId;
-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent
- setter raises(DOMException);
-#endif
-
// extensions
readonly attribute CSSStyleDeclaration style;
};
diff --git a/WebCore/dom/NamedNodeMap.idl b/WebCore/dom/NamedNodeMap.idl
index 4d36577..7bfbf23 100644
--- a/WebCore/dom/NamedNodeMap.idl
+++ b/WebCore/dom/NamedNodeMap.idl
@@ -28,7 +28,7 @@ module core {
Node getNamedItem(in DOMString name);
- Node setNamedItem(in Node node)
+ [Custom] Node setNamedItem(in Node node)
raises(DOMException);
Node removeNamedItem(in DOMString name)
@@ -46,7 +46,7 @@ module core {
// FIXME: the implementation does take an exceptioncode parameter.
/*raises(DOMException)*/;
- Node setNamedItemNS(in Node node)
+ [Custom] Node setNamedItemNS(in Node node)
raises(DOMException);
[OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI,
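Review bot: The `[Custom]` markers added on L755 and L762 (and the `[CustomSetter]` markers on L773 and L780 of `Node.idl`) are not wrapped in a `#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT` guard, whereas the custom declarations this commit removes from `Attr.idl` (L731–L734, L740–L743) were. If any non-JavaScript binding generator honours these attributes, it would now expect hand-written implementations that this commit does not provide; if those generators ignore `Custom`, a short comment saying the override exists for the frame src check, like the one the removed lines carried, would still help the next reader.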
diff --git a/WebCore/dom/Node.idl b/WebCore/dom/Node.idl
index 0489316..22d9a85 100644
--- a/WebCore/dom/Node.idl
+++ b/WebCore/dom/Node.idl
@@ -51,7 +51,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString nodeName;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
setter raises(DOMException);
readonly attribute unsigned short nodeType;
@@ -96,7 +96,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString baseURI;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
setter raises(DOMException);
boolean isSameNode(in Node other);