[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87
Gustavo Noronha Silva
gns at gnome.org
Thu Jul 15 21:13:32 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 938eb8dc5d4d55ed27d8c8a043a0b35e51625ee7
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed May 12 18:13:00 2010 +0000
2010-05-12 Abhishek Arya <inferno at chromium.org>
Reviewed by Darin Adler.
HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties.
https://bugs.webkit.org/show_bug.cgi?id=38922
Test: fast/encoding/textnode-XSS.html
* editing/markup.cpp:
(WebCore::appendStartMarkup):
2010-05-12 Abhishek Arya <inferno at chromium.org>
Reviewed by Darin Adler.
Tests that accessing the innerHTML property of a text node encodes
entities properly. Update existing test to fix the innerHTML result.
https://bugs.webkit.org/show_bug.cgi?id=38922
* fast/innerHTML/innerHTML-special-elements-expected.txt: Added.
* fast/innerHTML/innerHTML-special-elements.html: Added.
* fast/parser/comment-in-textarea-expected.txt: Update test expectation.
* fast/parser/script-tests/comment-in-textarea.js: Update test by
replacing with html entities of <, > chars in textarea innerHTML result.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cabb024..8f4f1d7 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-05-12 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Tests that accessing the innerHTML property of a text node encodes
+ entities properly. Update existing test to fix the innerHTML result.
+ https://bugs.webkit.org/show_bug.cgi?id=38922
+
+ * fast/innerHTML/innerHTML-special-elements-expected.txt: Added.
+ * fast/innerHTML/innerHTML-special-elements.html: Added.
+
+ * fast/parser/comment-in-textarea-expected.txt: Update test expectation.
+ * fast/parser/script-tests/comment-in-textarea.js: Update test by
+ replacing with html entities of <, > chars in textarea innerHTML result.
+
2010-04-28 Julien Chaffraix <jchaffraix at webkit.org>
Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/fast/innerHTML/innerHTML-special-elements-expected.txt b/LayoutTests/fast/innerHTML/innerHTML-special-elements-expected.txt
new file mode 100644
index 0000000..455fbbd
--- /dev/null
+++ b/LayoutTests/fast/innerHTML/innerHTML-special-elements-expected.txt
@@ -0,0 +1,17 @@
+Tests that accessing the innerHTML property of a text node encodes harmful entities which can result in cross site scripting.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS innerHTML("script") is "/*"'&<> "'&<> \"'&<> */"
+PASS innerHTML("style") is "/*"'&<> "'&<> \"'&<> */"
+PASS innerHTML("textarea") is "/*\"'&<> \"'&<> \"'&<> */"
+PASS innerHTML("xmp") is "/*"'&<> "'&<> \"'&<> */"
+PASS outerHTML("script") is "<script id=\"script\">/*"'&<> "'&<> \"'&<> */</script>"
+PASS outerHTML("style") is "<style id=\"style\">/*"'&<> "'&<> \"'&<> */</style>"
+PASS outerHTML("textarea") is "<textarea id=\"textarea\">/*\"'&<> \"'&<> \"'&<> */</textarea>"
+PASS outerHTML("xmp") is "<xmp id=\"xmp\">/*"'&<> "'&<> \"'&<> */</xmp>"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/innerHTML/innerHTML-special-elements.html b/LayoutTests/fast/innerHTML/innerHTML-special-elements.html
new file mode 100644
index 0000000..a359be4
--- /dev/null
+++ b/LayoutTests/fast/innerHTML/innerHTML-special-elements.html
@@ -0,0 +1,45 @@
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<div id="hidden" style="visibility: hidden">
+<script id="script">/*"'&<> "'&<> "'&<> */</script>
+<style id="style">/*"'&<> "'&<> "'&<> */</style>
+<textarea id="textarea">/*"'&<> "'&<> "'&<> */</textarea>
+<xmp id="xmp">/*"'&<> "'&<> "'&<> */</xmp>
+</div>
+<script>
+description("Tests that accessing the innerHTML property of a text node encodes harmful entities which can result in cross site scripting.");
+
+var tests = [ ['innerHTML("script")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
+ ['innerHTML("style")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
+ ['innerHTML("textarea")', '"/*\\"\'&<> \\"\'&<> \\"\'&<> */"'],
+ ['innerHTML("xmp")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
+ ['outerHTML("script")' , '"<script id=\\"script\\">/*"'&<> "'&<> \\"\'&<> */<\/script>"'],
+ ['outerHTML("style")' , '"<style id=\\"style\\">/*"'&<> "'&<> \\"\'&<> */<\/style>"'],
+ ['outerHTML("textarea")', '"<textarea id=\\"textarea\\">/*\\"\'&<> \\"\'&<> \\"\'&<> */<\/textarea>"'],
+ ['outerHTML("xmp")' , '"<xmp id=\\"xmp\\">/*"'&<> "'&<> \\"\'&<> */<\/xmp>"'],
+ ];
+
+function innerHTML(textnode) {
+ return document.getElementById(textnode).innerHTML;
+}
+
+function outerHTML(textnode) {
+ return document.getElementById(textnode).outerHTML;
+}
+
+for (var i in tests) {
+ shouldBe(tests[i][0], tests[i][1]);
+}
+
+successfullyParsed = true;
+
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
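Review bot: The driver loop at the end of the script uses `for (var i in tests)` on an array, which enumerates every enumerable property rather than only the indices, so anything a harness script adds to Array.prototype would be handed to shouldBe as a test row; `for (var i = 0; i < tests.length; ++i)` avoids that. The helpers `innerHTML(textnode)` and `outerHTML(textnode)` look up an element by id, not a text node, so `elementId` would be a more accurate parameter name. The table covers only script, style, textarea and xmp; one row for an ordinary element such as a div would also pin the default escaping path, so a later change to the special-case list cannot silently alter it.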
diff --git a/LayoutTests/fast/parser/comment-in-textarea-expected.txt b/LayoutTests/fast/parser/comment-in-textarea-expected.txt
index e1f01ff..b2a0dfc 100644
--- a/LayoutTests/fast/parser/comment-in-textarea-expected.txt
+++ b/LayoutTests/fast/parser/comment-in-textarea-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
PASS textAreas.length is 1
-PASS textAreas[0].innerHTML is "<!-- </textarea> --> This should be part of the textarea"
+PASS textAreas[0].innerHTML is "<!-- </textarea> --> This should be part of the textarea"
PASS successfullyParsed is true
TEST COMPLETE
diff --git a/LayoutTests/fast/parser/script-tests/comment-in-textarea.js b/LayoutTests/fast/parser/script-tests/comment-in-textarea.js
index bc80e73..b8e60e9 100644
--- a/LayoutTests/fast/parser/script-tests/comment-in-textarea.js
+++ b/LayoutTests/fast/parser/script-tests/comment-in-textarea.js
@@ -6,6 +6,6 @@ document.body.appendChild(element);
var textAreas = document.getElementsByTagName("textarea");
shouldBe("textAreas.length", "1");
-shouldBeEqualToString("textAreas[0].innerHTML", "<!-- </textarea> --> This should be part of the textarea");
+shouldBeEqualToString("textAreas[0].innerHTML", "<!-- </textarea> --> This should be part of the textarea");
var successfullyParsed = true;
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 62dafd2..1e3dd40 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-05-12 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties.
+ https://bugs.webkit.org/show_bug.cgi?id=38922
+
+ Test: fast/encoding/textnode-XSS.html
+
+ * editing/markup.cpp:
+ (WebCore::appendStartMarkup):
+
2010-05-12 James Robinson <jamesr at chromium.org>
Patch by Dan Bernstein.
diff --git a/WebCore/editing/markup.cpp b/WebCore/editing/markup.cpp
index 787dad9..7e90107 100644
--- a/WebCore/editing/markup.cpp
+++ b/WebCore/editing/markup.cpp
@@ -404,10 +404,12 @@ static void appendStartMarkup(Vector<UChar>& result, const Node* node, const Ran
if (Node* parent = node->parentNode()) {
if (parent->hasTagName(scriptTag)
|| parent->hasTagName(styleTag)
- || parent->hasTagName(textareaTag)
|| parent->hasTagName(xmpTag)) {
appendUCharRange(result, ucharRange(node, range));
break;
+ } else if (parent->hasTagName(textareaTag)) {
+ appendEscapedContent(result, ucharRange(node, range), documentIsHTML);
+ break;
}
}
if (!annotate) {
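Review bot: The new `else if (parent->hasTagName(textareaTag))` branch has no comment saying why textarea is escaped while script, style and xmp are still appended raw, which makes it easy for a later cleanup to fold textarea back into the raw list and reopen the issue. I would add above it `// textarea content is parsed with entities decoded, so it must be re-escaped when serialized; script/style/xmp are raw text and are emitted verbatim.` Because the preceding branch ends in `break`, the `else` is redundant and a plain `if` would read more clearly. The WebCore ChangeLog entry names the test as fast/encoding/textnode-XSS.html, while the test added in this commit is fast/innerHTML/innerHTML-special-elements.html, so the entry should be corrected. appendStartMarkup begins and ends outside this hunk, so whether any other path reaches the raw append cannot be judged from here.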
--