[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
abarth at webkit.org
abarth at webkit.org
Mon Feb 21 00:15:51 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit f47ab5407b9ec21ac1e81c0a8cf35f4ff2e5aa09
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Jan 29 00:53:57 2011 +0000
2011-01-28 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
Teach the XSSFilter about object and embed tags
https://bugs.webkit.org/show_bug.cgi?id=53336
For <object> and <embed>, we filter out attribute values that either
indicate which piece of media to load or which plugin to load. In a
perfect world, we'd only need to filter out the URLs of the media, but
some plug-ins (like Flash) have lots of fun places you can hide the
URL (e.g., the "movie" <param>).
* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::filterToken):
(WebCore::XSSFilter::filterScriptToken):
(WebCore::XSSFilter::filterObjectToken):
(WebCore::XSSFilter::filterEmbedToken):
(WebCore::XSSFilter::eraseAttributeIfInjected):
* html/parser/XSSFilter.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77031 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 88dc4c6..b4282b3 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2011-01-28 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
+ Teach the XSSFilter about object and embed tags
+ https://bugs.webkit.org/show_bug.cgi?id=53336
+
+ For <object> and <embed>, we filter out attribute values that either
+ indicate which piece of media to load or which plugin to load. In a
+ perfect world, we'd only need to filter out the URLs of the media, but
+ some plug-ins (like Flash) have lots of fun places you can hide the
+ URL (e.g., the "movie" <param>).
+
+ * html/parser/XSSFilter.cpp:
+ (WebCore::XSSFilter::filterToken):
+ (WebCore::XSSFilter::filterScriptToken):
+ (WebCore::XSSFilter::filterObjectToken):
+ (WebCore::XSSFilter::filterEmbedToken):
+ (WebCore::XSSFilter::eraseAttributeIfInjected):
+ * html/parser/XSSFilter.h:
+
2011-01-28 Oliver Hunt <oliver at apple.com>
Fix Qt build.
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index 92ea38a..554554a 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -107,10 +107,14 @@ void XSSFilter::filterToken(HTMLToken& token)
if (token.type() != HTMLToken::StartTag)
return;
- if (hasName(token, scriptTag)) {
- filterScriptToken(token);
- return;
- }
+ if (hasName(token, scriptTag))
+ return filterScriptToken(token);
+
+ if (hasName(token, objectTag))
+ return filterObjectToken(token);
+
+ if (hasName(token, embedTag))
+ return filterEmbedToken(token);
for (size_t i = 0; i < token.attributes().size(); ++i) {
const HTMLToken::Attribute& attribute = token.attributes().at(i);
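Review bot: The new `return filterObjectToken(token);` and `return filterEmbedToken(token);` branches skip the per-attribute loop that begins on the hunk's last two lines, so whatever that loop filters (its body is outside the hunk; from its shape it looks like a generic per-attribute check, presumably for event-handler or URL-valued attributes) is never applied to `<object>` and `<embed>` start tags. The script branch already returned early before this change, but unlike filterScriptToken the new object/embed handlers in the next hunk do not touch `m_state`, so there is no visible reason for them to bypass the generic pass; unless that loop is known to be unsafe for these tags, dropping the `return` on both lines (`filterObjectToken(token);` / `filterEmbedToken(token);`) lets the tag-specific erasure run first and the generic loop afterwards. As a point of style, `return f(token);` with a void `f` is legal but reads as if a value were being returned; the previous call-then-`return` form was clearer. filterToken's body continues outside the hunk.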
@@ -149,18 +153,46 @@ void XSSFilter::filterScriptToken(HTMLToken& token)
ASSERT(token.type() == HTMLToken::StartTag);
ASSERT(hasName(token, scriptTag));
- size_t indexOfFirstSrcAttribute;
- if (findAttributeWithName(token, srcAttr, indexOfFirstSrcAttribute)) {
- const HTMLToken::Attribute& srcAttribute = token.attributes().at(indexOfFirstSrcAttribute);
- if (isContainedInRequest(snippetForAttribute(token, srcAttribute)))
- token.eraseValueOfAttribute(indexOfFirstSrcAttribute);
+ if (eraseAttributeIfInjected(token, srcAttr))
return;
- }
m_state = AfterScriptStartTag;
m_cachedSnippet = m_parser->sourceForToken(token);
}
+void XSSFilter::filterObjectToken(HTMLToken& token)
+{
+ ASSERT(m_state == Initial);
+ ASSERT(token.type() == HTMLToken::StartTag);
+ ASSERT(hasName(token, objectTag));
+
+ eraseAttributeIfInjected(token, dataAttr);
+ eraseAttributeIfInjected(token, typeAttr);
+ eraseAttributeIfInjected(token, classidAttr);
+}
+
+void XSSFilter::filterEmbedToken(HTMLToken& token)
+{
+ ASSERT(m_state == Initial);
+ ASSERT(token.type() == HTMLToken::StartTag);
+ ASSERT(hasName(token, embedTag));
+
+ eraseAttributeIfInjected(token, srcAttr);
+ eraseAttributeIfInjected(token, typeAttr);
+}
+
+bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName)
+{
+ size_t indexOfAttribute;
+ if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
+ const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
+ if (isContainedInRequest(snippetForAttribute(token, attribute)))
+ token.eraseValueOfAttribute(indexOfAttribute);
+ return true;
+ }
+ return false;
+}
+
String XSSFilter::snippetForRange(const HTMLToken& token, int start, int end)
{
// FIXME: There's an extra allocation here that we could save by
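Review bot: `eraseAttributeIfInjected` returns true whenever `findAttributeWithName` succeeds, regardless of whether `isContainedInRequest` matched and the value was actually erased, so the name promises more than the bool delivers. That matters at the call site in `filterScriptToken`, where `if (eraseAttributeIfInjected(token, srcAttr)) return;` bails out on any `src` attribute, injected or not — this preserves the pre-change behaviour, but a reader will take it to mean "injection found". A comment above the definition such as `// Returns true if the token carries attributeName at all, whether or not its value was erased; callers use it to detect presence, not injection.` would close that gap, and the declaration added in XSSFilter.h below deserves the same note. The commit message itself points out that plug-ins like Flash can take the URL from a `<param>` value, which none of the new handlers inspect, so the object path is not yet complete on its own terms.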
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index 89ac95a..24e9674 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -47,6 +47,10 @@ private:
void filterTokenAfterScriptStartTag(HTMLToken&);
void filterScriptToken(HTMLToken&);
+ void filterObjectToken(HTMLToken&);
+ void filterEmbedToken(HTMLToken&);
+
+ bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);
String snippetForRange(const HTMLToken&, int start, int end);
String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);