[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
abarth at webkit.org
Mon Feb 21 00:16:03 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 0fbacc01fda3a0d2bf959e116a4ad528fdb02f93
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Jan 29 00:57:05 2011 +0000
2011-01-28 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
Teach XSSFilter about <meta> and <base> tags
https://bugs.webkit.org/show_bug.cgi?id=53339
I'm not 100% sure we need to block <meta http-equiv>, but it seems
prudent given how powerful that attribute is. We definitely need to
block injection of <base href> because that can redirect script tags
that use relative URLs.
* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::filterToken):
(WebCore::XSSFilter::filterMetaToken):
(WebCore::XSSFilter::filterBaseToken):
* html/parser/XSSFilter.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77033 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 50fd2f9..494a7e8 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,24 @@
Reviewed by Daniel Bates.
+ Teach XSSFilter about <meta> and <base> tags
+ https://bugs.webkit.org/show_bug.cgi?id=53339
+
+ I'm not 100% sure we need to block <meta http-equiv>, but it seems
+ prudent given how powerful that attribute is. We definitely need to
+ block injection of <base href> because that can redirect script tags
+ that use relative URLs.
+
+ * html/parser/XSSFilter.cpp:
+ (WebCore::XSSFilter::filterToken):
+ (WebCore::XSSFilter::filterMetaToken):
+ (WebCore::XSSFilter::filterBaseToken):
+ * html/parser/XSSFilter.h:
+
+2011-01-28 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
Teach XSSFilter about <applet>
https://bugs.webkit.org/show_bug.cgi?id=53338
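Review bot: the new entry says it is "not 100% sure" <meta http-equiv> needs blocking but never names the directive that worries it; state the concrete case (for example what an injected http-equiv="refresh" lets the attacker do) so the rationale is recorded rather than the doubt. The entry also lists no LayoutTests for the two new filter paths and the patch touches none; add a test with a reflected <base href> and one with a reflected <meta http-equiv> so the erasure is exercised.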
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index e4b9b8b..eab5956 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -119,6 +119,12 @@ void XSSFilter::filterToken(HTMLToken& token)
if (hasName(token, appletTag))
return filterAppletToken(token);
+ if (hasName(token, metaTag))
+ return filterMetaToken(token);
+
+ if (hasName(token, baseTag))
+ return filterBaseToken(token);
+
for (size_t i = 0; i < token.attributes().size(); ++i) {
const HTMLToken::Attribute& attribute = token.attributes().at(i);
if (!isNameOfScriptCarryingAttribute(attribute.m_name))
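Review bot: the `return filterMetaToken(token)` and `return filterBaseToken(token)` branches exit before the generic attribute loop that follows, so a <meta> or <base> start tag never reaches the `isNameOfScriptCarryingAttribute` sweep and an injected event-handler attribute on either tag goes unchecked. This mirrors the existing applet dispatch, but it means each new filter guards exactly one attribute; either let these branches fall through to the loop or have the per-tag filters run the same sweep before returning.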
@@ -194,6 +200,24 @@ void XSSFilter::filterAppletToken(HTMLToken& token)
eraseAttributeIfInjected(token, objectAttr);
}
+void XSSFilter::filterMetaToken(HTMLToken& token)
+{
+ ASSERT(m_state == Initial);
+ ASSERT(token.type() == HTMLToken::StartTag);
+ ASSERT(hasName(token, metaTag));
+
+ eraseAttributeIfInjected(token, http_equivAttr);
+}
+
+void XSSFilter::filterBaseToken(HTMLToken& token)
+{
+ ASSERT(m_state == Initial);
+ ASSERT(token.type() == HTMLToken::StartTag);
+ ASSERT(hasName(token, baseTag));
+
+ eraseAttributeIfInjected(token, hrefAttr);
+}
+
bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName)
{
size_t indexOfAttribute;
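Review bot: filterMetaToken erases only http_equivAttr and leaves the `content` attribute alone, so a template that already ships `<meta http-equiv="refresh">` and reflects request data into `content` gets no protection from this path; consider applying the same injected check to `content` whenever http-equiv is present. filterBaseToken's single hrefAttr check does match the ChangeLog's stated threat, relative script URLs being rebased.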
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index 9da17ea..8aa8cd6 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -50,6 +50,8 @@ private:
void filterObjectToken(HTMLToken&);
void filterEmbedToken(HTMLToken&);
void filterAppletToken(HTMLToken&);
+ void filterMetaToken(HTMLToken&);
+ void filterBaseToken(HTMLToken&);
bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);
--
WebKit Debian packaging
More information about the Pkg-webkit-commits mailing list