The following commit has been merged in the webkit-1.3 branch:
commit 62d3c6c1d01c723ff8d88a6a15e55a0f4a37754d
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Jan 29 09:17:55 2011 +0000
2011-01-29 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
XSSFilter should pass 16 of the xssAuditor/script-tag* tests
https://bugs.webkit.org/show_bug.cgi?id=53362
Turns out we need to replace the src attribute of script tags with
about:blank to avoid loading the main document URL as a script. Also,
move misplaced return statement that was triggering the console message
too often.
* html/parser/HTMLToken.h:
(WebCore::HTMLToken::appendToAttributeValue):
* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::filterScriptToken):
(WebCore::XSSFilter::eraseAttributeIfInjected):
* html/parser/XSSFilter.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77057 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 7e4096d..f2930eb 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2011-01-29 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
+ XSSFilter should pass 16 of the xssAuditor/script-tag* tests
+ https://bugs.webkit.org/show_bug.cgi?id=53362
+
+ Turns out we need to replace the src attribute of script tags with
+ about:blank to avoid loading the main document URL as a script. Also,
+ move misplaced return statement that was triggering the console message
+ too often.
+
+ * html/parser/HTMLToken.h:
+ (WebCore::HTMLToken::appendToAttributeValue):
+ * html/parser/XSSFilter.cpp:
+ (WebCore::XSSFilter::filterScriptToken):
+ (WebCore::XSSFilter::eraseAttributeIfInjected):
+ * html/parser/XSSFilter.h:
+
2011-01-28 Jon Honeycutt <jhoneycutt at apple.com>
Downloads in WK2 on Windows should write resume data to bundle
diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
index ccbcdfd..aa16ab2 100644
--- a/Source/WebCore/html/parser/HTMLToken.h
+++ b/Source/WebCore/html/parser/HTMLToken.h
@@ -220,6 +220,13 @@ public:
m_currentAttribute->m_value.append(character);
}
+ void appendToAttributeValue(size_t i, const String& value)
+ {
+ ASSERT(!value.isEmpty());
+ ASSERT(m_type == StartTag || m_type == EndTag);
+ m_attributes[i].m_value.append(value.characters(), value.length());
+ }
+
Type type() const { return m_type; }
bool selfClosing() const
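Review bot: The new index-based overload at L57 indexes `m_attributes[i]` with no assertion on `i`, while its other preconditions (`!value.isEmpty()`, the start/end-tag type) are asserted; WTF::Vector's operator[] is expected to assert the bound in debug builds, but spelling it out here documents the contract for callers such as XSSFilter that pass an index recovered from a name lookup: `ASSERT(i < m_attributes.size());`. The overload also shares its name with the `UChar` variant directly above it, which appends to `m_currentAttribute` rather than to an arbitrary index, so a one-line comment would prevent the two being confused: `// Appends to the attribute at index i, not to the attribute currently being built (see the UChar overload above).` The enclosing class continues outside the hunk.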
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index b2771a0..f43cf0e 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -179,7 +179,7 @@ bool XSSFilter::filterScriptToken(HTMLToken& token)
ASSERT(token.type() == HTMLToken::StartTag);
ASSERT(hasName(token, scriptTag));
- if (eraseAttributeIfInjected(token, srcAttr))
+ if (eraseAttributeIfInjected(token, srcAttr, blankURL().string()))
return true;
m_state = AfterScriptStartTag;
@@ -263,14 +263,17 @@ bool XSSFilter::eraseInlineEventHandlersIfInjected(HTMLToken& token)
return didBlockScript;
}
-bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName)
+bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName, const String& replacementValue)
{
size_t indexOfAttribute;
if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
- if (isContainedInRequest(snippetForAttribute(token, attribute)))
+ if (isContainedInRequest(snippetForAttribute(token, attribute))) {
token.eraseValueOfAttribute(indexOfAttribute);
- return true;
+ if (!replacementValue.isEmpty())
+ token.appendToAttributeValue(indexOfAttribute, replacementValue);
+ return true;
+ }
}
return false;
}
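Review bot: The new `replacementValue` parameter at L81 changes what `eraseAttributeIfInjected` does (erase, then optionally replace), but neither this definition nor the declaration at L105 in XSSFilter.h says why a replacement is ever needed; the commit message is the only place that explains it. A comment above the function would keep that reasoning with the code: `// Erases the value of attributeName when it appears in the request. When replacementValue is non-empty it is written back in place of the erased value; filterScriptToken passes about:blank for src because an emptied src would otherwise resolve to the document URL and load the page itself as a script.` The `const HTMLToken::Attribute& attribute` reference taken at L85 is only used before `eraseValueOfAttribute` and `appendToAttributeValue` mutate the token, which is fine as written, but a short note that it must not be read after those calls would help the next edit to this block.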
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index 23e04b3..b7fb4df 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -56,7 +56,7 @@ private:
bool filterBaseToken(HTMLToken&);
bool eraseInlineEventHandlersIfInjected(HTMLToken&);
- bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);
+ bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&, const String& replacementValue = String());
String snippetForRange(const HTMLToken&, int start, int end);
String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);