[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

abarth at webkit.org abarth at webkit.org
Mon Feb 21 00:18:37 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit 62d3c6c1d01c723ff8d88a6a15e55a0f4a37754d
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 29 09:17:55 2011 +0000

    2011-01-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Daniel Bates.
    
            XSSFilter should pass 16 of the xssAuditor/script-tag* tests
            https://bugs.webkit.org/show_bug.cgi?id=53362
    
            Turns out we need to replace the src attribute of script tags with
            about:blank to avoid loading the main document URL as a script.  Also,
            move misplaced return statement that was triggering the console message
            too often.
    
            * html/parser/HTMLToken.h:
            (WebCore::HTMLToken::appendToAttributeValue):
            * html/parser/XSSFilter.cpp:
            (WebCore::XSSFilter::filterScriptToken):
            (WebCore::XSSFilter::eraseAttributeIfInjected):
            * html/parser/XSSFilter.h:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77057 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 7e4096d..f2930eb 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2011-01-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        XSSFilter should pass 16 of the xssAuditor/script-tag* tests
+        https://bugs.webkit.org/show_bug.cgi?id=53362
+
+        Turns out we need to replace the src attribute of script tags with
+        about:blank to avoid loading the main document URL as a script.  Also,
+        move misplaced return statement that was triggering the console message
+        too often.
+
+        * html/parser/HTMLToken.h:
+        (WebCore::HTMLToken::appendToAttributeValue):
+        * html/parser/XSSFilter.cpp:
+        (WebCore::XSSFilter::filterScriptToken):
+        (WebCore::XSSFilter::eraseAttributeIfInjected):
+        * html/parser/XSSFilter.h:
+
 2011-01-28  Jon Honeycutt  <jhoneycutt at apple.com>
 
         Downloads in WK2 on Windows should write resume data to bundle
diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
index ccbcdfd..aa16ab2 100644
--- a/Source/WebCore/html/parser/HTMLToken.h
+++ b/Source/WebCore/html/parser/HTMLToken.h
@@ -220,6 +220,13 @@ public:
         m_currentAttribute->m_value.append(character);
     }
 
+    void appendToAttributeValue(size_t i, const String& value)
+    {
+        ASSERT(!value.isEmpty());
+        ASSERT(m_type == StartTag || m_type == EndTag);
+        m_attributes[i].m_value.append(value.characters(), value.length());
+    }
+
     Type type() const { return m_type; }
 
     bool selfClosing() const
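Review bot: The new `appendToAttributeValue(size_t i, const String& value)` indexes `m_attributes[i]` directly with no range check, and unlike the single-character overload just above it (which appends to `m_currentAttribute`) it lets the caller pick the slot; the only guards are ASSERTs, which are compiled out of release builds, so correctness rests on callers passing an index obtained from the token's own attribute list. A precondition comment would make that contract explicit: `// i must be a valid index into m_attributes (e.g. from a prior attribute lookup); it is not bounds-checked here.` For the same reason `ASSERT(!value.isEmpty())` documents intent rather than enforcing it, which is presumably why the caller in XSSFilter.cpp keeps its own `isEmpty()` test before calling this.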
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index b2771a0..f43cf0e 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -179,7 +179,7 @@ bool XSSFilter::filterScriptToken(HTMLToken& token)
     ASSERT(token.type() == HTMLToken::StartTag);
     ASSERT(hasName(token, scriptTag));
 
-    if (eraseAttributeIfInjected(token, srcAttr))
+    if (eraseAttributeIfInjected(token, srcAttr, blankURL().string()))
         return true;
 
     m_state = AfterScriptStartTag;
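Review bot: The reason the injected `src` is replaced with `blankURL().string()` instead of simply being erased lives only in the commit message; a reader of this line cannot tell why an empty value would be unsafe. A why-comment above the call would preserve that: `// Replace rather than just erase: an empty src resolves against the document URL and would load the page itself as a script.` filterScriptToken's body continues outside the hunk.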
@@ -263,14 +263,17 @@ bool XSSFilter::eraseInlineEventHandlersIfInjected(HTMLToken& token)
     return didBlockScript;
 }
 
-bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName)
+bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName, const String& replacementValue)
 {
     size_t indexOfAttribute;
     if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
         const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
-        if (isContainedInRequest(snippetForAttribute(token, attribute)))
+        if (isContainedInRequest(snippetForAttribute(token, attribute))) {
             token.eraseValueOfAttribute(indexOfAttribute);
-        return true;
+            if (!replacementValue.isEmpty())
+                token.appendToAttributeValue(indexOfAttribute, replacementValue);
+            return true;
+        }
     }
     return false;
 }
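Review bot: With the return moved inside the `isContainedInRequest` block, `eraseAttributeIfInjected` now distinguishes three outcomes (attribute absent, present but not from the request, erased and optionally replaced) while the bool only reports the last, and the new `replacementValue` parameter is undocumented; a short header comment above the definition should state that it returns true only when the attribute's value was found in the request and erased, and that a non-empty `replacementValue` is written in place of the erased value. Separately, the `const HTMLToken::Attribute& attribute` reference taken from `token.attributes()` stays in scope across `eraseValueOfAttribute` and `appendToAttributeValue`, both of which mutate the token; it is not used after the mutation, but computing the snippet into a local `String` before the `if` and letting the reference go out of scope would make that evident to the next reader.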
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index 23e04b3..b7fb4df 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -56,7 +56,7 @@ private:
     bool filterBaseToken(HTMLToken&);
 
     bool eraseInlineEventHandlersIfInjected(HTMLToken&);
-    bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);
+    bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&, const String& replacementValue = String());
 
     String snippetForRange(const HTMLToken&, int start, int end);
     String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);
