Revision: 3761
Author: [email protected]
Date: Sat Sep 26 19:00:34 2009
Log: Bug 763 : domita_test.js canonInnerHtml may be subverted
http://codereview.appspot.com/124053

From http://code.google.com/p/google-caja/issues/detail?id=763 :

   (Originally found by Mike Stay.) The regex in domita_test.js
   canonInnerHtml that says:

      new RegExp('(<\\w+)\\s+([^\\s>][^>]*)>', 'g'),

    does not match the case where there are angle brackets *inside* an
    attribute, as in:

      <div id=">">

    It seems that some browsers may get weird with escaping angle
    brackets (though Firefox 3 does the safe thing); see:

      http://groups.google.com/group/opera.beta/msg/32380d8ca64c3096

    In any case, maybe worth a look to make sure we don't get
    spuriously failing or (worse) succeeding tests when regressing on
    multiple browsers.

[email protected]

http://code.google.com/p/google-caja/source/detail?r=3761

Modified:
 /trunk/tests/com/google/caja/plugin/domita_test_untrusted.html

=======================================
--- /trunk/tests/com/google/caja/plugin/domita_test_untrusted.html Fri Sep 25 16:35:08 2009
+++ /trunk/tests/com/google/caja/plugin/domita_test_untrusted.html Sat Sep 26 19:00:34 2009
@@ -586,11 +586,12 @@
  */
 function canonInnerHtml(s) {
   // Sort attributes.
-  var htmlAttribute = new RegExp('^\\s*(\\w+)(?:\\s*=\\s*("[^\\"]*"'
-                                 + '|\'[^\\\']*\'|[^\\\'\\"\\s>]+))?');
+  var htmlAttribute = new RegExp(
+      '\\s*(\\w+)(?:\\s*=\\s*("[^\\"]*"|\'[^\\\']*\'|[^\\\'\\"\\s>]+))?');
   var quot = new RegExp('"', 'g');
-  var htmlStartTag = new RegExp('(<\\w+)\\s+([^\\s>][^>]*)>', 'g');
-  var htmlTag = new RegExp('(<\/?)(\\w+)(\\s+[^\\s>][^>]*)?>', 'g');
+  var tagBody = '(?:"[^"]*"|\'[^\']*\'|[^>"\']+)*';
+  var htmlStartTag = new RegExp('(<\\w+)(' + tagBody + ')>', 'g');
+  var htmlTag = new RegExp('(<\/?)(\\w+)(' + tagBody + ')>', 'g');
   var ignorableWhitespace = new RegExp('^[ \\t]*(\\r\\n?|\\n)|\\s+$', 'g');
   var tagEntityOrText = new RegExp(
       '(?:(</?\\w[^>]*>|&[a-zA-Z#]|[^<&>]+)|([<&>]))', 'g');
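Review bot: The new `tagBody` pattern nests a `+` inside a `*` (the `[^>"\']+` alternative within `(?:...)*`), so a backtracking regex engine can split a `<name` followed by a long run with no closing `>` in exponentially many ways before the match fails. Dropping the inner quantifier accepts exactly the same strings without that ambiguity: `var tagBody = '(?:"[^"]*"|\'[^\']*\'|[^>"\'])*';`. The same applies to `htmlStartTag` and `htmlTag`, which both embed the pattern. Browser-serialized innerHTML normally closes its tags, so this probably only bites on malformed output, but that is the input a cross-browser canonicalizer most needs to survive.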
@@ -598,7 +599,7 @@
       htmlStartTag,
       function (_, tagStart, tagBody) {
         var attrs = [];
-        for (var m; !!tagBody && (m = tagBody.match(htmlAttribute));) {
+        for (var m; tagBody && (m = tagBody.match(htmlAttribute));) {
           var name = m[1];
           var value = m[2];
           var hasValue = value != null;
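Review bot: With the `^` dropped from `htmlAttribute` in the earlier hunk, `tagBody.match(htmlAttribute)` in this loop is unanchored, so it can skip over characters that are not part of any attribute and match further into the string. The code that advances `tagBody` lies outside this hunk; if it slices by `m[0].length` it will lose alignment whenever `m.index` is non-zero, and stray characters would be dropped from the canonical form without a test noticing. Either keep the anchor (`'^\\s*(\\w+)...'`, which still allows the leading whitespace now captured in the group) or advance by `m.index + m[0].length` and assert that the skipped prefix is empty. Separately, the callback parameter `tagBody` shadows the pattern string `var tagBody` added above; renaming the latter to something like `tagBodyPattern` would avoid confusion.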
