Reviewers: felix8a,
Description:
https://code.google.com/p/google-caja/issues/detail?id=1804
lexCss/sanitizeCssSelectors will not handle the following cases
correctly:
"a," or ",a" or "," -- drops comma silently
"bad[" -- throws an internal error rather than invoking
opt_onUntranslatableSelector
Please review this at https://codereview.appspot.com/11507048/
Affected files:
M src/com/google/caja/plugin/sanitizecss.js
M tests/com/google/caja/plugin/CssLexerTest.java
M tests/com/google/caja/plugin/csslexer-test.js
M tests/com/google/caja/plugin/sanitizecss_test.js
Index: src/com/google/caja/plugin/sanitizecss.js
===================================================================
--- src/com/google/caja/plugin/sanitizecss.js (revision 5500)
+++ src/com/google/caja/plugin/sanitizecss.js (working copy)
@@ -472,7 +472,7 @@
} else {
valid = false;
}
- } else if (start < end && selectors[start] === '[') {
+ } else if (start + 1 < end && selectors[start] === '[') {
++start;
var attr = selectors[start++].toLowerCase();
var atype = html4.ATTRIBS[element + '::' + attr];
@@ -560,6 +560,8 @@
} else {
break;
}
+ } else {
+ break; // Unrecognized token.
}
}
if (start !== end) { // Tokens not consumed.
Index: tests/com/google/caja/plugin/CssLexerTest.java
===================================================================
--- tests/com/google/caja/plugin/CssLexerTest.java (revision 5500)
+++ tests/com/google/caja/plugin/CssLexerTest.java (working copy)
@@ -23,7 +23,7 @@
* @author [email protected]
*/
public final class CssLexerTest extends CajaTestCase {
- public final void testHtmlSanitizer() throws Exception {
+ public final void testCssLexer() throws Exception {
RhinoTestBed.runJsUnittestFromHtml(
html(fromResource("csslexer-test.html")));
}
Index: tests/com/google/caja/plugin/csslexer-test.js
===================================================================
--- tests/com/google/caja/plugin/csslexer-test.js (revision 5500)
+++ tests/com/google/caja/plugin/csslexer-test.js (working copy)
@@ -965,3 +965,11 @@
'url("")');
jsunit.pass();
});
+
+jsunitRegister('testIssue1804', function testIssue1804() {
+ assertLexedCss(',', ',');
+ assertLexedCss('a,', 'a', ',');
+ assertLexedCss(',a', ',', 'a');
+ assertLexedCss('bad[ ]', 'bad', '[', ' ', ']');
+ jsunit.pass();
+});
Index: tests/com/google/caja/plugin/sanitizecss_test.js
===================================================================
--- tests/com/google/caja/plugin/sanitizecss_test.js (revision 5500)
+++ tests/com/google/caja/plugin/sanitizecss_test.js (working copy)
@@ -363,3 +363,11 @@
log);
jsunit.pass();
});
+
+jsunitRegister('testIssue1804', function testIssue1804() {
+ assertSelector("a,", "sfx", [[".sfx a"], []]);
+ assertSelector(",a", "sfx", [[".sfx a"], []]);
+ assertSelector(",", "sfx", [[], []]);
+ assertSelector("a[", "sfx", [[], []]);
+ jsunit.pass();
+});
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
