Title: [96440] trunk
Revision: 96440
Author: isher...@chromium.org
Date: 2011-09-30 17:25:09 -0700 (Fri, 30 Sep 2011)
Log Message
Fix assertion failure in XSS Auditor
https://bugs.webkit.org/show_bug.cgi?id=69050
https://code.google.com/p/chromium/issues/detail?id=97346
Reviewed by Daniel Bates.
Source/WebCore:
Test: fast/forms/xss-auditor-doesnt-crash.html
* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::init): Don't try to decode the HTML body if it is empty.
LayoutTests:
* fast/forms/xss-auditor-doesnt-crash-expected.txt: Added.
* fast/forms/xss-auditor-doesnt-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (96439 => 96440)
--- trunk/LayoutTests/ChangeLog 2011-10-01 00:16:48 UTC (rev 96439)
+++ trunk/LayoutTests/ChangeLog 2011-10-01 00:25:09 UTC (rev 96440)
@@ -1,3 +1,14 @@
+2011-09-30 Ilya Sherman <isher...@chromium.org>
+
+ Fix assertion failure in XSS Auditor
+ https://bugs.webkit.org/show_bug.cgi?id=69050
+ https://code.google.com/p/chromium/issues/detail?id=97346
+
+ Reviewed by Daniel Bates.
+
+ * fast/forms/xss-auditor-doesnt-crash-expected.txt: Added.
+ * fast/forms/xss-auditor-doesnt-crash.html: Added.
+
2011-09-30 Sam Weinig <s...@webkit.org>
Add support for eventSender.mouseScrollBy in WTR
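Review bot: the file names in this entry do not match the files the revision adds: the entry lists `fast/forms/xss-auditor-doesnt-crash-expected.txt` and `fast/forms/xss-auditor-doesnt-crash.html`, but the paths added below are `xss-auditor-doesnt-crash-on-post-submit-expected.txt` and `xss-auditor-doesnt-crash-on-post-submit.html`. Update the entry (and the `Test:` line in the Source/WebCore ChangeLog, which has the same stale name) so the ChangeLog points at the test that actually exists.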
Added: trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit-expected.txt (0 => 96440)
--- trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit-expected.txt 2011-10-01 00:25:09 UTC (rev 96440)
@@ -0,0 +1,4 @@
+This tests that no assertions are thrown when POST submitting a form.
+
+PASS No assertions raised.
+
Added: trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit.html (0 => 96440)
--- trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit.html (rev 0)
+++ trunk/LayoutTests/fast/forms/xss-auditor-doesnt-crash-on-post-submit.html 2011-10-01 00:25:09 UTC (rev 96440)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script>
+ function test() {
+ if (document.location.hash !== '#submitted') {
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true)
+ layoutTestController.waitUntilDone();
+ }
+
+ var form = document.getElementById('form');
+ // Shouldn't trigger any assertions.
+ form.submit();
+ } else {
+ testPassed('No assertions raised.');
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }
+ </script>
+</head>
+<body _onload_="test()">
+ This tests that no assertions are thrown when POST submitting a form.
+ <form method="post" id="form" action=""
+ <input type="text">
+ </form>
+ <div id="console"></div>
+</body>
+</html>
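Review bot: as the test appears here it cannot reach its pass path: with `action=""` the POST never lands on a URL whose hash is `#submitted`, so the `else` branch that calls `testPassed` and `notifyDone` is dead and the test would hang after `waitUntilDone()`; `<script src=""` likewise includes nothing, so `testPassed` is undefined when that branch does run. If these attribute values were truncated in rendering, confirm the committed file has `src` pointing at a script that defines `testPassed` and an `action` ending in `#submitted`. Minor: `_onload_="test()"` is not a valid event-handler attribute name (should be `onload`), and `layoutTestController.setXSSAuditorEnabled(true)` is missing its semicolon.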
Modified: trunk/Source/WebCore/ChangeLog (96439 => 96440)
--- trunk/Source/WebCore/ChangeLog 2011-10-01 00:16:48 UTC (rev 96439)
+++ trunk/Source/WebCore/ChangeLog 2011-10-01 00:25:09 UTC (rev 96440)
@@ -1,3 +1,16 @@
+2011-09-30 Ilya Sherman <isher...@chromium.org>
+
+ Fix assertion failure in XSS Auditor
+ https://bugs.webkit.org/show_bug.cgi?id=69050
+ https://code.google.com/p/chromium/issues/detail?id=97346
+
+ Reviewed by Daniel Bates.
+
+ Test: fast/forms/xss-auditor-doesnt-crash.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::init): Don't try to decode the HTML body if it is empty.
+
2011-09-30 Maciej Stachowiak <m...@apple.com>
Loading page on potterybankids causes reproducible assertion failure in debug builds
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (96439 => 96440)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2011-10-01 00:16:48 UTC (rev 96439)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2011-10-01 00:25:09 UTC (rev 96440)
@@ -239,11 +239,13 @@
FormData* httpBody = documentLoader->originalRequest().httpBody();
if (httpBody && !httpBody->isEmpty()) {
String httpBodyAsString = httpBody->flattenToString();
- m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, decoder);
- if (m_decodedHTTPBody.find(isRequiredForInjection, 0) == notFound)
- m_decodedHTTPBody = String();
- if (m_decodedHTTPBody.length() >= miniumLengthForSuffixTree)
- m_decodedHTTPBodySuffixTree = adoptPtr(new SuffixTree<ASCIICodebook>(m_decodedHTTPBody, suffixTreeDepth));
+ if (!httpBodyAsString.isEmpty()) {
+ m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, decoder);
+ if (m_decodedHTTPBody.find(isRequiredForInjection, 0) == notFound)
+ m_decodedHTTPBody = String();
+ if (m_decodedHTTPBody.length() >= miniumLengthForSuffixTree)
+ m_decodedHTTPBodySuffixTree = adoptPtr(new SuffixTree<ASCIICodebook>(m_decodedHTTPBody, suffixTreeDepth));
+ }
}
}
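Review bot: the new `!httpBodyAsString.isEmpty()` guard reads as redundant next to the enclosing `httpBody && !httpBody->isEmpty()` check, so the reason it is needed deserves a comment: a non-empty FormData can still flatten to an empty string (a form with a single empty text field, which is what the new layout test submits), and decoding that empty string is what tripped the assertion the ChangeLog describes. Consider `// A non-empty FormData can still flatten to an empty string; don't decode it.` above the new `if`. Since these lines are being touched, the misspelled `miniumLengthForSuffixTree` on the context lines could also be renamed to `minimumLengthForSuffixTree` in a follow-up.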
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes