Title: [101898] trunk
Revision
101898
Author
[email protected]
Date
2011-12-02 20:06:42 -0800 (Fri, 02 Dec 2011)

Log Message

XSSAuditor includes more terminating characters when truncating
attribute values.
https://bugs.webkit.org/show_bug.cgi?id=73684

Reviewed by Daniel Bates.

Source/WebCore:

* html/parser/XSSAuditor.cpp:
(WebCore::isTerminatingCharacter):
(WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):

LayoutTests:

* http/tests/security/xssAuditor/property-escape-comment-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment.html:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (101897 => 101898)


--- trunk/LayoutTests/ChangeLog	2011-12-03 03:50:24 UTC (rev 101897)
+++ trunk/LayoutTests/ChangeLog	2011-12-03 04:06:42 UTC (rev 101898)
@@ -1,3 +1,14 @@
+2011-12-02  Tom Sepez  <[email protected]>
+
+        XSSAuditor includes more terminating characters when truncating
+        attribute values.
+        https://bugs.webkit.org/show_bug.cgi?id=73684
+
+        Reviewed by Daniel Bates.
+
+        * http/tests/security/xssAuditor/property-escape-comment-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment.html:
+
 2011-12-02  Tony Chang  <[email protected]>
 
         Need to implement flex-flow: column-reverse

Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-expected.txt (101897 => 101898)


--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-expected.txt	2011-12-03 03:50:24 UTC (rev 101897)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-expected.txt	2011-12-03 04:06:42 UTC (rev 101898)
@@ -2,4 +2,6 @@
 
 CONSOLE MESSAGE: line 1: Refused to execute a _javascript_ script. Source code of script found within request.
 
- 
+CONSOLE MESSAGE: line 1: Refused to execute a _javascript_ script. Source code of script found within request.
+
+  

Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment.html (101897 => 101898)


--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment.html	2011-12-03 03:50:24 UTC (rev 101897)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment.html	2011-12-03 04:06:42 UTC (rev 101898)
@@ -13,5 +13,7 @@
 </iframe>
 <iframe src=""
 </iframe>
+<iframe src=""
+</iframe>
 </body>
 </html>
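Review bot: nothing in this hunk documents which terminating character the third iframe exercises; the two existing iframes read identically to the new one, so a short HTML comment above the added `<iframe` (for example noting that it covers the `<!--` case named in the ChangeLog) would let a future reader tell the three cases apart without decoding their `src` payloads.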

Modified: trunk/Source/WebCore/ChangeLog (101897 => 101898)


--- trunk/Source/WebCore/ChangeLog	2011-12-03 03:50:24 UTC (rev 101897)
+++ trunk/Source/WebCore/ChangeLog	2011-12-03 04:06:42 UTC (rev 101898)
@@ -1,3 +1,15 @@
+2011-12-02  Tom Sepez  <[email protected]>
+
+        XSSAuditor includes more terminating characters when truncating
+        attribute values.
+        https://bugs.webkit.org/show_bug.cgi?id=73684
+
+        Reviewed by Daniel Bates.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::isTerminatingCharacter):
+        (WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):
+
 2011-12-02  Tony Chang  <[email protected]>
 
         Need to implement flex-flow: column-reverse
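Review bot: the ChangeLog entry lists `isTerminatingCharacter` and `eraseDangerousAttributesIfInjected` but says nothing about what changed in them; a one-line description under each function (that `<` is now a terminating character so the snippet stops before an HTML-style `<!--` comment) would match the usual WebKit ChangeLog convention and spare readers a trip into the code comment.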

Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (101897 => 101898)


--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2011-12-03 03:50:24 UTC (rev 101897)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2011-12-03 04:06:42 UTC (rev 101898)
@@ -73,7 +73,7 @@
 
 static bool isTerminatingCharacter(UChar c) 
 {
-    return (c == '&' || c == '/' || c == '"' || c == '\'');
+    return (c == '&' || c == '/' || c == '"' || c == '\'' || c == '<');
 }
 
 static bool isHTMLQuote(UChar c)
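Review bot: `isTerminatingCharacter` has no comment explaining why each character ends the snippet, and the rationale for the new `<` (stopping before `<!--`, which scripts treat as a comment opener) lives only in the caller's comment in `eraseDangerousAttributesIfInjected` several hundred lines later; a one-line comment here such as `// '<' covers HTML-style <!-- comments in script` keeps the two in step when the next character is added. Note also that stopping on every `<`, not only `<!--`, shortens the snippet and so errs toward matching the request (a block), which is the same trade-off the caller's comment already accepts for `&` and `/`.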
@@ -487,12 +487,13 @@
         // by enclosing them in a string literal terminated later by the page's own
         // closing punctuation. Since the snippet has not been parsed, the vector
         // may also try to introduce these via entities. As a result, we'd like to
-        // stop before the first "//", the first entity, or the first quote not
-        // immediately following the first equals sign (taking whitespace into
-        // consideration). To keep things simpler, we don't try to distinguish
+        // stop before the first "//", the first <!--, the first entity, or the first
+        // quote not immediately following the first equals sign (taking whitespace
+        // into consideration). To keep things simpler, we don't try to distinguish
         // between entity-introducing amperands vs. other uses, nor do we bother to
-        // check for a second slash for a comment, stoping instead on any ampersand
-        // or slash.
+        // check for a second slash for a comment, nor do we bother to check for
+        // !-- following a less-than sign. We stop instead on any ampersand
+        // slash, or less-than sign.
         String decodedSnippet = decodedSnippetForAttribute(token, attribute);
         size_t position;
         if ((position = decodedSnippet.find("=")) != notFound
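Review bot: the new comment text is missing a comma: "We stop instead on any ampersand slash, or less-than sign." should read "any ampersand, slash, or less-than sign." While touching this comment, the unchanged context line above still misspells "ampersands" as "amperands"; fixing it in the same hunk would be cheap.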
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
