Changeset 18843 in webkit

Timestamp:

Jan 14, 2007 2:04:21 AM (17 years ago)

Author:

aroben

Message:

LayoutTests:

Reviewed by Maciej.

• editing/deleting/4845371.html: Removed bogus "Javascript" type.
• editing/selection/4397952.html: Ditto.
• fast/html/script-allowed-types-languages-expected.txt: Added.
• fast/html/script-allowed-types-languages.html: Added. Tests type/language whitelisting.

WebCore:

Reviewed by Maciej.

Make sure our whitelisting of the type and language attributes of the
<script> element is enforced in all HTMLTokenizer/HTMLScriptElement
code paths.

All layout tests pass.

• html/HTMLScriptElement.cpp: (WebCore::HTMLScriptElement::shouldExecuteAsJavaScript): New method to determine whether the script should be executed, given its type and language attributes. (WebCore::HTMLScriptElement::evaluateScript): Check type/language before executing.
• html/HTMLScriptElement.h: Added new declarations.
• html/HTMLTokenizer.cpp: (WebCore::HTMLTokenizer::begin): Made scriptSrc a String. (WebCore::HTMLTokenizer::scriptHandler): Check shouldExecuteAsJavaScript before executing. (WebCore::HTMLTokenizer::notifyFinished): Ditto. (WebCore::HTMLTokenizer::parseTag): Moved type/language checking from here to HTMLScriptElement::shouldExecuteAsJavaScript.
• html/HTMLTokenizer.h: Made scriptSrc a String, and removed the javascript member.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/deleting/4845371.html (modified) (1 diff)
• LayoutTests/editing/selection/4397952.html (modified) (1 diff)
• LayoutTests/fast/html/script-allowed-types-languages-expected.txt (added)
• LayoutTests/fast/html/script-allowed-types-languages.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/html/HTMLScriptElement.cpp (modified) (2 diffs)
• WebCore/html/HTMLScriptElement.h (modified) (2 diffs)
• WebCore/html/HTMLTokenizer.cpp (modified) (9 diffs)
• WebCore/html/HTMLTokenizer.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2007-01-14  Adam Roben  <aroben@apple.com>
+
+        Reviewed by Maciej.
+
+        * editing/deleting/4845371.html: Removed bogus "Javascript" type.
+        * editing/selection/4397952.html: Ditto.
+        * fast/html/script-allowed-types-languages-expected.txt: Added.
+        * fast/html/script-allowed-types-languages.html: Added. Tests
+        type/language whitelisting.
+
 2007-01-14  Mark Rowe  <mrowe@apple.com>
 

trunk/LayoutTests/editing/deleting/4845371.html

@@ -2 +2 @@
 <div id="div" contenteditable="true"><table><tr><td>foo <a href="http://www.google.com/">bar</a></td><td>baz</td></tr></table></div>
 
-<script type="Javascript" src="../editing.js"></script>
+<script src="../editing.js"></script>
 <script>
 runEditingTest();

trunk/LayoutTests/editing/selection/4397952.html

@@ -4 +4 @@
 </div>
 
-<script type="Javascript" src="../editing.js"></script>
+<script src="../editing.js"></script>
 <script>
 runEditingTest();

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-01-14  Adam Roben  <aroben@apple.com>
+
+        Reviewed by Maciej.
+
+        Make sure our whitelisting of the type and language attributes of the
+        <script> element is enforced in all HTMLTokenizer/HTMLScriptElement
+        code paths.
+
+        All layout tests pass.
+
+        * html/HTMLScriptElement.cpp:
+        (WebCore::HTMLScriptElement::shouldExecuteAsJavaScript): New method to
+        determine whether the script should be executed, given its type and
+        language attributes.
+        (WebCore::HTMLScriptElement::evaluateScript): Check type/language
+        before executing.
+        * html/HTMLScriptElement.h: Added new declarations.
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::begin): Made scriptSrc a String. 
+        (WebCore::HTMLTokenizer::scriptHandler): Check
+        shouldExecuteAsJavaScript before executing.
+        (WebCore::HTMLTokenizer::notifyFinished): Ditto.
+        (WebCore::HTMLTokenizer::parseTag): Moved type/language checking from
+        here to HTMLScriptElement::shouldExecuteAsJavaScript.
+        * html/HTMLTokenizer.h: Made scriptSrc a String, and removed the
+        javascript member.
+
 2007-01-14  David Hyatt  <hyatt@apple.com>
 

trunk/WebCore/html/HTMLScriptElement.cpp

@@ -5 +5 @@
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2003 Apple Computer, Inc.
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007 Apple Inc.
  *
  * This library is free software; you can redistribute it and/or
@@ -160 +160 @@
 }
 
+bool HTMLScriptElement::shouldExecuteAsJavaScript()
+{
+    /*
+        Mozilla 1.8 and WinIE 7 both accept text/javascript and text/ecmascript.
+        Mozilla 1.8 accepts application/javascript, application/ecmascript, and application/x-javascript, but WinIE 7 doesn't.
+        WinIE 7 accepts text/javascript1.1 - text/javascript1.3, text/jscript, and text/livescript, but Mozilla 1.8 doesn't.
+        Mozilla 1.8 allows leading and trailing whitespace, but WinIE 7 doesn't.
+        Mozilla 1.8 and WinIE 7 both accept the empty string, but neither accept a whitespace-only string.
+        We want to accept all the values that either of these browsers accept, but not other values.
+     */
+    static const AtomicString validTypes[] = {
+        "text/javascript",
+        "text/ecmascript",
+        "application/javascript",
+        "application/ecmascript",
+        "application/x-javascript",
+        "text/javascript1.1",
+        "text/javascript1.2",
+        "text/javascript1.3",
+        "text/jscript",
+        "text/livescript",
+    };
+    static const unsigned validTypesCount = sizeof(validTypes) / sizeof(validTypes[0]);
+
+    /*
+         Mozilla 1.8 accepts javascript1.0 - javascript1.7, but WinIE 7 accepts only javascript1.1 - javascript1.3.
+         Mozilla 1.8 and WinIE 7
+         WinIE 7 accepts ecmascript and jscript, but Mozilla 1.8 doesn't.
+         Neither Mozilla 1.8 nor WinIE 7 accept leading or trailing whitespace.
+         We want to accept all the values that either of these browsers accept, but not other values.
+     */
+    static const AtomicString validLanguages[] = {
+        "javascript",
+        "javascript1.0",
+        "javascript1.1",
+        "javascript1.2",
+        "javascript1.3",
+        "javascript1.4",
+        "javascript1.5",
+        "javascript1.6",
+        "javascript1.7",
+        "livescript",
+        "ecmascript",
+        "jscript"
+    };
+    static const unsigned validLanguagesCount = sizeof(validLanguages) / sizeof(validLanguages[0]); 
+
+    const AtomicString& type = getAttribute(typeAttr);
+    if (!type.isEmpty()) {
+        String lowerType = type.domString().stripWhiteSpace().lower();
+        for (unsigned i = 0; i < validTypesCount; ++i)
+            if (lowerType == validTypes[i])
+                return true;
+
+        return false;
+    }
+    
+    const AtomicString& language = getAttribute(languageAttr);
+    if (!language.isEmpty()) {
+        String lowerLanguage = language.domString().lower();
+        for (unsigned i = 0; i < validLanguagesCount; ++i)
+            if (lowerLanguage == validLanguages[i])
+                return true;
+
+        return false;
+    }
+
+    // No type or language is specified, so we assume the script to be JavaScript
+    return true;
+}
+
 void HTMLScriptElement::evaluateScript(const String& URL, const String& script)
 {
     if (m_evaluated)
+        return;
+    
+    if (!shouldExecuteAsJavaScript())
         return;
     

trunk/WebCore/html/HTMLScriptElement.h

@@ -4 +4 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
- * Copyright (C) 2003 Apple Computer, Inc.
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007 Apple Inc.
  *
  * This library is free software; you can redistribute it and/or
@@ -54 +54 @@
     virtual void closeRenderer();
 
+    bool shouldExecuteAsJavaScript();
     void evaluateScript(const String &URL, const String &script);
 

trunk/WebCore/html/HTMLTokenizer.cpp

@@ -8 +8 @@
               (C) 1999 Antti Koivisto (koivisto@kde.org)
               (C) 2001 Dirk Mueller (mueller@kde.org)
-    Copyright (C) 2004, 2005, 2006 Apple Computer, Inc.
+    Copyright (C) 2004, 2005, 2006, 2007 Apple Inc.
     Copyright (C) 2005, 2006 Alexey Proskuryakov (ap@nypop.com)
 
@@ -37 +37 @@
 #include "FrameLoader.h"
 #include "FrameView.h"
+#include "HTMLElement.h"
+#include "HTMLNames.h"
+#include "HTMLParser.h"
+#include "HTMLScriptElement.h"
 #include "HTMLViewSourceDocument.h"
-#include "HTMLElement.h"
 #include "SystemTime.h"
 #include "csshelper.h"
-#include "HTMLNames.h"
-#include "HTMLParser.h"
 #include "kjs_proxy.h"
 
@@ -227 +228 @@
     searchCount = 0;
     m_state.setEntityState(NoEntity);
-    scriptSrc = DeprecatedString::null;
+    scriptSrc = String();
     pendingSrc.clear();
     currentPrependingSrc = 0;
@@ -392 +393 @@
             } else
                 scriptNode = 0;
-            scriptSrc=DeprecatedString::null;
+            scriptSrc = String();
         } else {
 #ifdef TOKEN_DEBUG
@@ -399 +400 @@
             kdDebug( 6036 ) << "---END SCRIPT---" << endl;
 #endif
+            // Parse scriptCode containing <script> info
+            doScriptExec = static_cast<HTMLScriptElement*>(scriptNode.get())->shouldExecuteAsJavaScript();
             scriptNode = 0;
-            // Parse scriptCode containing <script> info
-            doScriptExec = true;
         }
     }
@@ -442 +443 @@
             if (!pendingScripts.isEmpty())
                 state.setLoadingExtScript(true);
-        }
-        else if (!m_fragment && doScriptExec && javascript ) {
+        } else if (!m_fragment && doScriptExec) {
             if (!m_executingScript)
                 pendingSrc.prepend(src);
@@ -1148 +1148 @@
             if (currToken.beginTag && currToken.tagName == scriptTag) {
                 Attribute* a = 0;
-                bool foundTypeAttribute = false;
-                scriptSrc = DeprecatedString::null;
+                scriptSrc = String();
                 scriptSrcCharset = String();
                 if (currToken.attrs && !m_fragment && m_doc->frame() && m_doc->frame()->settings()->isJavaScriptEnabled()) {
                     if ((a = currToken.attrs->getAttributeItem(srcAttr)))
-                        scriptSrc = m_doc->completeURL(parseURL(a->value()).deprecatedString());
+                        scriptSrc = m_doc->completeURL(parseURL(a->value()));
                     if ((a = currToken.attrs->getAttributeItem(charsetAttr)))
                         scriptSrcCharset = a->value().domString().stripWhiteSpace();
                     if (scriptSrcCharset.isEmpty())
                         scriptSrcCharset = m_doc->frame()->loader()->encoding();
-                    /* Check type before language, since language is deprecated */
-                    if ((a = currToken.attrs->getAttributeItem(typeAttr)) != 0 && !a->value().isEmpty())
-                        foundTypeAttribute = true;
-                    else
-                        a = currToken.attrs->getAttributeItem(languageAttr);
-                }
-                javascript = true;
-
-                if( foundTypeAttribute ) {
-                    /* 
-                        Mozilla 1.5 accepts application/x-javascript, and some web references claim it is the only
-                        correct variation, but WinIE 6 doesn't accept it.
-                        Neither Mozilla 1.5 nor WinIE 6 accept application/javascript, application/ecmascript, or
-                        application/x-ecmascript.
-                        Mozilla 1.5 doesn't accept the text/javascript1.x formats, but WinIE 6 does.
-                        Mozilla 1.5 doesn't accept text/jscript, text/ecmascript, and text/livescript, but WinIE 6 does.
-                        Mozilla 1.5 allows leading and trailing whitespace, but WinIE 6 doesn't.
-                        Mozilla 1.5 and WinIE 6 both accept the empty string, but neither accept a whitespace-only string.
-                        We want to accept all the values that either of these browsers accept, but not other values.
-                     */
-                    DeprecatedString type = a->value().domString().stripWhiteSpace().lower().deprecatedString();
-                    if( type.compare("application/x-javascript") != 0 &&
-                        type.compare("text/javascript") != 0 &&
-                        type.compare("text/javascript1.0") != 0 &&
-                        type.compare("text/javascript1.1") != 0 &&
-                        type.compare("text/javascript1.2") != 0 &&
-                        type.compare("text/javascript1.3") != 0 &&
-                        type.compare("text/javascript1.4") != 0 &&
-                        type.compare("text/javascript1.5") != 0 &&
-                        type.compare("text/jscript") != 0 &&
-                        type.compare("text/ecmascript") != 0 &&
-                        type.compare("text/livescript") )
-                        javascript = false;
-                } else if( a ) {
-                    /* 
-                     Mozilla 1.5 doesn't accept jscript or ecmascript, but WinIE 6 does.
-                     Mozilla 1.5 accepts javascript1.0, javascript1.4, and javascript1.5, but WinIE 6 accepts only 1.1 - 1.3.
-                     Neither Mozilla 1.5 nor WinIE 6 accept leading or trailing whitespace.
-                     We want to accept all the values that either of these browsers accept, but not other values.
-                     */
-                    String lang = a->value().domString().lower();
-                    if( lang != "" &&
-                        lang != "javascript" &&
-                        lang != "javascript1.0" &&
-                        lang != "javascript1.1" &&
-                        lang != "javascript1.2" &&
-                        lang != "javascript1.3" &&
-                        lang != "javascript1.4" &&
-                        lang != "javascript1.5" &&
-                        lang != "ecmascript" &&
-                        lang != "livescript" &&
-                        lang != "jscript")
-                        javascript = false;
                 }
             }
@@ -1701 +1647 @@
         bool errorOccurred = cs->errorOccurred();
         cs->deref(this);
-        RefPtr<Node> n = scriptNode;
-        scriptNode = 0;
+        RefPtr<Node> n = scriptNode.release();
 
 #ifdef INSTRUMENT_LAYOUT_SCHEDULING
@@ -1712 +1657 @@
             EventTargetNodeCast(n.get())->dispatchHTMLEvent(errorEvent, true, false);
         else {
-            m_state = scriptExecution(scriptSource.deprecatedString(), m_state, cachedScriptUrl);
+            if (static_cast<HTMLScriptElement*>(n.get())->shouldExecuteAsJavaScript())
+                m_state = scriptExecution(scriptSource.deprecatedString(), m_state, cachedScriptUrl);
             EventTargetNodeCast(n.get())->dispatchHTMLEvent(loadEvent, false, false);
         }

trunk/WebCore/html/HTMLTokenizer.h

@@ -297 +297 @@
     bool noMoreData;
     // URL to get source code of script from
-    DeprecatedString scriptSrc;
+    String scriptSrc;
     String scriptSrcCharset;
-    bool javascript;
     // the HTML code we will parse after the external script we are waiting for has loaded
     SegmentedString pendingSrc;