Context Navigation

Changeset 100588 in webkit

Timestamp:

Nov 17, 2011 2:10:14 AM (12 years ago)

Author:

apavlov@chromium.org

Message:

Web Inspector: inspector follows javascript: hrefs as relative
https://bugs.webkit.org/show_bug.cgi?id=72373

Source/WebCore:

javascript: hrefs should never be linkified for security.

Reviewed by Yury Semikhatsky.

(WebInspector.ElementsTreeElement.prototype._buildAttributeDOM):

(WebInspector.completeURL):

LayoutTests:

Reviewed by Yury Semikhatsky.

Location:

trunk

Files:

-                      r100584
+                      r100588
+-11-16  Alexander Pavlov  <apavlov@chromium.org>
+        Web Inspector: inspector follows javascript: hrefs as relative
+        https://bugs.webkit.org/show_bug.cgi?id=72373
+        Reviewed by Yury Semikhatsky.
+        * inspector/styles/styles-url-linkify-expected.txt:
+        * inspector/styles/styles-url-linkify.html:
 -11-17  Dominic Mazzoni  <dmazzoni@google.com>

-                      r90637
+                      r100588
 Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643
+Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643, 72373
 …
 http://example.com/foo?a=b
 data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=
+javascript:alert('foo');
+null
 Link for a URI from CSS document:
 webkit-html-resource-link inspector/styles/resources/fromcss.png

-                      r90567
+                      r100588
     const dataURL = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=";
     completeURL("https://example.com/foo", dataURL);
+    completeURL("http://example.com/foo", "javascript:alert('foo');");
+    InspectorTest.addResult(WebInspector.resourceURLForRelatedNode(null, " javascript:alert('foo'); "));
     function dumpHref(dumpLinkClass)
 …
 <body onload="runAfterIframeIsLoaded()">
 <p>
 Tests that URLs are linked to and completed correctly. Bugs <a href="http://bugs.webkit.org/show_bug.cgi?id=51663">51663</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=53171">53171</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=62643">62643</a>
+Tests that URLs are linked to and completed correctly. Bugs <a href="http://bugs.webkit.org/show_bug.cgi?id=51663">51663</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=53171">53171</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=62643">62643</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=72373">72373</a>
 </p>
 <div id="local"></div>

-                      r100586
+                      r100588
+-11-16  Alexander Pavlov  <apavlov@chromium.org>
+        Web Inspector: inspector follows javascript: hrefs as relative
+        https://bugs.webkit.org/show_bug.cgi?id=72373
+        javascript: hrefs should never be linkified for security.
+        Reviewed by Yury Semikhatsky.
+        * inspector/front-end/ElementsTreeOutline.js:
+        (WebInspector.ElementsTreeElement.prototype._buildAttributeDOM):
+        * inspector/front-end/ResourceUtils.js:
+        (WebInspector.completeURL):
 -11-17  Nikolas Zimmermann  <nzimmermann@rim.com>

-                      r99401
+                      r100588
             var rewrittenHref = WebInspector.resourceURLForRelatedNode(node, value);
             value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");
+            attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
+            if (rewrittenHref === null) {
+                var attrValueElement = attrSpanElement.createChild("span", "webkit-html-attribute-value");
+                attrValueElement.textContent = value;
+            } else
+                attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
         } else {
             value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");

-                      r99849
+                      r100588
+}
+/**
+ * @return {?string} null if the specified resource MUST NOT have a URL (e.g. "javascript:...")
+ */
 WebInspector.resourceURLForRelatedNode = function(node, url)
+{
     if (!url || url.indexOf("://") > 0)
         return url;
+    if (url.trim().indexOf("javascript:") === 0)
+        return null; // Do not provide a resource URL for security.
     for (var frameOwnerCandidate = node; frameOwnerCandidate; frameOwnerCandidate = frameOwnerCandidate.parentNode) {
 …
         // Return absolute URLs as-is.
         var parsedHref = href.asParsedURL();
+        if ((parsedHref && parsedHref.scheme) || href.indexOf("data:") === 0)
+        if (parsedHref && parsedHref.scheme)
+            return href;
+        // Return special URLs as-is.
+        var trimmedHref = href.trim();
+        if (trimmedHref.indexOf("data:") === 0 || trimmedHref.indexOf("javascript:") === 0)
             return href;
+    }

Note: See TracChangeset for help on using the changeset viewer.