Changeset 141897 in webkit

Timestamp:

Feb 5, 2013 9:55:51 AM (11 years ago)

Author:

tonyg@chromium.org

Message:

Continue making XSSAuditor thread safe: Remove dependency on parser's sourceForToken and TextResourceDecoder
​https://bugs.webkit.org/show_bug.cgi?id=108698

Reviewed by Adam Barth.

We'd like to be able to call filterToken() from the BackgroundHTMLParser where there is no HTMLDocumentParser. So we are removing the dependencies of
filterToken() on the HTMLDocumentParser. This patch brings us one step closer to removing the m_parser member from XSSAuditor by passing in the
TextResourceDecoder and HTMLSourceTracker to filterToken. To keep the number of parameters from blowing up, this introduces a FilterTokenRequest struct
to hold its arguments. We expect to add one more member to this struct.

No new tests because no new functionality.

• html/parser/HTMLDocumentParser.cpp:

(WebCore::HTMLDocumentParser::pumpTokenizer):

• html/parser/HTMLDocumentParser.h:
• html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::filterToken):
(WebCore::XSSAuditor::filterStartToken):
(WebCore::XSSAuditor::filterCharacterToken):
(WebCore::XSSAuditor::filterScriptToken):
(WebCore::XSSAuditor::filterObjectToken):
(WebCore::XSSAuditor::filterParamToken):
(WebCore::XSSAuditor::filterEmbedToken):
(WebCore::XSSAuditor::filterAppletToken):
(WebCore::XSSAuditor::filterIframeToken):
(WebCore::XSSAuditor::filterMetaToken):
(WebCore::XSSAuditor::filterBaseToken):
(WebCore::XSSAuditor::filterFormToken):
(WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):
(WebCore::XSSAuditor::eraseAttributeIfInjected):
(WebCore::XSSAuditor::decodedSnippetForName):
(WebCore::XSSAuditor::decodedSnippetForAttribute):
(WebCore::XSSAuditor::decodedSnippetForJavaScript):

• html/parser/XSSAuditor.h:

(WebCore):
(WebCore::FilterTokenRequest::FilterTokenRequest):
(FilterTokenRequest):
(XSSAuditor):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/HTMLDocumentParser.cpp (modified) (2 diffs)
• html/parser/HTMLDocumentParser.h (modified) (1 diff)
• html/parser/XSSAuditor.cpp (modified) (12 diffs)
• html/parser/XSSAuditor.h (modified) (3 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-05  Tony Gentilcore  <tonyg@chromium.org>
+
+        Continue making XSSAuditor thread safe: Remove dependency on parser's sourceForToken and TextResourceDecoder
+        https://bugs.webkit.org/show_bug.cgi?id=108698
+
+        Reviewed by Adam Barth.
+
+        We'd like to be able to call filterToken() from the BackgroundHTMLParser where there is no HTMLDocumentParser. So we are removing the dependencies of
+        filterToken() on the HTMLDocumentParser. This patch brings us one step closer to removing the m_parser member from XSSAuditor by passing in the
+        TextResourceDecoder and HTMLSourceTracker to filterToken. To keep the number of parameters from blowing up, this introduces a FilterTokenRequest struct
+        to hold its arguments. We expect to add one more member to this struct.
+
+
+        No new tests because no new functionality.
+
+        * html/parser/HTMLDocumentParser.cpp:
+        (WebCore::HTMLDocumentParser::pumpTokenizer):
+        * html/parser/HTMLDocumentParser.h:
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::filterToken):
+        (WebCore::XSSAuditor::filterStartToken):
+        (WebCore::XSSAuditor::filterCharacterToken):
+        (WebCore::XSSAuditor::filterScriptToken):
+        (WebCore::XSSAuditor::filterObjectToken):
+        (WebCore::XSSAuditor::filterParamToken):
+        (WebCore::XSSAuditor::filterEmbedToken):
+        (WebCore::XSSAuditor::filterAppletToken):
+        (WebCore::XSSAuditor::filterIframeToken):
+        (WebCore::XSSAuditor::filterMetaToken):
+        (WebCore::XSSAuditor::filterBaseToken):
+        (WebCore::XSSAuditor::filterFormToken):
+        (WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):
+        (WebCore::XSSAuditor::eraseAttributeIfInjected):
+        (WebCore::XSSAuditor::decodedSnippetForName):
+        (WebCore::XSSAuditor::decodedSnippetForAttribute):
+        (WebCore::XSSAuditor::decodedSnippetForJavaScript):
+        * html/parser/XSSAuditor.h:
+        (WebCore):
+        (WebCore::FilterTokenRequest::FilterTokenRequest):
+        (FilterTokenRequest):
+        (XSSAuditor):
+
 2013-02-05  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
 

trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp

@@ -379 +379 @@
             // We do not XSS filter innerHTML, which means we (intentionally) fail
             // http/tests/security/xssAuditor/dom-write-innerHTML.html
-            OwnPtr<DidBlockScriptRequest> request = m_xssAuditor.filterToken(token());
+            OwnPtr<DidBlockScriptRequest> request = m_xssAuditor.filterToken(FilterTokenRequest(token(), m_sourceTracker, document()->decoder()));
             if (request)
                 m_xssAuditorDelegate.didBlockScript(request.release());
@@ -666 +666 @@
 }
 
-String HTMLDocumentParser::sourceForToken(const HTMLToken& token)
-{
-    return m_sourceTracker.sourceForToken(token);
-}
-
 OrdinalNumber HTMLDocumentParser::lineNumber() const
 {

trunk/Source/WebCore/html/parser/HTMLDocumentParser.h

@@ -76 +76 @@
 
     HTMLTokenizer* tokenizer() const { return m_tokenizer.get(); }
-    String sourceForToken(const HTMLToken&);
 
     virtual TextPosition textPosition() const;

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -279 +279 @@
 }
 
-PassOwnPtr<DidBlockScriptRequest> XSSAuditor::filterToken(HTMLToken& token)
+PassOwnPtr<DidBlockScriptRequest> XSSAuditor::filterToken(const FilterTokenRequest& request)
 {
     ASSERT(m_state == Initialized);
@@ -286 +286 @@
 
     bool didBlockScript = false;
-    if (token.type() == HTMLTokenTypes::StartTag)
-        didBlockScript = filterStartToken(token);
+    if (request.token.type() == HTMLTokenTypes::StartTag)
+        didBlockScript = filterStartToken(request);
     else if (m_scriptTagNestingLevel) {
-        if (token.type() == HTMLTokenTypes::Character)
-            didBlockScript = filterCharacterToken(token);
-        else if (token.type() == HTMLTokenTypes::EndTag)
-            filterEndToken(token);
+        if (request.token.type() == HTMLTokenTypes::Character)
+            didBlockScript = filterCharacterToken(request);
+        else if (request.token.type() == HTMLTokenTypes::EndTag)
+            filterEndToken(request.token);
     }
 
     if (didBlockScript) {
         bool didBlockEntirePage = (m_xssProtection == XSSProtectionBlockEnabled);
-        OwnPtr<DidBlockScriptRequest> request = DidBlockScriptRequest::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
+        OwnPtr<DidBlockScriptRequest> didBlockScriptRequest = DidBlockScriptRequest::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
         if (!m_reportURL.isEmpty()) {
             m_reportURL = KURL();
@@ -303 +303 @@
             m_originalHTTPBody = String();
         }
-        return request.release();
+        return didBlockScriptRequest.release();
     }
     return nullptr;
 }
 
-bool XSSAuditor::filterStartToken(HTMLToken& token)
-{
-    bool didBlockScript = eraseDangerousAttributesIfInjected(token);
-
-    if (hasName(token, scriptTag)) {
-        didBlockScript |= filterScriptToken(token);
+bool XSSAuditor::filterStartToken(const FilterTokenRequest& request)
+{
+    bool didBlockScript = eraseDangerousAttributesIfInjected(request);
+
+    if (hasName(request.token, scriptTag)) {
+        didBlockScript |= filterScriptToken(request);
         ASSERT(m_shouldAllowCDATA || !m_scriptTagNestingLevel);
         m_scriptTagNestingLevel++;
-    } else if (hasName(token, objectTag))
-        didBlockScript |= filterObjectToken(token);
-    else if (hasName(token, paramTag))
-        didBlockScript |= filterParamToken(token);
-    else if (hasName(token, embedTag))
-        didBlockScript |= filterEmbedToken(token);
-    else if (hasName(token, appletTag))
-        didBlockScript |= filterAppletToken(token);
-    else if (hasName(token, iframeTag))
-        didBlockScript |= filterIframeToken(token);
-    else if (hasName(token, metaTag))
-        didBlockScript |= filterMetaToken(token);
-    else if (hasName(token, baseTag))
-        didBlockScript |= filterBaseToken(token);
-    else if (hasName(token, formTag))
-        didBlockScript |= filterFormToken(token);
+    } else if (hasName(request.token, objectTag))
+        didBlockScript |= filterObjectToken(request);
+    else if (hasName(request.token, paramTag))
+        didBlockScript |= filterParamToken(request);
+    else if (hasName(request.token, embedTag))
+        didBlockScript |= filterEmbedToken(request);
+    else if (hasName(request.token, appletTag))
+        didBlockScript |= filterAppletToken(request);
+    else if (hasName(request.token, iframeTag))
+        didBlockScript |= filterIframeToken(request);
+    else if (hasName(request.token, metaTag))
+        didBlockScript |= filterMetaToken(request);
+    else if (hasName(request.token, baseTag))
+        didBlockScript |= filterBaseToken(request);
+    else if (hasName(request.token, formTag))
+        didBlockScript |= filterFormToken(request);
 
     return didBlockScript;
@@ -345 +345 @@
 }
 
-bool XSSAuditor::filterCharacterToken(HTMLToken& token)
+bool XSSAuditor::filterCharacterToken(const FilterTokenRequest& request)
 {
     ASSERT(m_scriptTagNestingLevel);
-    if (isContainedInRequest(m_cachedDecodedSnippet) && isContainedInRequest(decodedSnippetForJavaScript(token))) {
-        token.eraseCharacters();
-        token.appendToCharacter(' '); // Technically, character tokens can't be empty.
+    if (isContainedInRequest(m_cachedDecodedSnippet) && isContainedInRequest(decodedSnippetForJavaScript(request))) {
+        request.token.eraseCharacters();
+        request.token.appendToCharacter(' '); // Technically, character tokens can't be empty.
         return true;
     }
@@ -356 +356 @@
 }
 
-bool XSSAuditor::filterScriptToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, scriptTag));
-
-    m_cachedDecodedSnippet = decodedSnippetForName(token);
+bool XSSAuditor::filterScriptToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, scriptTag));
+
+    m_cachedDecodedSnippet = decodedSnippetForName(request);
     m_shouldAllowCDATA = m_parser->tokenizer()->shouldAllowCDATA();
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(token))) {
-        didBlockScript |= eraseAttributeIfInjected(token, srcAttr, blankURL().string(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, XLinkNames::hrefAttr, blankURL().string(), SrcLikeAttribute);
+    if (isContainedInRequest(decodedSnippetForName(request))) {
+        didBlockScript |= eraseAttributeIfInjected(request, srcAttr, blankURL().string(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, XLinkNames::hrefAttr, blankURL().string(), SrcLikeAttribute);
     }
 
@@ -373 +373 @@
 }
 
-bool XSSAuditor::filterObjectToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, objectTag));
+bool XSSAuditor::filterObjectToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, objectTag));
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(token))) {
-        didBlockScript |= eraseAttributeIfInjected(token, dataAttr, blankURL().string(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, typeAttr);
-        didBlockScript |= eraseAttributeIfInjected(token, classidAttr);
+    if (isContainedInRequest(decodedSnippetForName(request))) {
+        didBlockScript |= eraseAttributeIfInjected(request, dataAttr, blankURL().string(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, typeAttr);
+        didBlockScript |= eraseAttributeIfInjected(request, classidAttr);
     }
     return didBlockScript;
 }
 
-bool XSSAuditor::filterParamToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, paramTag));
+bool XSSAuditor::filterParamToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, paramTag));
 
     size_t indexOfNameAttribute;
-    if (!findAttributeWithName(token, nameAttr, indexOfNameAttribute))
+    if (!findAttributeWithName(request.token, nameAttr, indexOfNameAttribute))
         return false;
 
-    const HTMLToken::Attribute& nameAttribute = token.attributes().at(indexOfNameAttribute);
+    const HTMLToken::Attribute& nameAttribute = request.token.attributes().at(indexOfNameAttribute);
     String name = String(nameAttribute.m_value.data(), nameAttribute.m_value.size());
 
@@ -402 +402 @@
         return false;
 
-    return eraseAttributeIfInjected(token, valueAttr, blankURL().string(), SrcLikeAttribute);
-}
-
-bool XSSAuditor::filterEmbedToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, embedTag));
+    return eraseAttributeIfInjected(request, valueAttr, blankURL().string(), SrcLikeAttribute);
+}
+
+bool XSSAuditor::filterEmbedToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, embedTag));
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(token))) {
-        didBlockScript |= eraseAttributeIfInjected(token, codeAttr, String(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, srcAttr, blankURL().string(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, typeAttr);
+    if (isContainedInRequest(decodedSnippetForName(request))) {
+        didBlockScript |= eraseAttributeIfInjected(request, codeAttr, String(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, srcAttr, blankURL().string(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, typeAttr);
     }
     return didBlockScript;
 }
 
-bool XSSAuditor::filterAppletToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, appletTag));
+bool XSSAuditor::filterAppletToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, appletTag));
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(token))) {
-        didBlockScript |= eraseAttributeIfInjected(token, codeAttr, String(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, objectAttr);
+    if (isContainedInRequest(decodedSnippetForName(request))) {
+        didBlockScript |= eraseAttributeIfInjected(request, codeAttr, String(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, objectAttr);
     }
     return didBlockScript;
 }
 
-bool XSSAuditor::filterIframeToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, iframeTag));
+bool XSSAuditor::filterIframeToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, iframeTag));
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(token))) {
-        didBlockScript |= eraseAttributeIfInjected(token, srcAttr, String(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(token, srcdocAttr, String(), ScriptLikeAttribute);
+    if (isContainedInRequest(decodedSnippetForName(request))) {
+        didBlockScript |= eraseAttributeIfInjected(request, srcAttr, String(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(request, srcdocAttr, String(), ScriptLikeAttribute);
     }
     return didBlockScript;
 }
 
-bool XSSAuditor::filterMetaToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, metaTag));
-
-    return eraseAttributeIfInjected(token, http_equivAttr);
-}
-
-bool XSSAuditor::filterBaseToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, baseTag));
-
-    return eraseAttributeIfInjected(token, hrefAttr);
-}
-
-bool XSSAuditor::filterFormToken(HTMLToken& token)
-{
-    ASSERT(token.type() == HTMLTokenTypes::StartTag);
-    ASSERT(hasName(token, formTag));
-
-    return eraseAttributeIfInjected(token, actionAttr, blankURL().string());
-}
-
-bool XSSAuditor::eraseDangerousAttributesIfInjected(HTMLToken& token)
+bool XSSAuditor::filterMetaToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, metaTag));
+
+    return eraseAttributeIfInjected(request, http_equivAttr);
+}
+
+bool XSSAuditor::filterBaseToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, baseTag));
+
+    return eraseAttributeIfInjected(request, hrefAttr);
+}
+
+bool XSSAuditor::filterFormToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLTokenTypes::StartTag);
+    ASSERT(hasName(request.token, formTag));
+
+    return eraseAttributeIfInjected(request, actionAttr, blankURL().string());
+}
+
+bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& request)
 {
     DEFINE_STATIC_LOCAL(String, safeJavaScriptURL, (ASCIILiteral("javascript:void(0)")));
 
     bool didBlockScript = false;
-    for (size_t i = 0; i < token.attributes().size(); ++i) {
-        const HTMLToken::Attribute& attribute = token.attributes().at(i);
+    for (size_t i = 0; i < request.token.attributes().size(); ++i) {
+        const HTMLToken::Attribute& attribute = request.token.attributes().at(i);
         bool isInlineEventHandler = isNameOfInlineEventHandler(attribute.m_name);
         bool valueContainsJavaScriptURL = !isInlineEventHandler && protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.m_value.data(), attribute.m_value.size())));
         if (!isInlineEventHandler && !valueContainsJavaScriptURL)
             continue;
-        if (!isContainedInRequest(decodedSnippetForAttribute(token, attribute, ScriptLikeAttribute)))
+        if (!isContainedInRequest(decodedSnippetForAttribute(request, attribute, ScriptLikeAttribute)))
             continue;
-        token.eraseValueOfAttribute(i);
+        request.token.eraseValueOfAttribute(i);
         if (valueContainsJavaScriptURL)
-            token.appendToAttributeValue(i, safeJavaScriptURL);
+            request.token.appendToAttributeValue(i, safeJavaScriptURL);
         didBlockScript = true;
     }
@@ -490 +490 @@
 }
 
-bool XSSAuditor::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName, const String& replacementValue, AttributeKind treatment)
+bool XSSAuditor::eraseAttributeIfInjected(const FilterTokenRequest& request, const QualifiedName& attributeName, const String& replacementValue, AttributeKind treatment)
 {
     size_t indexOfAttribute = 0;
-    if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
-        const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
-        if (isContainedInRequest(decodedSnippetForAttribute(token, attribute, treatment))) {
+    if (findAttributeWithName(request.token, attributeName, indexOfAttribute)) {
+        const HTMLToken::Attribute& attribute = request.token.attributes().at(indexOfAttribute);
+        if (isContainedInRequest(decodedSnippetForAttribute(request, attribute, treatment))) {
             if (threadSafeMatch(attributeName, srcAttr) && isLikelySafeResource(String(attribute.m_value.data(), attribute.m_value.size())))
                 return false;
             if (threadSafeMatch(attributeName, http_equivAttr) && !isDangerousHTTPEquiv(String(attribute.m_value.data(), attribute.m_value.size())))
                 return false;
-            token.eraseValueOfAttribute(indexOfAttribute);
+            request.token.eraseValueOfAttribute(indexOfAttribute);
             if (!replacementValue.isEmpty())
-                token.appendToAttributeValue(indexOfAttribute, replacementValue);
+                request.token.appendToAttributeValue(indexOfAttribute, replacementValue);
             return true;
         }
@@ -509 +509 @@
 }
 
-String XSSAuditor::decodedSnippetForName(const HTMLToken& token)
+String XSSAuditor::decodedSnippetForName(const FilterTokenRequest& request)
 {
     // Grab a fixed number of characters equal to the length of the token's name plus one (to account for the "<").
-    return fullyDecodeString(m_parser->sourceForToken(token), m_parser->document()->decoder()).substring(0, token.name().size() + 1);
-}
-
-String XSSAuditor::decodedSnippetForAttribute(const HTMLToken& token, const HTMLToken::Attribute& attribute, AttributeKind treatment)
+    return fullyDecodeString(request.sourceTracker.sourceForToken(request.token), request.decoder).substring(0, request.token.name().size() + 1);
+}
+
+String XSSAuditor::decodedSnippetForAttribute(const FilterTokenRequest& request, const HTMLToken::Attribute& attribute, AttributeKind treatment)
 {
     // The range doesn't inlcude the character which terminates the value. So,
@@ -521 +521 @@
     // unquoted input of |name=value |, the snippet is |name=value|.
     // FIXME: We should grab one character before the name also.
-    int start = attribute.m_nameRange.m_start - token.startIndex();
-    int end = attribute.m_valueRange.m_end - token.startIndex();
-    String decodedSnippet = fullyDecodeString(m_parser->sourceForToken(token).substring(start, end - start), m_parser->document()->decoder());
+    int start = attribute.m_nameRange.m_start - request.token.startIndex();
+    int end = attribute.m_valueRange.m_end - request.token.startIndex();
+    String decodedSnippet = fullyDecodeString(request.sourceTracker.sourceForToken(request.token).substring(start, end - start), request.decoder);
     decodedSnippet.truncate(kMaximumFragmentLengthTarget);
     if (treatment == SrcLikeAttribute) {
@@ -574 +574 @@
 }
 
-String XSSAuditor::decodedSnippetForJavaScript(const HTMLToken& token)
-{
-    String string = m_parser->sourceForToken(token);
+String XSSAuditor::decodedSnippetForJavaScript(const FilterTokenRequest& request)
+{
+    String string = request.sourceTracker.sourceForToken(request.token);
     size_t startPosition = 0;
     size_t endPosition = string.length();
@@ -631 +631 @@
         }
 
-        result = fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), m_parser->document()->decoder());
+        result = fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), request.decoder);
         startPosition = foundPosition + 1;
     }

trunk/Source/WebCore/html/parser/XSSAuditor.h

@@ -37 +37 @@
 class Document;
 class HTMLDocumentParser;
+class HTMLSourceTracker;
+class TextResourceDecoder;
+
+struct FilterTokenRequest {
+    FilterTokenRequest(HTMLToken& token, HTMLSourceTracker& sourceTracker, const TextResourceDecoder* decoder)
+        : token(token)
+        , sourceTracker(sourceTracker)
+        , decoder(decoder)
+    { }
+
+    HTMLToken& token;
+    HTMLSourceTracker& sourceTracker;
+    const TextResourceDecoder* decoder;
+};
 
 class XSSAuditor {
@@ -44 +58 @@
 
     void init(Document*);
-    PassOwnPtr<DidBlockScriptRequest> filterToken(HTMLToken&);
+    PassOwnPtr<DidBlockScriptRequest> filterToken(const FilterTokenRequest&);
 
 private:
@@ -60 +74 @@
     };
 
-    bool filterStartToken(HTMLToken&);
+    bool filterStartToken(const FilterTokenRequest&);
     void filterEndToken(HTMLToken&);
-    bool filterCharacterToken(HTMLToken&);
-    bool filterScriptToken(HTMLToken&);
-    bool filterObjectToken(HTMLToken&);
-    bool filterParamToken(HTMLToken&);
-    bool filterEmbedToken(HTMLToken&);
-    bool filterAppletToken(HTMLToken&);
-    bool filterIframeToken(HTMLToken&);
-    bool filterMetaToken(HTMLToken&);
-    bool filterBaseToken(HTMLToken&);
-    bool filterFormToken(HTMLToken&);
+    bool filterCharacterToken(const FilterTokenRequest&);
+    bool filterScriptToken(const FilterTokenRequest&);
+    bool filterObjectToken(const FilterTokenRequest&);
+    bool filterParamToken(const FilterTokenRequest&);
+    bool filterEmbedToken(const FilterTokenRequest&);
+    bool filterAppletToken(const FilterTokenRequest&);
+    bool filterIframeToken(const FilterTokenRequest&);
+    bool filterMetaToken(const FilterTokenRequest&);
+    bool filterBaseToken(const FilterTokenRequest&);
+    bool filterFormToken(const FilterTokenRequest&);
 
-    bool eraseDangerousAttributesIfInjected(HTMLToken&);
-    bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&, const String& replacementValue = String(), AttributeKind treatment = NormalAttribute);
+    bool eraseDangerousAttributesIfInjected(const FilterTokenRequest&);
+    bool eraseAttributeIfInjected(const FilterTokenRequest&, const QualifiedName&, const String& replacementValue = String(), AttributeKind treatment = NormalAttribute);
 
     String decodedSnippetForToken(const HTMLToken&);
-    String decodedSnippetForName(const HTMLToken&);
-    String decodedSnippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&, AttributeKind treatment = NormalAttribute);
-    String decodedSnippetForJavaScript(const HTMLToken&);
+    String decodedSnippetForName(const FilterTokenRequest&);
+    String decodedSnippetForAttribute(const FilterTokenRequest&, const HTMLToken::Attribute&, AttributeKind treatment = NormalAttribute);
+    String decodedSnippetForJavaScript(const FilterTokenRequest&);
 
     bool isContainedInRequest(const String&);