Changeset 194979 in webkit

Timestamp:

Jan 13, 2016 1:20:38 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[XSS Auditor] Do not include trailing comment characters in JavaScript snippets
​https://bugs.webkit.org/show_bug.cgi?id=152873

Patch by Daniel Bates <​dabates@apple.com> on 2016-01-13
Reviewed by Brent Fulgham.

Merged from Blink (patch by Tom Sepez <​tsepez@chromium.org>):
<​https://src.chromium.org/viewvc/blink?view=rev&revision=169967>

Source/WebCore:

Test: http/tests/security/xssAuditor/script-tag-with-injected-comment.html

• html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::decodedSnippetForJavaScript):

LayoutTests:

• http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-with-injected-comment.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/XSSAuditor.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-01-13  Daniel Bates  <dabates@apple.com>
+
+        [XSS Auditor] Do not include trailing comment characters in JavaScript snippets
+        https://bugs.webkit.org/show_bug.cgi?id=152873
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?view=rev&revision=169967>
+
+        * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-injected-comment.html: Added.
+
 2016-01-13  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-01-13  Daniel Bates  <dabates@apple.com>
+
+        [XSS Auditor] Do not include trailing comment characters in JavaScript snippets
+        https://bugs.webkit.org/show_bug.cgi?id=152873
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?view=rev&revision=169967>
+
+        Test: http/tests/security/xssAuditor/script-tag-with-injected-comment.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::decodedSnippetForJavaScript):
+
 2016-01-13  Adam Bergkvist  <adam.bergkvist@ericsson.com>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -671 +671 @@
         for (foundPosition = startPosition; foundPosition < endPosition; foundPosition++) {
             if (!request.shouldAllowCDATA) {
-                if (startsSingleLineCommentAt(string, foundPosition) || startsMultiLineCommentAt(string, foundPosition)) {
-                    foundPosition += 2;
-                    break;
-                }
-                if (startsHTMLCommentAt(string, foundPosition)) {
-                    foundPosition += 4;
+                if (startsSingleLineCommentAt(string, foundPosition)
+                    || startsMultiLineCommentAt(string, foundPosition)
+                    || startsHTMLCommentAt(string, foundPosition)) {
                     break;
                 }