Changeset 194982 in webkit

Timestamp:

Jan 13, 2016 1:45:07 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

Cleanup: XSS Auditor should avoid re-evaluating the parsed script tag
​https://bugs.webkit.org/show_bug.cgi?id=152870

Patch by Daniel Bates <​dabates@apple.com> on 2016-01-13
Reviewed by Brent Fulgham.

Merged from Blink (patch by Tom Sepez <​tsepez@chromium.org>):
<​https://src.chromium.org/viewvc/blink?revision=154354&view=revision>

Although the XSS Auditor caches the decoded start tag of a script as an optimization to
avoid decoding it again when filtering the character data of the script, it is sufficient
to cache whether the HTTP response contains the decoded start tag of a script. This
avoids both decoding the start tag of a script and determining whether the HTTP response
contains it again when filtering the character data of the script. Moreover, this removes
the need to cache a string object.

• html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::filterCharacterToken):
(WebCore::XSSAuditor::filterScriptToken):

• html/parser/XSSAuditor.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/XSSAuditor.cpp (modified) (2 diffs)
• html/parser/XSSAuditor.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-01-13  Daniel Bates  <dabates@apple.com>
+
+        Cleanup: XSS Auditor should avoid re-evaluating the parsed script tag
+        https://bugs.webkit.org/show_bug.cgi?id=152870
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?revision=154354&view=revision>
+
+        Although the XSS Auditor caches the decoded start tag of a script as an optimization to
+        avoid decoding it again when filtering the character data of the script, it is sufficient
+        to cache whether the HTTP response contains the decoded start tag of a script. This
+        avoids both decoding the start tag of a script and determining whether the HTTP response
+        contains it again when filtering the character data of the script. Moreover, this removes
+        the need to cache a string object.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::filterCharacterToken):
+        (WebCore::XSSAuditor::filterScriptToken):
+        * html/parser/XSSAuditor.h:
+
 2016-01-13  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -389 +389 @@
 {
     ASSERT(m_scriptTagNestingLevel);
-    if (isContainedInRequest(m_cachedDecodedSnippet) && isContainedInRequest(decodedSnippetForJavaScript(request))) {
+    if (m_wasScriptTagFoundInRequest && isContainedInRequest(decodedSnippetForJavaScript(request))) {
         request.token.clear();
         LChar space = ' ';
@@ -403 +403 @@
     ASSERT(hasName(request.token, scriptTag));
 
-    m_cachedDecodedSnippet = decodedSnippetForName(request);
+    m_wasScriptTagFoundInRequest = isContainedInRequest(decodedSnippetForName(request));
 
     bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(request))) {
+    if (m_wasScriptTagFoundInRequest) {
         didBlockScript |= eraseAttributeIfInjected(request, srcAttr, blankURL().string(), SrcLikeAttribute);
         didBlockScript |= eraseAttributeIfInjected(request, XLinkNames::hrefAttr, blankURL().string(), SrcLikeAttribute);

trunk/Source/WebCore/html/parser/XSSAuditor.h

@@ -115 +115 @@
 
     State m_state;
-    String m_cachedDecodedSnippet;
+    bool m_wasScriptTagFoundInRequest { false };
     unsigned m_scriptTagNestingLevel;
     TextEncoding m_encoding;