Changeset 206277 in webkit
- Timestamp: Sep 22, 2016 2:34:12 PM (8 years ago)
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r206276 r206277 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] HTML5 entities can bypass XSS Auditor 4 https://bugs.webkit.org/show_bug.cgi?id=161939 5 <rdar://problem/25819815> 6 7 Reviewed by David Kilzer. 8 9 * http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt: Added. 10 * http/tests/security/xssAuditor/script-tag-with-source-data-url5.html: Added. 11 1 12 2016-09-22 Daniel Bates <dabates@apple.com> 2 13 -
trunk/Source/WebCore/ChangeLog
r206276 r206277 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] HTML5 entities can bypass XSS Auditor 4 https://bugs.webkit.org/show_bug.cgi?id=161939 5 <rdar://problem/25819815> 6 7 Reviewed by David Kilzer. 8 9 Merged from Blink: 10 <https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179> 11 12 Truncate a src-like URL at the first & character as it may mark the start of an HTML entity. 13 We will evaluate the effectiveness of this approach and adjust it if necessary if we see an 14 increase in false positives. 15 16 HTML5 defines more named character references, including named character references for common 17 punctuation characters. Characters following some punctuation characters may come from the page 18 itself. We truncate src-like strings at punctuation characters to avoid considering such page 19 content when performing a match. 20 21 Test: http/tests/security/xssAuditor/script-tag-with-source-data-url5.html 22 23 * html/parser/XSSAuditor.cpp: 24 (WebCore::truncateForSrcLikeAttribute): 25 1 26 2016-09-22 Daniel Bates <dabates@apple.com> 2 27 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r206276 r206277 183 183 // data URLs may use the same string literal tricks as with script content itself. 184 184 // In either case, content following this may come from the page and may be ignored 185 // when the script is executed. 186 // For simplicity, we don't differentiate based on URL scheme, and stop at 185 // when the script is executed. Also, any of these characters may now be represented 186 // by the (enlarged) set of HTML5 entities. 187 // For simplicity, we don't differentiate based on URL scheme, and stop at the first 188 // & (since it might be part of an entity for any of the subsequent punctuation) 187 189 // the first # or ?, the third slash, or the first slash, <, ', or " once a comma 188 190 // is seen. … … 191 193 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) { 192 194 UChar currentChar = decodedSnippet[currentLength]; 193 if (currentChar == '?' 195 if (currentChar == '&' 196 || currentChar == '?' 194 197 || currentChar == '#' 195 198 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
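Review bot: in the XSSAuditor.cpp hunk the rewritten comment runs its clauses together: "stop at the first & (since it might be part of an entity for any of the subsequent punctuation) the first # or ?, the third slash, ..." needs a comma or "or" after the closing parenthesis so the list of stop characters reads as a list. On the logic of the new `currentChar == '&'` test: since the loop already stops at the first `?` or `#`, the `&` check only changes behaviour when an `&` appears before either of those (the data: URL case the ChangeLog targets), but it also means any src-like value whose path carries an `&` before a `?` is now matched on a shorter prefix, which is the kind of case the promised false-positive evaluation should cover. The check runs on decodedSnippet, so the truncation applies to the decoded form of the attribute; a short clause in the comment stating that would make the intent explicit.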
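Review bot: the LayoutTests ChangeLog hunk lists script-tag-with-source-data-url5.html and its -expected.txt, but the contents of the two added files are not shown in this changeset view, so the test cannot be checked here against the entity-bypass behaviour the WebCore ChangeLog describes; the WebCore entry's statement that the approach will be adjusted "if we see an increase in false positives" would be more actionable if it named the test or bug under which that follow-up is tracked.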