Changeset 48564 in webkit
- Timestamp:
- Sep 19, 2009 1:29:29 PM (15 years ago)
- Location:
- trunk
- Files:
-
- 8 added
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r48562 r48564 1 2009-09-19 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=29511 6 7 Tests that scripts that contain non-ASCII characters do not bypass the XSSAuditor. 8 9 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt: Added. 10 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html: Added. 11 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected: Added. 12 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html: Added. 13 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt: Added. 14 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html: Added. 15 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt: Added. 16 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html: Added. 17 1 18 2009-09-19 Simon Fraser <simon.fraser@apple.com> 2 19 -
trunk/WebCore/ChangeLog
r48562 r48564 1 2009-09-19 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=29511 6 7 Fixes an issue where script code that contains non-ASCII characters may bypass the 8 XSSAuditor. 9 10 Before performing a comparison between the script source code and input parameters, we 11 remove all non-ASCII characters, including non-printable ASCII characters from the 12 script source code and input parameters. 13 14 Tests: http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html 15 http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html 16 http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html 17 http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html 18 19 * page/XSSAuditor.cpp: 20 (WebCore::isNonCanonicalCharacter): Modified to remove all non-ASCII characters, 21 including non-printable ASCII characters. 22 1 23 2009-09-19 Simon Fraser <simon.fraser@apple.com> 2 24 -
trunk/WebCore/page/XSSAuditor.cpp
r48458 r48564 49 49 static bool isNonCanonicalCharacter(UChar c) 50 50 { 51 // We remove all non-ASCII characters, including non-printable ASCII characters. 52 // 51 53 // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character. 52 54 // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the … … 54 56 // 55 57 // For instance: new String("http://localhost:8000") => new String("http://localhost:8"). 56 return (c == '\\' || c == '0' || c < ' ' || c == 127);58 return (c == '\\' || c == '0' || c < ' ' || c >= 127); 57 59 } 58 60
Note: See TracChangeset
for help on using the changeset viewer.