Changeset 57105 in webkit

Timestamp:

Apr 5, 2010 5:08:34 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-04-05 Yuta Kitamura <​yutak@chromium.org>

Reviewed by Darin Adler.

Escape control characters in CSS string value when it is serialilzed.

When WebKit serializes a CSS string value that contains binary characters
('\0\1\2' for example), it did not escape these characters. As a result,
users got (invisible) control characters through scripts. This change fixes
this issue.

As a side effect, two separate codes for escaping CSS strings are merged, and
become a public function (quoteCSSString).

CSS string value is not correctly serialized when it contains binary characters
​https://bugs.webkit.org/show_bug.cgi?id=28938

• fast/css/script-tests/string-quote-binary.js: Added.
• fast/css/string-quote-binary-expected.txt: Added.
• fast/css/string-quote-binary.html: Added.
• fast/js/resources/js-test-pre.js: (shouldBeEqualToString): Considering the case when the argument contains binary characters.

2010-04-05 Yuta Kitamura <​yutak@chromium.org>

Reviewed by Darin Adler.

Escape control characters in CSS string value when it is serialilzed.

When WebKit serializes a CSS string value that contains binary characters
('\0\1\2' for example), it did not escape these characters. As a result,
users got (invisible) control characters through scripts. This change fixes
this issue.

As a side effect, two separate codes for escaping CSS strings are merged, and
become a public function (quoteCSSString).

CSS string value is not correctly serialized when it contains binary characters
​https://bugs.webkit.org/show_bug.cgi?id=28938

Test: fast/css/string-quote-binary.html

• css/CSSParser.cpp: (WebCore::isCSSTokenizerIdentifier): (WebCore::isCSSTokenizerURL): (WebCore::quoteCSSString): (WebCore::quoteCSSStringIfNeeded): (WebCore::quoteCSSURLIfNeeded):
• css/CSSParser.h:
• css/CSSPrimitiveValue.cpp: (WebCore::CSSPrimitiveValue::cssText):
• css/FontFamilyValue.cpp: (WebCore::FontFamilyValue::cssText):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/script-tests/string-quote-binary.js (added)
• LayoutTests/fast/css/string-quote-binary-expected.txt (added)
• LayoutTests/fast/css/string-quote-binary.html (added)
• LayoutTests/fast/js/resources/js-test-pre.js (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSParser.cpp (modified) (2 diffs)
• WebCore/css/CSSParser.h (modified) (1 diff)
• WebCore/css/CSSPrimitiveValue.cpp (modified) (4 diffs)
• WebCore/css/FontFamilyValue.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-04-05  Yuta Kitamura  <yutak@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Escape control characters in CSS string value when it is serialilzed.
+
+        When WebKit serializes a CSS string value that contains binary characters
+        ('\0\1\2' for example), it did not escape these characters. As a result,
+        users got (invisible) control characters through scripts. This change fixes
+        this issue.
+
+        As a side effect, two separate codes for escaping CSS strings are merged, and
+        become a public function (quoteCSSString).
+
+        CSS string value is not correctly serialized when it contains binary characters
+        https://bugs.webkit.org/show_bug.cgi?id=28938
+
+        * fast/css/script-tests/string-quote-binary.js: Added.
+        * fast/css/string-quote-binary-expected.txt: Added.
+        * fast/css/string-quote-binary.html: Added.
+        * fast/js/resources/js-test-pre.js:
+        (shouldBeEqualToString): Considering the case when the argument contains binary characters.
+
 2010-04-05  John Gregg  <johnnyg@google.com>
 

trunk/LayoutTests/fast/js/resources/js-test-pre.js

@@ -123 +123 @@
 function shouldBeEqualToString(a, b)
 {
-  var unevaledString = '"' + b.replace(/"/g, "\"") + '"';
+  var unevaledString = '"' + b.replace(/\\/g, "\\\\").replace(/"/g, "\"") + '"';
   shouldBe(a, unevaledString);
 }

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-05  Yuta Kitamura  <yutak@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Escape control characters in CSS string value when it is serialilzed.
+
+        When WebKit serializes a CSS string value that contains binary characters
+        ('\0\1\2' for example), it did not escape these characters. As a result,
+        users got (invisible) control characters through scripts. This change fixes
+        this issue.
+
+        As a side effect, two separate codes for escaping CSS strings are merged, and
+        become a public function (quoteCSSString).
+
+        CSS string value is not correctly serialized when it contains binary characters
+        https://bugs.webkit.org/show_bug.cgi?id=28938
+
+        Test: fast/css/string-quote-binary.html
+
+        * css/CSSParser.cpp:
+        (WebCore::isCSSTokenizerIdentifier):
+        (WebCore::isCSSTokenizerURL):
+        (WebCore::quoteCSSString):
+        (WebCore::quoteCSSStringIfNeeded):
+        (WebCore::quoteCSSURLIfNeeded):
+        * css/CSSParser.h:
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::cssText):
+        * css/FontFamilyValue.cpp:
+        (WebCore::FontFamilyValue::cssText):
+
 2010-04-05  John Gregg  <johnnyg@google.com>
 

trunk/WebCore/css/CSSParser.cpp

@@ -66 +66 @@
 #include "Rect.h"
 #include "ShadowValue.h"
+#include "StringBuffer.h"
 #include "WebKitCSSKeyframeRule.h"
 #include "WebKitCSSKeyframesRule.h"
@@ -5401 +5402 @@
 }
 
+// "ident" from the CSS tokenizer, minus backslash-escape sequences
+static bool isCSSTokenizerIdentifier(const String& string)
+{
+    const UChar* p = string.characters();
+    const UChar* end = p + string.length();
+
+    // -?
+    if (p != end && p[0] == '-')
+        ++p;
+
+    // {nmstart}
+    if (p == end || !(p[0] == '_' || p[0] >= 128 || isASCIIAlpha(p[0])))
+        return false;
+    ++p;
+
+    // {nmchar}*
+    for (; p != end; ++p) {
+        if (!(p[0] == '_' || p[0] == '-' || p[0] >= 128 || isASCIIAlphanumeric(p[0])))
+            return false;
+    }
+
+    return true;
+}
+
+// "url" from the CSS tokenizer, minus backslash-escape sequences
+static bool isCSSTokenizerURL(const String& string)
+{
+    const UChar* p = string.characters();
+    const UChar* end = p + string.length();
+
+    for (; p != end; ++p) {
+        UChar c = p[0];
+        switch (c) {
+            case '!':
+            case '#':
+            case '$':
+            case '%':
+            case '&':
+                break;
+            default:
+                if (c < '*')
+                    return false;
+                if (c <= '~')
+                    break;
+                if (c < 128)
+                    return false;
+        }
+    }
+
+    return true;
+}
+
+// We use single quotes for now because markup.cpp uses double quotes.
+String quoteCSSString(const String& string)
+{
+    // For efficiency, we first pre-calculate the length of the quoted string, then we build the actual one.
+    // Please see below for the actual logic.
+    unsigned quotedStringSize = 2; // Two quotes surrounding the entire string.
+    bool afterEscape = false;
+    for (unsigned i = 0; i < string.length(); ++i) {
+        UChar ch = string[i];
+        if (ch == '\\' || ch == '\'') {
+            quotedStringSize += 2;
+            afterEscape = false;
+        } else if (ch < 0x20 || ch == 0x7F) {
+            quotedStringSize += 2 + (ch >= 0x10);
+            afterEscape = true;
+        } else {
+            quotedStringSize += 1 + (afterEscape && (isASCIIHexDigit(ch) || ch == ' '));
+            afterEscape = false;
+        }
+    }
+
+    StringBuffer buffer(quotedStringSize);
+    unsigned index = 0;
+    buffer[index++] = '\'';
+    afterEscape = false;
+    for (unsigned i = 0; i < string.length(); ++i) {
+        UChar ch = string[i];
+        if (ch == '\\' || ch == '\'') {
+            buffer[index++] = '\\';
+            buffer[index++] = ch;
+            afterEscape = false;
+        } else if (ch < 0x20 || ch == 0x7F) { // Control characters.
+            static const char hexDigits[17] = "0123456789abcdef";
+            buffer[index++] = '\\';
+            if (ch >= 0x10)
+                buffer[index++] = hexDigits[ch >> 4];
+            buffer[index++] = hexDigits[ch & 0xF];
+            afterEscape = true;
+        } else {
+            // Space character may be required to separate backslash-escape sequence and normal characters.
+            if (afterEscape && (isASCIIHexDigit(ch) || ch == ' '))
+                buffer[index++] = ' ';
+            buffer[index++] = ch;
+            afterEscape = false;
+        }
+    }
+    buffer[index++] = '\'';
+
+    ASSERT(quotedStringSize == index);
+    return String::adopt(buffer);
+}
+
+String quoteCSSStringIfNeeded(const String& string)
+{
+    return isCSSTokenizerIdentifier(string) ? string : quoteCSSString(string);
+}
+
+String quoteCSSURLIfNeeded(const String& string)
+{
+    return isCSSTokenizerURL(string) ? string : quoteCSSString(string);
+}
+
 #define YY_DECL int CSSParser::lex()
 #define yyconst const

trunk/WebCore/css/CSSParser.h

@@ -321 +321 @@
     };
 
+    String quoteCSSString(const String&);
+    String quoteCSSStringIfNeeded(const String&);
+    String quoteCSSURLIfNeeded(const String&);
+
 } // namespace WebCore
 

trunk/WebCore/css/CSSPrimitiveValue.cpp

@@ -23 +23 @@
 
 #include "CSSHelper.h"
+#include "CSSParser.h"
 #include "CSSPropertyNames.h"
 #include "CSSStyleSheet.h"
@@ -143 +144 @@
 }
 
-// "ident" from the CSS tokenizer, minus backslash-escape sequences
-static bool isCSSTokenizerIdentifier(const String& string)
-{
-    const UChar* p = string.characters();
-    const UChar* end = p + string.length();
-
-    // -?
-    if (p != end && p[0] == '-')
-        ++p;
-
-    // {nmstart}
-    if (p == end || !(p[0] == '_' || p[0] >= 128 || isASCIIAlpha(p[0])))
-        return false;
-    ++p;
-
-    // {nmchar}*
-    for (; p != end; ++p) {
-        if (!(p[0] == '_' || p[0] == '-' || p[0] >= 128 || isASCIIAlphanumeric(p[0])))
-            return false;
-    }
-
-    return true;
-}
-
-// "url" from the CSS tokenizer, minus backslash-escape sequences
-static bool isCSSTokenizerURL(const String& string)
-{
-    const UChar* p = string.characters();
-    const UChar* end = p + string.length();
-
-    for (; p != end; ++p) {
-        UChar c = p[0];
-        switch (c) {
-            case '!':
-            case '#':
-            case '$':
-            case '%':
-            case '&':
-                break;
-            default:
-                if (c < '*')
-                    return false;
-                if (c <= '~')
-                    break;
-                if (c < 128)
-                    return false;
-        }
-    }
-
-    return true;
-}
-
-// We use single quotes for now because markup.cpp uses double quotes.
-static String quoteString(const String& string)
-{
-    // FIXME: Also need to escape characters like '\n'.
-    String s = string;
-    s.replace('\\', "\\\\");
-    s.replace('\'', "\\'");
-    return "'" + s + "'";
-}
-
-static String quoteStringIfNeeded(const String& string)
-{
-    return isCSSTokenizerIdentifier(string) ? string : quoteString(string);
-}
-
-static String quoteURLIfNeeded(const String& string)
-{
-    return isCSSTokenizerURL(string) ? string : quoteString(string);
-}
-
 CSSPrimitiveValue::CSSPrimitiveValue()
     : m_type(0)
@@ -775 +704 @@
             break;
         case CSS_STRING:
-            text = quoteStringIfNeeded(m_value.string);
+            text = quoteCSSStringIfNeeded(m_value.string);
             break;
         case CSS_URI:
-            text = "url(" + quoteURLIfNeeded(m_value.string) + ")";
+            text = "url(" + quoteCSSURLIfNeeded(m_value.string) + ")";
             break;
         case CSS_IDENT:
@@ -906 +835 @@
         }
         case CSS_PARSER_IDENTIFIER:
-            text = quoteStringIfNeeded(m_value.string);
+            text = quoteCSSStringIfNeeded(m_value.string);
             break;
     }

trunk/WebCore/css/FontFamilyValue.cpp

@@ -22 +22 @@
 #include "FontFamilyValue.h"
 
+#include "CSSParser.h"
+
 namespace WebCore {
-
-// FIXME: This appears identical to isCSSTokenizerIdentifier from CSSPrimitiveValue.cpp, we should use a single function.
-static bool isValidCSSIdentifier(const String& string)
-{
-    unsigned length = string.length();
-    if (!length)
-        return false;
-
-    const UChar* characters = string.characters();
-    UChar c = characters[0];
-    if (!(c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '-' || c >= 0x80))
-        return false;
-
-    for (unsigned i = 1; i < length; ++i) {
-        c = characters[i];
-        if (!(c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c >= 0x80))
-            return false;
-    }
-
-    return true;
-}
-
-// Quotes the string if it needs quoting.
-// We use single quotes because serialization code uses double quotes, and it's nice to
-// avoid having to turn all the quote marks into &quot; as we would have to.
-static String quoteStringIfNeeded(const String& string)
-{
-    if (isValidCSSIdentifier(string))
-        return string;
-
-    // FIXME: Also need to transform control characters (00-1F) into \ sequences.
-    // FIXME: This is inefficient -- should use a Vector<UChar> instead.
-    String quotedString = string;
-    quotedString.replace('\\', "\\\\");
-    quotedString.replace('\'', "\\'");
-    return "'" + quotedString + "'";
-}
 
 FontFamilyValue::FontFamilyValue(const String& familyName)
@@ -102 +67 @@
 String FontFamilyValue::cssText() const
 {
-    return quoteStringIfNeeded(m_familyName);
+    return quoteCSSStringIfNeeded(m_familyName);
 }