Changeset 57627 in webkit

Timestamp:

Apr 14, 2010 8:11:31 PM (14 years ago)

Author:

abarth@webkit.org

Message:

2010-04-14 Justin Schuh <​jschuh@chromium.org>

Reviewed by Adam Barth.

Javascript URL can be set as iframe.src via multiple DOM aliases
​https://bugs.webkit.org/show_bug.cgi?id=37031

Moved frame/iframe checks from Attr to Node on inherited members.
Node child manipulation methods now return NOT_SUPPORTED_ERR if used
on a frame/iframe src attribute.
NamedNodeMap set methods now perform frame/iframe src checks.
Moved allowSettingSrcToJavascriptURL static helper function from
JSElementCustom.cpp to exported function in JSDOMBinding.h.

• bindings/js/JSAttrCustom.cpp: (WebCore::JSAttr::setValue):
• bindings/js/JSDOMBinding.cpp: (WebCore::allowSettingSrcToJavascriptURL):
• bindings/js/JSDOMBinding.h:
• bindings/js/JSElementCustom.cpp:
• bindings/js/JSNamedNodeMapCustom.cpp: (WebCore::JSNamedNodeMap::setNamedItem): (WebCore::JSNamedNodeMap::setNamedItemNS):
• bindings/js/JSNodeCustom.cpp: (WebCore::isAttrFrameSrc): (WebCore::JSNode::setNodeValue): (WebCore::JSNode::setTextContent): (WebCore::JSNode::insertBefore): (WebCore::JSNode::replaceChild): (WebCore::JSNode::removeChild): (WebCore::JSNode::appendChild):
• bindings/v8/custom/V8AttrCustom.cpp:
• bindings/v8/custom/V8NamedNodeMapCustom.cpp: (WebCore::V8NamedNodeMap::setNamedItemNSCallback): (WebCore::V8NamedNodeMap::setNamedItemCallback): (WebCore::toV8):
• bindings/v8/custom/V8NodeCustom.cpp: (WebCore::isFrameSrc): (WebCore::V8Node::textContentAccessorSetter): (WebCore::V8Node::nodeValueAccessorSetter): (WebCore::V8Node::insertBeforeCallback): (WebCore::V8Node::replaceChildCallback): (WebCore::V8Node::removeChildCallback): (WebCore::V8Node::appendChildCallback):
• dom/Attr.idl:
• dom/NamedNodeMap.idl:
• dom/Node.idl:

2010-04-14 Justin Schuh <​jschuh@chromium.org>

Reviewed by Adam Barth.

Fix frame/iframe src setting for JavaScript URLs
​https://bugs.webkit.org/show_bug.cgi?id=37031

• http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
• http/tests/security/xss-DENIED-iframe-src-alias.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html (modified) (3 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSAttrCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMBinding.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSDOMBinding.h (modified) (1 diff)
• WebCore/bindings/js/JSElementCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSNamedNodeMapCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNodeCustom.cpp (modified) (5 diffs)
• WebCore/bindings/v8/custom/V8AttrCustom.cpp (modified) (1 diff)
• WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp (modified) (2 diffs)
• WebCore/bindings/v8/custom/V8NodeCustom.cpp (modified) (6 diffs)
• WebCore/dom/Attr.idl (modified) (2 diffs)
• WebCore/dom/NamedNodeMap.idl (modified) (2 diffs)
• WebCore/dom/Node.idl (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-04-14  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Fix frame/iframe src setting for JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=37031
+
+        * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
+        * http/tests/security/xss-DENIED-iframe-src-alias.html:
+
 2010-04-14  Xan Lopez  <xlopez@igalia.com>
 

trunk/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt

@@ -11 +11 @@
 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
 
-This script tests if iframe.src can be set to a JavaScript URL via an alias (such as Attr.textContent or Attr.nodeValue). The test is successful if no alerts appear and the page finishes loading.
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+This script tests if iframe.src can be set to a JavaScript URL via alternate DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). The test is successful if no alerts appear and the page finishes loading.
 
 
@@ -20 +26 @@
 
 
+
+
+
+
+
+
+
+

trunk/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html

@@ -8 +8 @@
     }
 
-    var alert = 'javascript:alert("FAIL")';
-    // Test different ways of aliasing iframe.src
+    function alertMsg(msg) { 
+        return "javascript:alert(\"FAIL: " + msg + 
+            "\");document.body.innerHTML=\"<p style='font-weight:bold;color:red'>Failure testing " + msg + "</p>\";//"; 
+    }
+    // Test different ways of setting iframe.src
     var aliasTests = [
-        function(iFrame) { iFrame.attributes['src'].textContent = alert;},
-        function(iFrame) { iFrame.attributes['src'].nodeValue = alert;},
-        function(iFrame) { iFrame.attributes[0].textContent = alert;},
-        function(iFrame) { iFrame.attributes[0].nodeValue = alert;},
-        function(iFrame) { iFrame.attributes.item(0).textContent = alert;},
-        function(iFrame) { iFrame.attributes.item(0).nodeValue = alert;}
+        // Attr/Node attributes
+        function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;},
+        function(iFrame) { iFrame.attributes['src'].textContent = alertMsg("textContent");},
+        function(iFrame) { iFrame.attributes['src'].nodeValue = alertMsg("nodeValue");},
+        // Node attribute manipulation functions
+        function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));},
+        function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));},
+        function(iFrame) {
+            var a = document.createAttribute('src');
+            a.nodeValue = alertMsg("setAttributeNode");
+            iFrame.setAttributeNode(a);
+        },
+        function(iFrame) {
+            var a = document.createAttribute('src');
+            a.nodeValue = alertMsg("setAttributeNodeNS");
+            iFrame.setAttributeNodeNS(a);
+        },
+        // Child manipulation methods
+        function(iFrame) { 
+            var src = iFrame.attributes['src'];
+            src.appendChild(document.createTextNode(alertMsg("appendChild() + removeChild()")));
+            src.removeChild(src.firstChild);
+        },
+        function(iFrame) { 
+            var src = iFrame.attributes['src'];
+            src.replaceChild(document.createTextNode(alertMsg("replaceChild()")), src.firstChild);
+        },
+        function(iFrame) { 
+            var src = iFrame.attributes['src'];
+            while (src.firstChild)
+                src.removeChild(src.firstChild);
+            src.appendChild(document.createTextNode(alertMsg("removeChild() + appendChild()")));
+        },
+        function(iFrame) { 
+            var src = iFrame.attributes['src'];
+            while (src.firstChild)
+                src.removeChild(src.firstChild);
+            var msg = alertMsg("removeChild() + appendChild() + appendChild()");
+            src.appendChild(document.createTextNode(msg.slice(0,4)));
+            src.appendChild(document.createTextNode(msg.slice(4)));
+        },
+        function(iFrame) { 
+            var src = iFrame.attributes['src'];
+            src.insertBefore(document.createTextNode(alertMsg("insertBefore()")), src.firstChild);
+        },
+        // NamedNodeMap
+        function(iFrame) {
+            var a = document.createAttribute('src');
+            a.nodeValue = alertMsg("setNamedItem()");
+            iFrame.attributes.setNamedItem(a);
+        },
+        function(iFrame) {
+            var a = document.createAttribute('src');
+            a.nodeValue = alertMsg("setNamedItemNS()");
+            iFrame.attributes.setNamedItemNS(a);
+        }
     ];
 
@@ -33 +86 @@
         aFrame.onload = makeOnloadHandler(i, aFrame);
         aFrame.width = 700;
+        aFrame.height = 40;
         document.body.appendChild(aFrame);
         document.body.appendChild(document.createElement('br'));
@@ -41 +95 @@
 </head>
 <body>
-<p>This script tests if iframe.src can be set to a JavaScript URL via an alias 
-   (such as Attr.textContent or Attr.nodeValue). The test is successful if no 
-   alerts appear and the page finishes loading.</p>
+<p>This script tests if iframe.src can be set to a JavaScript URL via alternate 
+   DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). 
+   The test is successful if no alerts appear and the page finishes loading.</p>
 </body>
 </html>

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-14  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Javascript URL can be set as iframe.src via multiple DOM aliases
+        https://bugs.webkit.org/show_bug.cgi?id=37031
+
+        Moved frame/iframe checks from Attr to Node on inherited members.
+        Node child manipulation methods now return NOT_SUPPORTED_ERR if used
+        on a frame/iframe src attribute.
+        NamedNodeMap set methods now perform frame/iframe src checks.
+        Moved allowSettingSrcToJavascriptURL static helper function from 
+        JSElementCustom.cpp to exported function in JSDOMBinding.h.
+
+        * bindings/js/JSAttrCustom.cpp:
+        (WebCore::JSAttr::setValue):
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::allowSettingSrcToJavascriptURL):
+        * bindings/js/JSDOMBinding.h:
+        * bindings/js/JSElementCustom.cpp:
+        * bindings/js/JSNamedNodeMapCustom.cpp:
+        (WebCore::JSNamedNodeMap::setNamedItem):
+        (WebCore::JSNamedNodeMap::setNamedItemNS):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::isAttrFrameSrc):
+        (WebCore::JSNode::setNodeValue):
+        (WebCore::JSNode::setTextContent):
+        (WebCore::JSNode::insertBefore):
+        (WebCore::JSNode::replaceChild):
+        (WebCore::JSNode::removeChild):
+        (WebCore::JSNode::appendChild):
+        * bindings/v8/custom/V8AttrCustom.cpp:
+        * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
+        (WebCore::V8NamedNodeMap::setNamedItemNSCallback):
+        (WebCore::V8NamedNodeMap::setNamedItemCallback):
+        (WebCore::toV8):
+        * bindings/v8/custom/V8NodeCustom.cpp:
+        (WebCore::isFrameSrc):
+        (WebCore::V8Node::textContentAccessorSetter):
+        (WebCore::V8Node::nodeValueAccessorSetter):
+        (WebCore::V8Node::insertBeforeCallback):
+        (WebCore::V8Node::replaceChildCallback):
+        (WebCore::V8Node::removeChildCallback):
+        (WebCore::V8Node::appendChildCallback):
+        * dom/Attr.idl:
+        * dom/NamedNodeMap.idl:
+        * dom/Node.idl:
+
 2010-04-14  Alejandro G. Castro  <alex@igalia.com>
 

trunk/WebCore/bindings/js/JSAttrCustom.cpp

@@ -34 +34 @@
 #include "HTMLFrameElementBase.h"
 #include "HTMLNames.h"
+#include "JSDOMBinding.h"
 
 using namespace JSC;
@@ -47 +48 @@
 
     Element* ownerElement = imp->ownerElement();
-    if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
-        if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
-            Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
-            if (contentDocument && !checkNodeSecurity(exec, contentDocument))
-                return;
-        }
-    }
+    if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
+        return;
 
     ExceptionCode ec = 0;
     imp->setValue(attrValue, ec);
     setDOMException(exec, ec);
-}
-
-JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const
-{
-    Attr* imp = this->impl();
-    return jsStringOrNull(exec, imp->value());
-}
-
-void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
-{
-    setValue(exec, value);
-}
-
-JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const
-{
-    return nodeValue(exec);
-}
-
-void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
-{
-    setValue(exec, value);
 }
 

trunk/WebCore/bindings/js/JSDOMBinding.cpp

@@ -25 +25 @@
 
 #include "ActiveDOMObject.h"
+#include "CSSHelper.h"
 #include "DOMCoreException.h"
 #include "DOMObjectHashTableMap.h"
@@ -34 +35 @@
 #include "HTMLAudioElement.h"
 #include "HTMLCanvasElement.h"
+#include "HTMLFrameElementBase.h"
 #include "HTMLImageElement.h"
 #include "HTMLNames.h"
@@ -623 +625 @@
 }
 
+bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+{
+    if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+          Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+          if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+              return false;
+      }
+      return true;
+}
+
 void printErrorMessageForFrame(Frame* frame, const String& message)
 {

trunk/WebCore/bindings/js/JSDOMBinding.h

@@ -301 +301 @@
     bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
     bool shouldAllowNavigation(JSC::ExecState*, Frame*);
+    bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
+
     void printErrorMessageForFrame(Frame*, const String& message);
     JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);

trunk/WebCore/bindings/js/JSElementCustom.cpp

@@ -37 +37 @@
 #include "HTMLNames.h"
 #include "JSAttr.h"
+#include "JSDOMBinding.h"
 #include "JSHTMLElementWrapperFactory.h"
 #include "JSNodeList.h"
@@ -62 +63 @@
     if (element->isStyledElement())
         markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
-}
-
-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
-{
-    if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
-        Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
-        if (contentDocument && !checkNodeSecurity(exec, contentDocument))
-            return false;
-    }
-    return true;
 }
 

trunk/WebCore/bindings/js/JSNamedNodeMapCustom.cpp

@@ -36 +36 @@
 namespace WebCore {
 
+JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
+{
+    NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+    ExceptionCode ec = 0;
+    Node* newNode = toNode(args.at(0));
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+        if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return jsNull();
+    }
+
+    JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
+    setDOMException(exec, ec);
+    return result;
+}
+
+JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
+{
+    NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+    ExceptionCode ec = 0;
+    Node* newNode = toNode(args.at(0));
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+        if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return jsNull();
+    }
+
+    JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
+    setDOMException(exec, ec);
+    return result;
+}
+
 bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
 {

trunk/WebCore/bindings/js/JSNodeCustom.cpp

@@ -39 +39 @@
 #include "JSCDATASection.h"
 #include "JSComment.h"
+#include "JSDOMBinding.h"
 #include "JSDocument.h"
 #include "JSDocumentFragment.h"
@@ -67 +68 @@
 namespace WebCore {
 
-typedef int ExpectionCode;
+static inline bool isAttrFrameSrc(Element *element, const String& name)
+{
+    return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+    Node* imp = static_cast<Node*>(impl());
+    String nodeValue = valueToStringWithNullCheck(exec, value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+        if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setNodeValue(nodeValue, ec);
+    setDOMException(exec, ec);
+}
+
+void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+    Node* imp = static_cast<Node*>(impl());
+    String nodeValue = valueToStringWithNullCheck(exec, value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+        if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setTextContent(nodeValue, ec);
+    setDOMException(exec, ec);
+}
 
 JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
 {
-    ExceptionCode ec = 0;
-    bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
+    ExceptionCode ec = 0;
+    bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
     setDOMException(exec, ec);
     if (ok)
@@ -81 +123 @@
 JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
 {
-    ExceptionCode ec = 0;
-    bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
+    ExceptionCode ec = 0;
+    bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
     setDOMException(exec, ec);
     if (ok)
@@ -91 +139 @@
 JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
 {
-    ExceptionCode ec = 0;
-    bool ok = impl()->removeChild(toNode(args.at(0)), ec);
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
+    ExceptionCode ec = 0;
+    bool ok = imp->removeChild(toNode(args.at(0)), ec);
     setDOMException(exec, ec);
     if (ok)
@@ -101 +155 @@
 JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
 {
-    ExceptionCode ec = 0;
-    bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
+    ExceptionCode ec = 0;
+    bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
     setDOMException(exec, ec);
     if (ok)

trunk/WebCore/bindings/v8/custom/V8AttrCustom.cpp

@@ -56 +56 @@
 }
 
-void V8Attr::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
-{
-    valueAccessorSetter(name, value, info);
-}
-v8::Handle<v8::Value> V8Attr::nodeValueAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
-{
-    Attr* imp = V8Attr::toNative(info.Holder());
-    return v8StringOrNull(imp->value());
-}
-
-void V8Attr::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
-{
-    valueAccessorSetter(name, value, info);
-}
-
-v8::Handle<v8::Value> V8Attr::textContentAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
-{
-    return nodeValueAccessorGetter(name, info);
-}
-
 } // namespace WebCore

trunk/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp

@@ -33 +33 @@
 
 #include "NamedNodeMap.h"
+#include "V8Attr.h"
 #include "V8Binding.h"
-#include "V8DOMWrapper.h"
+#include "V8BindingState.h"
 #include "V8Element.h"
 #include "V8Node.h"
@@ -75 +76 @@
 }
 
+v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemNSCallback(const v8::Arguments& args)
+{
+    INC_STATS("DOM.NamedNodeMap.setNamedItemNS");
+    NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder());
+    Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+        if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return v8::Handle<v8::Value>();
+    }
+
+    ExceptionCode ec = 0;
+    RefPtr<Node> result = imp->setNamedItemNS(newNode, ec);
+    if (UNLIKELY(!ec)) {
+        throwError(ec);
+        return v8::Handle<v8::Value>();
+    }
+
+    return toV8(result.release());
+}
+
+v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemCallback(const v8::Arguments & args)
+{
+    INC_STATS("DOM.NamedNodeMap.setNamedItem");
+    NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder());
+    Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+      if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return v8::Handle<v8::Value>();
+    }
+
+    ExceptionCode ec = 0;
+    RefPtr<Node> result = imp->setNamedItem(newNode, ec);
+    if (UNLIKELY(!ec)) {
+        throwError(ec);
+        return v8::Handle<v8::Value>();
+    }
+
+    return toV8(result.release());
+}
+
 v8::Handle<v8::Value> toV8(NamedNodeMap* impl)
 {

trunk/WebCore/bindings/v8/custom/V8NodeCustom.cpp

@@ -38 +38 @@
 #include "V8Attr.h"
 #include "V8Binding.h"
+#include "V8BindingState.h"
 #include "V8CDATASection.h"
 #include "V8Comment.h"
@@ -57 +58 @@
 namespace WebCore {
 
+static inline bool isFrameSrc(Element *element, const String& name)
+{
+    return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void V8Node::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+    Node* imp = V8Node::toNative(info.Holder());
+    String nodeValue = toWebCoreStringWithNullCheck(value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement();
+        if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setTextContent(nodeValue, ec);
+    if (ec)
+        throwError(ec);
+}
+
+void V8Node::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+    Node* imp = V8Node::toNative(info.Holder());
+    String nodeValue = toWebCoreStringWithNullCheck(value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement();
+        if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setNodeValue(nodeValue, ec);
+    if (ec)
+        throwError(ec);
+}
+
 // This function is customized to take advantage of the optional 4th argument: shouldLazyAttach
 v8::Handle<v8::Value> V8Node::insertBeforeCallback(const v8::Arguments& args)
@@ -63 +103 @@
     v8::Handle<v8::Object> holder = args.Holder();
     Node* imp = V8Node::toNative(holder);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+        V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+        return v8::Handle<v8::Value>();
+    }
+
     ExceptionCode ec = 0;
     Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
@@ -82 +128 @@
     v8::Handle<v8::Object> holder = args.Holder();
     Node* imp = V8Node::toNative(holder);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+        V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+        return v8::Handle<v8::Value>();
+    }
+
     ExceptionCode ec = 0;
     Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
@@ -100 +152 @@
     v8::Handle<v8::Object> holder = args.Holder();
     Node* imp = V8Node::toNative(holder);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+        V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+        return v8::Handle<v8::Value>();
+    }
+
     ExceptionCode ec = 0;
     Node* oldChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
@@ -118 +176 @@
     v8::Handle<v8::Object> holder = args.Holder();
     Node* imp = V8Node::toNative(holder);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) {
+        V8Proxy::setDOMException(NOT_SUPPORTED_ERR);
+        return v8::Handle<v8::Value>();
+    }
+
     ExceptionCode ec = 0;
     Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;

trunk/WebCore/dom/Attr.idl

@@ -35 +35 @@
                      setter raises(DOMException);
 
-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT  // Used for JavaScript iFrame src check.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue
-                     setter raises(DOMException);
-#endif
-
         // DOM Level 2
 
@@ -48 +43 @@
         readonly attribute boolean isId;
 
-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT  // Used for JavaScript iFrame src check.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent
-                     setter raises(DOMException);
-#endif
-
         // extensions
         readonly attribute CSSStyleDeclaration style;

trunk/WebCore/dom/NamedNodeMap.idl

@@ -29 +29 @@
         Node getNamedItem(in DOMString name);
 
-        Node setNamedItem(in Node node)
+        [Custom] Node setNamedItem(in Node node)
             raises(DOMException);
 
@@ -47 +47 @@
             /*raises(DOMException)*/;
 
-        Node setNamedItemNS(in Node node)
+        [Custom] Node setNamedItemNS(in Node node)
             raises(DOMException);
 

trunk/WebCore/dom/Node.idl

@@ -52 +52 @@
 
                  // FIXME: the spec says this can also raise on retrieval.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString        nodeValue
+                 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString        nodeValue
                      setter raises(DOMException);
 
@@ -97 +97 @@
 
                  // FIXME: the spec says this can also raise on retrieval.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString       textContent
+                 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString       textContent
                      setter raises(DOMException);