Changeset 57627 in webkit
- Timestamp:
- Apr 14, 2010 8:11:31 PM (14 years ago)
- Location:
- trunk
- Files:
-
- 16 edited
trunk/LayoutTests/ChangeLog
r57617 r57627 1 2010-04-14 Justin Schuh <jschuh@chromium.org> 2 3 Reviewed by Adam Barth. 4 5 Fix frame/iframe src setting for JavaScript URLs 6 https://bugs.webkit.org/show_bug.cgi?id=37031 7 8 * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt: 9 * http/tests/security/xss-DENIED-iframe-src-alias.html: 10 1 11 2010-04-14 Xan Lopez <xlopez@igalia.com> 2 12 -
trunk/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
r56651 r57627 11 11 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match. 12 12 13 This script tests if iframe.src can be set to a JavaScript URL via an alias (such as Attr.textContent or Attr.nodeValue). The test is successful if no alerts appear and the page finishes loading. 13 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match. 14 15 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match. 16 17 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match. 18 19 This script tests if iframe.src can be set to a JavaScript URL via alternate DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). The test is successful if no alerts appear and the page finishes loading. 14 20 15 21 … … 20 26 21 27 28 29 30 31 32 33 34 35 -
trunk/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
r56651 r57627 8 8 } 9 9 10 var alert = 'javascript:alert("FAIL")'; 11 // Test different ways of aliasing iframe.src 10 function alertMsg(msg) { 11 return "javascript:alert(\"FAIL: " + msg + 12 "\");document.body.innerHTML=\"<p style='font-weight:bold;color:red'>Failure testing " + msg + "</p>\";//"; 13 } 14 // Test different ways of setting iframe.src 12 15 var aliasTests = [ 13 function(iFrame) { iFrame.attributes['src'].textContent = alert;}, 14 function(iFrame) { iFrame.attributes['src'].nodeValue = alert;}, 15 function(iFrame) { iFrame.attributes[0].textContent = alert;}, 16 function(iFrame) { iFrame.attributes[0].nodeValue = alert;}, 17 function(iFrame) { iFrame.attributes.item(0).textContent = alert;}, 18 function(iFrame) { iFrame.attributes.item(0).nodeValue = alert;} 16 // Attr/Node attributes 17 function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;}, 18 function(iFrame) { iFrame.attributes['src'].textContent = alertMsg("textContent");}, 19 function(iFrame) { iFrame.attributes['src'].nodeValue = alertMsg("nodeValue");}, 20 // Node attribute manipulation functions 21 function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));}, 22 function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));}, 23 function(iFrame) { 24 var a = document.createAttribute('src'); 25 a.nodeValue = alertMsg("setAttributeNode"); 26 iFrame.setAttributeNode(a); 27 }, 28 function(iFrame) { 29 var a = document.createAttribute('src'); 30 a.nodeValue = alertMsg("setAttributeNodeNS"); 31 iFrame.setAttributeNodeNS(a); 32 }, 33 // Child manipulation methods 34 function(iFrame) { 35 var src = iFrame.attributes['src']; 36 src.appendChild(document.createTextNode(alertMsg("appendChild() + removeChild()"))); 37 src.removeChild(src.firstChild); 38 }, 39 function(iFrame) { 40 var src = iFrame.attributes['src']; 41 src.replaceChild(document.createTextNode(alertMsg("replaceChild()")), src.firstChild); 42 }, 43 
function(iFrame) { 44 var src = iFrame.attributes['src']; 45 while (src.firstChild) 46 src.removeChild(src.firstChild); 47 src.appendChild(document.createTextNode(alertMsg("removeChild() + appendChild()"))); 48 }, 49 function(iFrame) { 50 var src = iFrame.attributes['src']; 51 while (src.firstChild) 52 src.removeChild(src.firstChild); 53 var msg = alertMsg("removeChild() + appendChild() + appendChild()"); 54 src.appendChild(document.createTextNode(msg.slice(0,4))); 55 src.appendChild(document.createTextNode(msg.slice(4))); 56 }, 57 function(iFrame) { 58 var src = iFrame.attributes['src']; 59 src.insertBefore(document.createTextNode(alertMsg("insertBefore()")), src.firstChild); 60 }, 61 // NamedNodeMap 62 function(iFrame) { 63 var a = document.createAttribute('src'); 64 a.nodeValue = alertMsg("setNamedItem()"); 65 iFrame.attributes.setNamedItem(a); 66 }, 67 function(iFrame) { 68 var a = document.createAttribute('src'); 69 a.nodeValue = alertMsg("setNamedItemNS()"); 70 iFrame.attributes.setNamedItemNS(a); 71 } 19 72 ]; 20 73 … … 33 86 aFrame.onload = makeOnloadHandler(i, aFrame); 34 87 aFrame.width = 700; 88 aFrame.height = 40; 35 89 document.body.appendChild(aFrame); 36 90 document.body.appendChild(document.createElement('br')); … … 41 95 </head> 42 96 <body> 43 <p>This script tests if iframe.src can be set to a JavaScript URL via a n alias44 (such as Attr.textContent or Attr.nodeValue). The test is successful if no45 alerts appear and the page finishes loading.</p>97 <p>This script tests if iframe.src can be set to a JavaScript URL via alternate 98 DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). 99 The test is successful if no alerts appear and the page finishes loading.</p> 46 100 </body> 47 101 </html> -
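Review bot: The aliasTests list never mutates the existing Text child of the src Attr directly, so `src.firstChild.data = alertMsg("Text.data")`, `src.firstChild.nodeValue = ...` and `src.firstChild.appendData(...)` stay untested even though the child-manipulation cases show the Attr does have a Text child that feeds the attribute value. If such mutations propagate to the owner element the way replaceChild does (not visible here), they are the obvious next alias, so adding those three cases would keep this test honest against the fix. Separately, the `value` case ends with an unexplained `iFrame.src = iFrame.src;`; a short comment such as `// re-assign src so the new value actually triggers a navigation` would save the next reader from wondering whether the assignment is part of the attack.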
trunk/WebCore/ChangeLog
r57624 r57627 1 2010-04-14 Justin Schuh <jschuh@chromium.org> 2 3 Reviewed by Adam Barth. 4 5 Javascript URL can be set as iframe.src via multiple DOM aliases 6 https://bugs.webkit.org/show_bug.cgi?id=37031 7 8 Moved frame/iframe checks from Attr to Node on inherited members. 9 Node child manipulation methods now return NOT_SUPPORTED_ERR if used 10 on a frame/iframe src attribute. 11 NamedNodeMap set methods now perform frame/iframe src checks. 12 Moved allowSettingSrcToJavascriptURL static helper function from 13 JSElementCustom.cpp to exported function in JSDOMBinding.h. 14 15 * bindings/js/JSAttrCustom.cpp: 16 (WebCore::JSAttr::setValue): 17 * bindings/js/JSDOMBinding.cpp: 18 (WebCore::allowSettingSrcToJavascriptURL): 19 * bindings/js/JSDOMBinding.h: 20 * bindings/js/JSElementCustom.cpp: 21 * bindings/js/JSNamedNodeMapCustom.cpp: 22 (WebCore::JSNamedNodeMap::setNamedItem): 23 (WebCore::JSNamedNodeMap::setNamedItemNS): 24 * bindings/js/JSNodeCustom.cpp: 25 (WebCore::isAttrFrameSrc): 26 (WebCore::JSNode::setNodeValue): 27 (WebCore::JSNode::setTextContent): 28 (WebCore::JSNode::insertBefore): 29 (WebCore::JSNode::replaceChild): 30 (WebCore::JSNode::removeChild): 31 (WebCore::JSNode::appendChild): 32 * bindings/v8/custom/V8AttrCustom.cpp: 33 * bindings/v8/custom/V8NamedNodeMapCustom.cpp: 34 (WebCore::V8NamedNodeMap::setNamedItemNSCallback): 35 (WebCore::V8NamedNodeMap::setNamedItemCallback): 36 (WebCore::toV8): 37 * bindings/v8/custom/V8NodeCustom.cpp: 38 (WebCore::isFrameSrc): 39 (WebCore::V8Node::textContentAccessorSetter): 40 (WebCore::V8Node::nodeValueAccessorSetter): 41 (WebCore::V8Node::insertBeforeCallback): 42 (WebCore::V8Node::replaceChildCallback): 43 (WebCore::V8Node::removeChildCallback): 44 (WebCore::V8Node::appendChildCallback): 45 * dom/Attr.idl: 46 * dom/NamedNodeMap.idl: 47 * dom/Node.idl: 48 1 49 2010-04-14 Alejandro G. Castro <alex@igalia.com> 2 50 -
trunk/WebCore/bindings/js/JSAttrCustom.cpp
r56651 r57627 34 34 #include "HTMLFrameElementBase.h" 35 35 #include "HTMLNames.h" 36 #include "JSDOMBinding.h" 36 37 37 38 using namespace JSC; … … 47 48 48 49 Element* ownerElement = imp->ownerElement(); 49 if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) { 50 if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) { 51 Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument(); 52 if (contentDocument && !checkNodeSecurity(exec, contentDocument)) 53 return; 54 } 55 } 50 if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue)) 51 return; 56 52 57 53 ExceptionCode ec = 0; 58 54 imp->setValue(attrValue, ec); 59 55 setDOMException(exec, ec); 60 }61 62 JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const63 {64 Attr* imp = this->impl();65 return jsStringOrNull(exec, imp->value());66 }67 68 void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)69 {70 setValue(exec, value);71 }72 73 JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const74 {75 return nodeValue(exec);76 }77 78 void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)79 {80 setValue(exec, value);81 56 } 82 57 -
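Review bot: JSAttr::setValue now skips the check entirely when `ownerElement` is null, so a detached Attr can be loaded with a javascript: value and the protection relies on the insertion paths (setNamedItem/setNamedItemNS in this changeset, and the existing setAttributeNode check this helper was lifted from) re-validating it. That invariant is easy to break silently if one of those paths is later refactored, so it deserves a comment at the early return: `// A detached Attr protects no frame yet; the value is re-checked by setAttributeNode/setNamedItem when it is attached.` The rest of setValue is unchanged and its start lies just above this hunk.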
trunk/WebCore/bindings/js/JSDOMBinding.cpp
r57391 r57627 25 25 26 26 #include "ActiveDOMObject.h" 27 #include "CSSHelper.h" 27 28 #include "DOMCoreException.h" 28 29 #include "DOMObjectHashTableMap.h" … … 34 35 #include "HTMLAudioElement.h" 35 36 #include "HTMLCanvasElement.h" 37 #include "HTMLFrameElementBase.h" 36 38 #include "HTMLImageElement.h" 37 39 #include "HTMLNames.h" … … 623 625 } 624 626 627 bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value) 628 { 629 if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) { 630 Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument(); 631 if (contentDocument && !checkNodeSecurity(exec, contentDocument)) 632 return false; 633 } 634 return true; 635 } 636 625 637 void printErrorMessageForFrame(Frame* frame, const String& message) 626 638 { -
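Review bot: allowSettingSrcToJavascriptURL is now an exported binding helper called from five places, but it carries no contract comment, and its "allow" result covers three very different situations: the attribute is not a frame/iframe src, the value is not a javascript: URL, or the frame simply has no contentDocument yet. A header comment in JSDOMBinding.cpp (or next to the declaration) should say that it returns false only when `element` is a frame/iframe, `name` is "src", `value` parses as a javascript: URL and the calling frame fails checkNodeSecurity against the existing content document, and that a frame with no content document is deliberately allowed through. Callers that return silently on false should also be told that checkNodeSecurity has already logged the console message, since nothing else reports the denial.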
trunk/WebCore/bindings/js/JSDOMBinding.h
r57391 r57627 301 301 bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message); 302 302 bool shouldAllowNavigation(JSC::ExecState*, Frame*); 303 bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&); 304 303 305 void printErrorMessageForFrame(Frame*, const String& message); 304 306 JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName); -
trunk/WebCore/bindings/js/JSElementCustom.cpp
r51363 r57627 37 37 #include "HTMLNames.h" 38 38 #include "JSAttr.h" 39 #include "JSDOMBinding.h" 39 40 #include "JSHTMLElementWrapperFactory.h" 40 41 #include "JSNodeList.h" … … 62 63 if (element->isStyledElement()) 63 64 markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl()); 64 }65 66 static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)67 {68 if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {69 Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();70 if (contentDocument && !checkNodeSecurity(exec, contentDocument))71 return false;72 }73 return true;74 65 } 75 66 -
trunk/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
r55401 r57627 36 36 namespace WebCore { 37 37 38 JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args) 39 { 40 NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl()); 41 ExceptionCode ec = 0; 42 Node* newNode = toNode(args.at(0)); 43 44 if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { 45 if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue())) 46 return jsNull(); 47 } 48 49 JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec))); 50 setDOMException(exec, ec); 51 return result; 52 } 53 54 JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args) 55 { 56 NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl()); 57 ExceptionCode ec = 0; 58 Node* newNode = toNode(args.at(0)); 59 60 if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { 61 if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue())) 62 return jsNull(); 63 } 64 65 JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec))); 66 setDOMException(exec, ec); 67 return result; 68 } 69 38 70 bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName) 39 71 { -
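Review bot: setNamedItem and setNamedItemNS duplicate the same four-line admission check, which is exactly the kind of copy that drifts when a further condition is added to one of them. Factoring it into one static helper keeps the policy in a single place and makes the two callbacks read as the one-line wrappers they are; the deny path still returns `jsNull()` without an exception, matching JSAttr::setValue, which is worth stating in the helper comment.
```cpp
// Shared by setNamedItem/setNamedItemNS: an Attr attached to a frame/iframe must not
// carry a javascript: src that the caller could not set through JSAttr::setValue.
// checkNodeSecurity (via allowSettingSrcToJavascriptURL) already logs the denial.
static bool allowNamedItem(ExecState* exec, NamedNodeMap* map, Node* newNode)
{
    if (!newNode || newNode->nodeType() != Node::ATTRIBUTE_NODE || !map->element())
        return true;
    return allowSettingSrcToJavascriptURL(exec, map->element(), newNode->nodeName(), newNode->nodeValue());
}

JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
{
    NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
    Node* newNode = toNode(args.at(0));
    if (!allowNamedItem(exec, imp, newNode))
        return jsNull();
    // … unchanged: ExceptionCode ec, imp->setNamedItem(newNode, ec), setDOMException, return …
}
// … setNamedItemNS: same shape, calling imp->setNamedItemNS …
```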
trunk/WebCore/bindings/js/JSNodeCustom.cpp
r57340 r57627 39 39 #include "JSCDATASection.h" 40 40 #include "JSComment.h" 41 #include "JSDOMBinding.h" 41 42 #include "JSDocument.h" 42 43 #include "JSDocumentFragment.h" … … 67 68 namespace WebCore { 68 69 69 typedef int ExpectionCode; 70 static inline bool isAttrFrameSrc(Element *element, const String& name) 71 { 72 return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src"); 73 } 74 75 void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value) 76 { 77 Node* imp = static_cast<Node*>(impl()); 78 String nodeValue = valueToStringWithNullCheck(exec, value); 79 80 if (imp->nodeType() == Node::ATTRIBUTE_NODE) { 81 Element* ownerElement = static_cast<Attr*>(impl())->ownerElement(); 82 if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue)) 83 return; 84 } 85 86 ExceptionCode ec = 0; 87 imp->setNodeValue(nodeValue, ec); 88 setDOMException(exec, ec); 89 } 90 91 void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value) 92 { 93 Node* imp = static_cast<Node*>(impl()); 94 String nodeValue = valueToStringWithNullCheck(exec, value); 95 96 if (imp->nodeType() == Node::ATTRIBUTE_NODE) { 97 Element* ownerElement = static_cast<Attr*>(impl())->ownerElement(); 98 if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue)) 99 return; 100 } 101 102 ExceptionCode ec = 0; 103 imp->setTextContent(nodeValue, ec); 104 setDOMException(exec, ec); 105 } 70 106 71 107 JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args) 72 108 { 73 ExceptionCode ec = 0; 74 bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true); 109 Node* imp = static_cast<Node*>(impl()); 110 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { 111 setDOMException(exec, NOT_SUPPORTED_ERR); 112 return jsNull(); 113 } 114 115 
ExceptionCode ec = 0; 116 bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true); 75 117 setDOMException(exec, ec); 76 118 if (ok) … … 81 123 JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args) 82 124 { 83 ExceptionCode ec = 0; 84 bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true); 125 Node* imp = static_cast<Node*>(impl()); 126 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { 127 setDOMException(exec, NOT_SUPPORTED_ERR); 128 return jsNull(); 129 } 130 131 ExceptionCode ec = 0; 132 bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true); 85 133 setDOMException(exec, ec); 86 134 if (ok) … … 91 139 JSValue JSNode::removeChild(ExecState* exec, const ArgList& args) 92 140 { 93 ExceptionCode ec = 0; 94 bool ok = impl()->removeChild(toNode(args.at(0)), ec); 141 Node* imp = static_cast<Node*>(impl()); 142 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { 143 setDOMException(exec, NOT_SUPPORTED_ERR); 144 return jsNull(); 145 } 146 147 ExceptionCode ec = 0; 148 bool ok = imp->removeChild(toNode(args.at(0)), ec); 95 149 setDOMException(exec, ec); 96 150 if (ok) … … 101 155 JSValue JSNode::appendChild(ExecState* exec, const ArgList& args) 102 156 { 103 ExceptionCode ec = 0; 104 bool ok = impl()->appendChild(toNode(args.at(0)), ec, true); 157 Node* imp = static_cast<Node*>(impl()); 158 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) { 159 setDOMException(exec, NOT_SUPPORTED_ERR); 160 return jsNull(); 161 } 162 163 ExceptionCode ec = 0; 164 bool ok = imp->appendChild(toNode(args.at(0)), ec, true); 105 165 setDOMException(exec, ec); 106 166 if (ok) -
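Review bot: The new guards in setNodeValue, setTextContent, insertBefore, replaceChild, removeChild and appendChild all key on `imp->nodeType() == Node::ATTRIBUTE_NODE`, so a script that holds the Attr's existing Text child (the test file shows `src.firstChild` exists) and sets `firstChild.nodeValue` or `firstChild.textContent` through these same setters passes the check untouched. If Attr::childrenChanged recomputes the attribute value from its children on such a mutation (not visible in this changeset), that is a remaining alias to a javascript: src, and the CharacterData paths (`data`, `appendData`, `insertData`, `replaceData`) that live outside this file would need the same treatment. A small helper that resolves a Text node to its parent Attr before applying isAttrFrameSrc, e.g. `if (imp->nodeType() == Node::TEXT_NODE) imp = imp->parentNode();` ahead of the existing test, would close the two setters here; the NOT_SUPPORTED_ERR paths should use the same resolution. Please either confirm that Attr children do not feed the attribute value, or track the remaining paths in the bug.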
trunk/WebCore/bindings/v8/custom/V8AttrCustom.cpp
r56651 r57627 56 56 } 57 57 58 void V8Attr::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)59 {60 valueAccessorSetter(name, value, info);61 }62 v8::Handle<v8::Value> V8Attr::nodeValueAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)63 {64 Attr* imp = V8Attr::toNative(info.Holder());65 return v8StringOrNull(imp->value());66 }67 68 void V8Attr::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)69 {70 valueAccessorSetter(name, value, info);71 }72 73 v8::Handle<v8::Value> V8Attr::textContentAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)74 {75 return nodeValueAccessorGetter(name, info);76 }77 78 58 } // namespace WebCore -
trunk/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp
r57004 r57627 33 33 34 34 #include "NamedNodeMap.h" 35 #include "V8Attr.h" 35 36 #include "V8Binding.h" 36 #include "V8 DOMWrapper.h"37 #include "V8BindingState.h" 37 38 #include "V8Element.h" 38 39 #include "V8Node.h" … … 75 76 } 76 77 78 v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemNSCallback(const v8::Arguments& args) 79 { 80 INC_STATS("DOM.NamedNodeMap.setNamedItemNS"); 81 NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder()); 82 Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; 83 84 if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { 85 if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue())) 86 return v8::Handle<v8::Value>(); 87 } 88 89 ExceptionCode ec = 0; 90 RefPtr<Node> result = imp->setNamedItemNS(newNode, ec); 91 if (UNLIKELY(!ec)) { 92 throwError(ec); 93 return v8::Handle<v8::Value>(); 94 } 95 96 return toV8(result.release()); 97 } 98 99 v8::Handle<v8::Value> V8NamedNodeMap::setNamedItemCallback(const v8::Arguments & args) 100 { 101 INC_STATS("DOM.NamedNodeMap.setNamedItem"); 102 NamedNodeMap* imp = V8NamedNodeMap::toNative(args.Holder()); 103 Node* newNode = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; 104 105 if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) { 106 if (!V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), imp->element(), newNode->nodeName(), newNode->nodeValue())) 107 return v8::Handle<v8::Value>(); 108 } 109 110 ExceptionCode ec = 0; 111 RefPtr<Node> result = imp->setNamedItem(newNode, ec); 112 if (UNLIKELY(!ec)) { 113 throwError(ec); 114 return v8::Handle<v8::Value>(); 115 } 116 117 return toV8(result.release()); 118 } 119 77 120 v8::Handle<v8::Value> toV8(NamedNodeMap* impl) 78 121 { -
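Review bot: The exception test in both new callbacks is inverted: `if (UNLIKELY(!ec)) { throwError(ec); return v8::Handle<v8::Value>(); }` throws (with ec == 0) on every successful setNamedItem/setNamedItemNS and returns the node normally when the DOM core reported an error. The line should read `if (UNLIKELY(ec)) {` in setNamedItemNSCallback and setNamedItemCallback, and the layout test in this changeset cannot catch it because the expected path is a security denial that returns before this point. A V8-side run of a plain `attributes.setNamedItem(document.createAttribute('title'))` would show the breakage.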
trunk/WebCore/bindings/v8/custom/V8NodeCustom.cpp
r55096 r57627 38 38 #include "V8Attr.h" 39 39 #include "V8Binding.h" 40 #include "V8BindingState.h" 40 41 #include "V8CDATASection.h" 41 42 #include "V8Comment.h" … … 57 58 namespace WebCore { 58 59 60 static inline bool isFrameSrc(Element *element, const String& name) 61 { 62 return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src"); 63 } 64 65 void V8Node::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info) 66 { 67 Node* imp = V8Node::toNative(info.Holder()); 68 String nodeValue = toWebCoreStringWithNullCheck(value); 69 70 if (imp->nodeType() == Node::ATTRIBUTE_NODE) { 71 Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement(); 72 if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue)) 73 return; 74 } 75 76 ExceptionCode ec = 0; 77 imp->setTextContent(nodeValue, ec); 78 if (ec) 79 throwError(ec); 80 } 81 82 void V8Node::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info) 83 { 84 Node* imp = V8Node::toNative(info.Holder()); 85 String nodeValue = toWebCoreStringWithNullCheck(value); 86 87 if (imp->nodeType() == Node::ATTRIBUTE_NODE) { 88 Element * ownerElement = V8Attr::toNative(info.Holder())->ownerElement(); 89 if (ownerElement && !V8BindingSecurity::allowSettingSrcToJavascriptURL(V8BindingState::Only(), ownerElement, imp->nodeName(), nodeValue)) 90 return; 91 } 92 93 ExceptionCode ec = 0; 94 imp->setNodeValue(nodeValue, ec); 95 if (ec) 96 throwError(ec); 97 } 98 59 99 // This function is customized to take advantage of the optional 4th argument: shouldLazyAttach 60 100 v8::Handle<v8::Value> V8Node::insertBeforeCallback(const v8::Arguments& args) … … 63 103 v8::Handle<v8::Object> holder = args.Holder(); 64 104 Node* imp = V8Node::toNative(holder); 105 106 if 
(imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) { 107 V8Proxy::setDOMException(NOT_SUPPORTED_ERR); 108 return v8::Handle<v8::Value>(); 109 } 110 65 111 ExceptionCode ec = 0; 66 112 Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; … … 82 128 v8::Handle<v8::Object> holder = args.Holder(); 83 129 Node* imp = V8Node::toNative(holder); 130 131 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) { 132 V8Proxy::setDOMException(NOT_SUPPORTED_ERR); 133 return v8::Handle<v8::Value>(); 134 } 135 84 136 ExceptionCode ec = 0; 85 137 Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; … … 100 152 v8::Handle<v8::Object> holder = args.Holder(); 101 153 Node* imp = V8Node::toNative(holder); 154 155 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) { 156 V8Proxy::setDOMException(NOT_SUPPORTED_ERR); 157 return v8::Handle<v8::Value>(); 158 } 159 102 160 ExceptionCode ec = 0; 103 161 Node* oldChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; … … 118 176 v8::Handle<v8::Object> holder = args.Holder(); 119 177 Node* imp = V8Node::toNative(holder); 178 179 if (imp->nodeType() == Node::ATTRIBUTE_NODE && isFrameSrc(V8Attr::toNative(holder)->ownerElement(), imp->nodeName())) { 180 V8Proxy::setDOMException(NOT_SUPPORTED_ERR); 181 return v8::Handle<v8::Value>(); 182 } 183 120 184 ExceptionCode ec = 0; 121 185 Node* newChild = V8Node::HasInstance(args[0]) ? V8Node::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0; -
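Review bot: isFrameSrc here, isAttrFrameSrc in JSNodeCustom.cpp and the tag/name test inside allowSettingSrcToJavascriptURL are now three copies of the same "frame or iframe, attribute named src" predicate, which is the condition most likely to change if another element or attribute is found to navigate a frame. Moving the predicate to one binding-neutral helper (next to allowSettingSrcToJavascriptURL, or on HTMLFrameElementBase) and calling it from both bindings keeps JSC and V8 from diverging on which attributes are protected. Minor style while touching it: `Element * ownerElement` and `Element *element` in this file should be `Element* ownerElement` / `Element* element` per WebKit style.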
trunk/WebCore/dom/Attr.idl
r56651 r57627 35 35 setter raises(DOMException); 36 36 37 #if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.38 attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue39 setter raises(DOMException);40 #endif41 42 37 // DOM Level 2 43 38 … … 48 43 readonly attribute boolean isId; 49 44 50 #if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.51 attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent52 setter raises(DOMException);53 #endif54 55 45 // extensions 56 46 readonly attribute CSSStyleDeclaration style; -
trunk/WebCore/dom/NamedNodeMap.idl
r52921 r57627 29 29 Node getNamedItem(in DOMString name); 30 30 31 Node setNamedItem(in Node node)31 [Custom] Node setNamedItem(in Node node) 32 32 raises(DOMException); 33 33 … … 47 47 /*raises(DOMException)*/; 48 48 49 Node setNamedItemNS(in Node node)49 [Custom] Node setNamedItemNS(in Node node) 50 50 raises(DOMException); 51 51 -
trunk/WebCore/dom/Node.idl
r55215 r57627 52 52 53 53 // FIXME: the spec says this can also raise on retrieval. 54 attribute [C onvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue54 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue 55 55 setter raises(DOMException); 56 56 … … 97 97 98 98 // FIXME: the spec says this can also raise on retrieval. 99 attribute [C onvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent99 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent 100 100 setter raises(DOMException); 101 101