Changeset 59241 in webkit

Timestamp:

May 12, 2010 11:13:00 AM (14 years ago)

Author:

Darin Adler

Message:

2010-05-12 Abhishek Arya <​inferno@chromium.org>

Reviewed by Darin Adler.

HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties.
​https://bugs.webkit.org/show_bug.cgi?id=38922

Test: fast/encoding/textnode-XSS.html

• editing/markup.cpp: (WebCore::appendStartMarkup):

2010-05-12 Abhishek Arya <​inferno@chromium.org>

Reviewed by Darin Adler.

Tests that accessing the innerHTML property of a text node encodes
entities properly. Update existing test to fix the innerHTML result.
​https://bugs.webkit.org/show_bug.cgi?id=38922

• fast/innerHTML/innerHTML-special-elements-expected.txt: Added.
• fast/innerHTML/innerHTML-special-elements.html: Added.

• fast/parser/comment-in-textarea-expected.txt: Update test expectation.
• fast/parser/script-tests/comment-in-textarea.js: Update test by replacing with html entities of <, > chars in textarea innerHTML result.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/innerHTML/innerHTML-special-elements-expected.txt (added)
• LayoutTests/fast/innerHTML/innerHTML-special-elements.html (added)
• LayoutTests/fast/parser/comment-in-textarea-expected.txt (modified) (1 diff)
• LayoutTests/fast/parser/script-tests/comment-in-textarea.js (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/editing/markup.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-05-12  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Tests that accessing the innerHTML property of a text node encodes
+        entities properly. Update existing test to fix the innerHTML result.
+        https://bugs.webkit.org/show_bug.cgi?id=38922
+
+        * fast/innerHTML/innerHTML-special-elements-expected.txt: Added.
+        * fast/innerHTML/innerHTML-special-elements.html: Added.
+
+        * fast/parser/comment-in-textarea-expected.txt: Update test expectation.
+        * fast/parser/script-tests/comment-in-textarea.js: Update test by
+        replacing with html entities of <, > chars in textarea innerHTML result.
+
 2010-05-11  Ilya Tikhonovsky  <loislo@chromium.org>
 

trunk/LayoutTests/fast/parser/comment-in-textarea-expected.txt

@@ -5 +5 @@
 
 PASS textAreas.length is 1
-PASS textAreas[0].innerHTML is "<!-- </textarea> --> This should be part of the textarea"
+PASS textAreas[0].innerHTML is "&lt;!-- &lt;/textarea&gt; --&gt; This should be part of the textarea"
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/parser/script-tests/comment-in-textarea.js

@@ -7 +7 @@
 var textAreas = document.getElementsByTagName("textarea");
 shouldBe("textAreas.length", "1");
-shouldBeEqualToString("textAreas[0].innerHTML", "<!-- </textarea> --> This should be part of the textarea");
+shouldBeEqualToString("textAreas[0].innerHTML", "&lt;!-- &lt;/textarea&gt; --&gt; This should be part of the textarea");
 
 var successfullyParsed = true;

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-05-12  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties.
+        https://bugs.webkit.org/show_bug.cgi?id=38922
+
+        Test: fast/encoding/textnode-XSS.html
+
+        * editing/markup.cpp:
+        (WebCore::appendStartMarkup):
+
 2010-05-12  Beth Dakin  <bdakin@apple.com>
 

trunk/WebCore/editing/markup.cpp

@@ -405 +405 @@
                 if (parent->hasTagName(scriptTag)
                     || parent->hasTagName(styleTag)
-                    || parent->hasTagName(textareaTag)
                     || parent->hasTagName(xmpTag)) {
                     appendUCharRange(result, ucharRange(node, range));
+                    break;
+                } else if (parent->hasTagName(textareaTag)) {
+                    appendEscapedContent(result, ucharRange(node, range), documentIsHTML);                    
                     break;
                 }