Changeset 77033 in webkit
- Timestamp: Jan 28, 2011 4:57:05 PM (13 years ago)
- Location: trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r77032 r77033 1 2011-01-28 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 Teach XSSFilter about <meta> and <base> tags 6 https://bugs.webkit.org/show_bug.cgi?id=53339 7 8 I'm not 100% sure we need to block <meta http-equiv>, but it seems 9 prudent given how powerful that attribute is. We definitely need to 10 block injection of <base href> because that can redirect script tags 11 that use relative URLs. 12 13 * html/parser/XSSFilter.cpp: 14 (WebCore::XSSFilter::filterToken): 15 (WebCore::XSSFilter::filterMetaToken): 16 (WebCore::XSSFilter::filterBaseToken): 17 * html/parser/XSSFilter.h: 18 1 19 2011-01-28 Adam Barth <abarth@webkit.org> 2 20 -
trunk/Source/WebCore/html/parser/XSSFilter.cpp
r77032 r77033 120 120 return filterAppletToken(token); 121 121 122 if (hasName(token, metaTag)) 123 return filterMetaToken(token); 124 125 if (hasName(token, baseTag)) 126 return filterBaseToken(token); 127 122 128 for (size_t i = 0; i < token.attributes().size(); ++i) { 123 129 const HTMLToken::Attribute& attribute = token.attributes().at(i); … … 195 201 } 196 202 203 void XSSFilter::filterMetaToken(HTMLToken& token) 204 { 205 ASSERT(m_state == Initial); 206 ASSERT(token.type() == HTMLToken::StartTag); 207 ASSERT(hasName(token, metaTag)); 208 209 eraseAttributeIfInjected(token, http_equivAttr); 210 } 211 212 void XSSFilter::filterBaseToken(HTMLToken& token) 213 { 214 ASSERT(m_state == Initial); 215 ASSERT(token.type() == HTMLToken::StartTag); 216 ASSERT(hasName(token, baseTag)); 217 218 eraseAttributeIfInjected(token, hrefAttr); 219 } 220 197 221 bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName) 198 222 { -
trunk/Source/WebCore/html/parser/XSSFilter.h
r77032 r77033 51 51 void filterEmbedToken(HTMLToken&); 52 52 void filterAppletToken(HTMLToken&); 53 void filterMetaToken(HTMLToken&); 54 void filterBaseToken(HTMLToken&); 53 55 54 56 bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);
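Review bot: no regression test accompanies the new <meta> and <base> handling. The changeset lists 3 edited files, all under trunk/Source/WebCore (ChangeLog, XSSFilter.cpp, XSSFilter.h), and the ChangeLog entry names no test. Suggest adding tests for a reflected <meta http-equiv> and a reflected <base href>, plus cases where the same attributes are part of the page itself, to confirm eraseAttributeIfInjected leaves those untouched.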
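Review bot: in the first XSSFilter.cpp hunk, the new early returns in filterToken ("if (hasName(token, metaTag)) return filterMetaToken(token);" and the matching baseTag branch) sit above the "for (size_t i = 0; i < token.attributes().size(); ++i)" loop, so that per-attribute loop never runs for <meta> or <base> start tags. After this change only http-equiv and href are examined on those tags. If the loop is meant to apply to every start tag, consider calling the tag-specific filter and then falling through instead of returning, or add a comment stating that skipping the loop for these tags is intentional.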
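Review bot: filterMetaToken and filterBaseToken in the second XSSFilter.cpp hunk have no comment saying why these particular attributes are erased; the reasoning exists only in the ChangeLog entry (http-equiv blocked as a precaution, base href because it can redirect script tags that use relative URLs). A one-line comment above each eraseAttributeIfInjected call would keep that rationale next to the code, which matters most for the http-equiv case since the ChangeLog describes it as uncertain.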