Changeset 77033 in webkit


Timestamp:
Jan 28, 2011 4:57:05 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-01-28 Adam Barth <abarth@webkit.org>

Reviewed by Daniel Bates.

Teach XSSFilter about <meta> and <base> tags
https://bugs.webkit.org/show_bug.cgi?id=53339

I'm not 100% sure we need to block <meta http-equiv>, but it seems
prudent given how powerful that attribute is. We definitely need to
block injection of <base href> because that can redirect script tags
that use relative URLs.

  • html/parser/XSSFilter.cpp:
    (WebCore::XSSFilter::filterToken):
    (WebCore::XSSFilter::filterMetaToken):
    (WebCore::XSSFilter::filterBaseToken):
  • html/parser/XSSFilter.h:
Location:
trunk/Source/WebCore
Files:
3 edited

  • trunk/Source/WebCore/ChangeLog

    r77032 r77033  
     12011-01-28  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Daniel Bates.
     4
     5        Teach XSSFilter about <meta> and <base> tags
     6        https://bugs.webkit.org/show_bug.cgi?id=53339
     7
     8        I'm not 100% sure we need to block <meta http-equiv>, but it seems
     9        prudent given how powerful that attribute is.  We definitely need to
     10        block injection of <base href> because that can redirect script tags
     11        that use relative URLs.
     12
     13        * html/parser/XSSFilter.cpp:
     14        (WebCore::XSSFilter::filterToken):
     15        (WebCore::XSSFilter::filterMetaToken):
     16        (WebCore::XSSFilter::filterBaseToken):
     17        * html/parser/XSSFilter.h:
     18
    1192011-01-28  Adam Barth  <abarth@webkit.org>
    220
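Review bot: no test accompanies this change; lines 13-17 of the ChangeLog list only XSSFilter.cpp and XSSFilter.h, and the changeset touches 3 files with no LayoutTests entry, so the new erasure of injected <meta http-equiv> and <base href> attributes has no regression coverage. Add a layout test for each newly filtered attribute (the <base href> case redirecting a relative-URL script tag is the one lines 10-11 single out as the real risk) and list the test files in the ChangeLog alongside the source entries.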
  • trunk/Source/WebCore/html/parser/XSSFilter.cpp

    r77032 r77033  
    120120        return filterAppletToken(token);
    121121
     122    if (hasName(token, metaTag))
     123        return filterMetaToken(token);
     124
     125    if (hasName(token, baseTag))
     126        return filterBaseToken(token);
     127
    122128    for (size_t i = 0; i < token.attributes().size(); ++i) {
    123129        const HTMLToken::Attribute& attribute = token.attributes().at(i);
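Review bot: the early returns added at lines 122-126 mean a <meta> or <base> token never reaches the per-attribute loop at line 128, so any other injected attribute on those tags is not examined there. This mirrors the existing applet dispatch at line 120, but filterMetaToken and filterBaseToken each erase only a single attribute, so either confirm that the generic attribute scan is intentionally unnecessary for these two tags or fall through to the loop after the tag-specific filter instead of returning.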
     
    195201}
    196202
     203void XSSFilter::filterMetaToken(HTMLToken& token)
     204{
     205    ASSERT(m_state == Initial);
     206    ASSERT(token.type() == HTMLToken::StartTag);
     207    ASSERT(hasName(token, metaTag));
     208
     209    eraseAttributeIfInjected(token, http_equivAttr);
     210}
     211
     212void XSSFilter::filterBaseToken(HTMLToken& token)
     213{
     214    ASSERT(m_state == Initial);
     215    ASSERT(token.type() == HTMLToken::StartTag);
     216    ASSERT(hasName(token, baseTag));
     217
     218    eraseAttributeIfInjected(token, hrefAttr);
     219}
     220
    197221bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName& attributeName)
    198222{
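Review bot: lines 203-219 carry no comment stating which injection each filter defends against, and the uncertainty the commit message voices about <meta http-equiv> is not recorded anywhere in the code; add a one-line comment above each function (for example `// An injected <base href> can redirect script tags that use relative URLs.`) so the intent survives outside the ChangeLog. Separately, the calls at lines 209 and 218 discard the bool returned by eraseAttributeIfInjected (line 221); if that return value is used by the other filter functions to record that an injection was found, these two callers should do the same for consistency.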
  • trunk/Source/WebCore/html/parser/XSSFilter.h

    r77032 r77033  
    5151    void filterEmbedToken(HTMLToken&);
    5252    void filterAppletToken(HTMLToken&);
     53    void filterMetaToken(HTMLToken&);
     54    void filterBaseToken(HTMLToken&);
    5355
    5456    bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);