Changeset 77041 in webkit

Timestamp:

Jan 28, 2011 6:08:44 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-01-28 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

XSSFilter should log to the console when it blocks something
​https://bugs.webkit.org/show_bug.cgi?id=53354

This patch refactors a bunch of methods in XSSFilter to return a bool
indicating whether they blocked anything. Using this bool, we decide
whether to log to the console. We're using the same log message as the
XSSAuditor, but it seems likely we can improve this message in the
future (especially by piping in the correct line number, which is now
accessible via the parser).

• html/parser/XSSFilter.cpp: (WebCore::HTMLNames::isNameOfInlineEventHandler): (WebCore::XSSFilter::filterToken): (WebCore::XSSFilter::filterTokenInitial): (WebCore::XSSFilter::filterTokenAfterScriptStartTag): (WebCore::XSSFilter::filterScriptToken): (WebCore::XSSFilter::filterObjectToken): (WebCore::XSSFilter::filterEmbedToken): (WebCore::XSSFilter::filterAppletToken): (WebCore::XSSFilter::filterMetaToken): (WebCore::XSSFilter::filterBaseToken): (WebCore::XSSFilter::eraseInlineEventHandlersIfInjected):
• html/parser/XSSFilter.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/XSSFilter.cpp (modified) (10 diffs)
• html/parser/XSSFilter.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-01-28  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        XSSFilter should log to the console when it blocks something
+        https://bugs.webkit.org/show_bug.cgi?id=53354
+
+        This patch refactors a bunch of methods in XSSFilter to return a bool
+        indicating whether they blocked anything.  Using this bool, we decide
+        whether to log to the console.  We're using the same log message as the
+        XSSAuditor, but it seems likely we can improve this message in the
+        future (especially by piping in the correct line number, which is now
+        accessible via the parser).
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::HTMLNames::isNameOfInlineEventHandler):
+        (WebCore::XSSFilter::filterToken):
+        (WebCore::XSSFilter::filterTokenInitial):
+        (WebCore::XSSFilter::filterTokenAfterScriptStartTag):
+        (WebCore::XSSFilter::filterScriptToken):
+        (WebCore::XSSFilter::filterObjectToken):
+        (WebCore::XSSFilter::filterEmbedToken):
+        (WebCore::XSSFilter::filterAppletToken):
+        (WebCore::XSSFilter::filterMetaToken):
+        (WebCore::XSSFilter::filterBaseToken):
+        (WebCore::XSSFilter::eraseInlineEventHandlersIfInjected):
+        * html/parser/XSSFilter.h:
+
 2011-01-28  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/html/parser/XSSFilter.cpp

@@ -61 +61 @@
 }
 
-bool isNameOfScriptCarryingAttribute(const Vector<UChar, 32>& name)
-{
-    const size_t lengthOfShortestScriptCarryingAttribute = 5; // To wit: oncut.
-    if (name.size() < lengthOfShortestScriptCarryingAttribute)
+bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name)
+{
+    const size_t lengthOfShortestInlineEventHandlerName = 5; // To wit: oncut.
+    if (name.size() < lengthOfShortestInlineEventHandlerName)
         return false;
     return name[0] == 'o' && name[1] == 'n';
@@ -105 +105 @@
         return;
 
+    bool didBlockScript = false;
+
     switch (m_state) {
     case Initial: 
+        didBlockScript = filterTokenInitial(token);
         break;
     case AfterScriptStartTag:
-        filterTokenAfterScriptStartTag(token);
+        didBlockScript = filterTokenAfterScriptStartTag(token);
         ASSERT(m_state == Initial);
         m_cachedSnippet = String();
-        return;
-    }
+        break;
+    }
+
+    if (didBlockScript) {
+        // FIXME: Consider using a more helpful console message.
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
+        // FIXME: We should add the real line number to the console.
+        m_parser->document()->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
+    }
+#endif
+}
+
+bool XSSFilter::filterTokenInitial(HTMLToken& token)
+{
+    ASSERT(m_state == Initial);
 
     if (token.type() != HTMLToken::StartTag)
-        return;
+        return false;
+
+    bool didBlockScript = eraseInlineEventHandlersIfInjected(token);
 
     if (hasName(token, scriptTag))
-        return filterScriptToken(token);
-
-    if (hasName(token, objectTag))
-        return filterObjectToken(token);
-
-    if (hasName(token, embedTag))
-        return filterEmbedToken(token);
-
-    if (hasName(token, appletTag))
-        return filterAppletToken(token);
-
-    if (hasName(token, metaTag))
-        return filterMetaToken(token);
-
-    if (hasName(token, baseTag))
-        return filterBaseToken(token);
-
-    for (size_t i = 0; i < token.attributes().size(); ++i) {
-        const HTMLToken::Attribute& attribute = token.attributes().at(i);
-        if (!isNameOfScriptCarryingAttribute(attribute.m_name))
-            continue;
-        if (!isContainedInRequest(snippetForAttribute(token, attribute)))
-            continue;
-        token.eraseValueOfAttribute(i);
-    }
-#endif
-}
-
-void XSSFilter::filterTokenAfterScriptStartTag(HTMLToken& token)
+        didBlockScript |= filterScriptToken(token);
+    else if (hasName(token, objectTag))
+        didBlockScript |= filterObjectToken(token);
+    else if (hasName(token, embedTag))
+        didBlockScript |= filterEmbedToken(token);
+    else if (hasName(token, appletTag))
+        didBlockScript |= filterAppletToken(token);
+    else if (hasName(token, metaTag))
+        didBlockScript |= filterMetaToken(token);
+    else if (hasName(token, baseTag))
+        didBlockScript |= filterBaseToken(token);
+
+    return didBlockScript;
+}
+
+bool XSSFilter::filterTokenAfterScriptStartTag(HTMLToken& token)
 {
     ASSERT(m_state == AfterScriptStartTag);
@@ -154 +159 @@
     if (token.type() != HTMLToken::Character) {
         ASSERT(token.type() == HTMLToken::EndTag || token.type() == HTMLToken::EndOfFile);
-        return;
+        return false;
     }
 
@@ -164 +169 @@
         token.eraseCharacters();
         token.appendToCharacter(' '); // Technically, character tokens can't be empty.
-    }
-}
-
-void XSSFilter::filterScriptToken(HTMLToken& token)
+        return true;
+    }
+    return false;
+}
+
+bool XSSFilter::filterScriptToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -174 +181 @@
 
     if (eraseAttributeIfInjected(token, srcAttr))
-        return;
+        return true;
 
     m_state = AfterScriptStartTag;
     m_cachedSnippet = m_parser->sourceForToken(token);
-}
-
-void XSSFilter::filterObjectToken(HTMLToken& token)
+    return false;
+}
+
+bool XSSFilter::filterObjectToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -186 +194 @@
     ASSERT(hasName(token, objectTag));
 
-    eraseAttributeIfInjected(token, dataAttr);
-    eraseAttributeIfInjected(token, typeAttr);
-    eraseAttributeIfInjected(token, classidAttr);
-}
-
-void XSSFilter::filterEmbedToken(HTMLToken& token)
+    bool didBlockScript = false;
+
+    didBlockScript |= eraseAttributeIfInjected(token, dataAttr);
+    didBlockScript |= eraseAttributeIfInjected(token, typeAttr);
+    didBlockScript |= eraseAttributeIfInjected(token, classidAttr);
+
+    return didBlockScript;
+}
+
+bool XSSFilter::filterEmbedToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -197 +209 @@
     ASSERT(hasName(token, embedTag));
 
-    eraseAttributeIfInjected(token, srcAttr);
-    eraseAttributeIfInjected(token, typeAttr);
-}
-
-void XSSFilter::filterAppletToken(HTMLToken& token)
+    bool didBlockScript = false;
+
+    didBlockScript |= eraseAttributeIfInjected(token, srcAttr);
+    didBlockScript |= eraseAttributeIfInjected(token, typeAttr);
+
+    return didBlockScript;
+}
+
+bool XSSFilter::filterAppletToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -207 +223 @@
     ASSERT(hasName(token, appletTag));
 
-    eraseAttributeIfInjected(token, codeAttr);
-    eraseAttributeIfInjected(token, objectAttr);
-}
-
-void XSSFilter::filterMetaToken(HTMLToken& token)
+    bool didBlockScript = false;
+
+    didBlockScript |= eraseAttributeIfInjected(token, codeAttr);
+    didBlockScript |= eraseAttributeIfInjected(token, objectAttr);
+
+    return didBlockScript;
+}
+
+bool XSSFilter::filterMetaToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -217 +237 @@
     ASSERT(hasName(token, metaTag));
 
-    eraseAttributeIfInjected(token, http_equivAttr);
-}
-
-void XSSFilter::filterBaseToken(HTMLToken& token)
+    return eraseAttributeIfInjected(token, http_equivAttr);
+}
+
+bool XSSFilter::filterBaseToken(HTMLToken& token)
 {
     ASSERT(m_state == Initial);
@@ -226 +246 @@
     ASSERT(hasName(token, baseTag));
 
-    eraseAttributeIfInjected(token, hrefAttr);
+    return eraseAttributeIfInjected(token, hrefAttr);
+}
+
+bool XSSFilter::eraseInlineEventHandlersIfInjected(HTMLToken& token)
+{
+    bool didBlockScript = false;
+    for (size_t i = 0; i < token.attributes().size(); ++i) {
+        const HTMLToken::Attribute& attribute = token.attributes().at(i);
+        if (!isNameOfInlineEventHandler(attribute.m_name))
+            continue;
+        if (!isContainedInRequest(snippetForAttribute(token, attribute)))
+            continue;
+        token.eraseValueOfAttribute(i);
+        didBlockScript = true;
+    }
+    return didBlockScript;
 }
 

trunk/Source/WebCore/html/parser/XSSFilter.h

@@ -46 +46 @@
     };
 
-    void filterTokenAfterScriptStartTag(HTMLToken&);
-    void filterScriptToken(HTMLToken&);
-    void filterObjectToken(HTMLToken&);
-    void filterEmbedToken(HTMLToken&);
-    void filterAppletToken(HTMLToken&);
-    void filterMetaToken(HTMLToken&);
-    void filterBaseToken(HTMLToken&);
+    bool filterTokenInitial(HTMLToken&);
+    bool filterTokenAfterScriptStartTag(HTMLToken&);
 
+    bool filterScriptToken(HTMLToken&);
+    bool filterObjectToken(HTMLToken&);
+    bool filterEmbedToken(HTMLToken&);
+    bool filterAppletToken(HTMLToken&);
+    bool filterMetaToken(HTMLToken&);
+    bool filterBaseToken(HTMLToken&);
+
+    bool eraseInlineEventHandlersIfInjected(HTMLToken&);
     bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&);