Changeset 77059 in webkit
- Timestamp: Jan 29, 2011 1:20:44 AM
- Location: trunk/Source/WebCore
- Files: 2 edited
trunk/Source/WebCore/ChangeLog
r77058 r77059 1 2011-01-29 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 XSSFilter should pass xssAuditor/script-tag-addslashes* 6 https://bugs.webkit.org/show_bug.cgi?id=53365 7 8 We need to canonicalize strings to avoid being tricked by addslashes. 9 10 * html/parser/XSSFilter.cpp: 11 (WebCore::HTMLNames::isNonCanonicalCharacter): 12 - This function is copied from the XSSAuditor (with some tweaks). 13 We'll eventually remove the XSSAuditor once we've got XSSFilter 14 working properly. 15 (WebCore::HTMLNames::canonicalize): 16 (WebCore::HTMLNames::decodeURL): 17 (WebCore::XSSFilter::isContainedInRequest): 18 1 19 2011-01-29 Adam Barth <abarth@webkit.org> 2 20 -
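Review bot: the ChangeLog entry lists canonicalize, decodeURL and isContainedInRequest without describing what changed in them, and it does not record the trade-off the new code comment admits (canonicalization drops every '0' and backslash, so "http://localhost:8000" and "http://localhost:8" compare equal). Suggest one line per function, e.g. "(WebCore::XSSFilter::isContainedInRequest): Canonicalize the snippet before searching the decoded URL and body.", plus a sentence on the known false-positive risk and which script-tag-addslashes tests now pass.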
trunk/Source/WebCore/html/parser/XSSFilter.cpp
r77058 r77059 46 46 namespace { 47 47 48 bool isNonCanonicalCharacter(UChar c) 49 { 50 // We remove all non-ASCII characters, including non-printable ASCII characters. 51 // 52 // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character. 53 // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the 54 // adverse effect that we remove any legitimate zeros from a string. 55 // 56 // For instance: new String("http://localhost:8000") => new String("http://localhost:8"). 57 return (c == '\\' || c == '0' || c == '\0' || c >= 127); 58 } 59 60 String canonicalize(const String& string) 61 { 62 return string.removeCharacters(&isNonCanonicalCharacter); 63 } 64 48 65 bool hasName(const HTMLToken& token, const QualifiedName& name) 49 66 { … … 79 96 // FIXME: Is this check necessary? 80 97 if (decodedString.isEmpty()) 81 return workingString;82 return decodedString;98 return canonicalize(workingString); 99 return canonicalize(decodedString); 83 100 } 84 101 … … 325 342 bool XSSFilter::isContainedInRequest(const String& snippet) 326 343 { 327 return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound; 344 String canonicalizedSnippet = canonicalize(snippet); 345 return m_decodedURL.find(canonicalizedSnippet, 0, false) != notFound 346 || m_decodedHTTPBody.find(canonicalizedSnippet, 0, false) != notFound; 328 347 } 329 348
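Review bot: in the isNonCanonicalCharacter/canonicalize hunk, the comment documents that stripping '0' mangles legitimate input but nothing records the consequence for the filter: two strings that differ only in zeros or backslashes become identical after canonicalize, so a script inlined by the page can match unrelated request content. Suggest a test that exercises a zero-only difference on both sides, and a comment line stating that the lossy canonicalization is accepted in exchange for resisting addslashes-style escaping.

Review bot: in the decodeURL hunk, both branches now return canonicalize(...), which leaves the FIXME "Is this check necessary?" unanswered while duplicating the call. Either resolve the FIXME or collapse the two returns into one: `return canonicalize(decodedString.isEmpty() ? workingString : decodedString);`.

Review bot: in the isContainedInRequest hunk, the match is only sound if m_decodedURL and m_decodedHTTPBody were produced by the same decodeURL path that now canonicalizes its result; the hunk does not show where m_decodedHTTPBody is populated, so please confirm it goes through decodeURL as well, otherwise needle and haystack are normalized differently and the search silently fails. Also consider an explicit guard for an empty canonicalizedSnippet: canonicalize can reduce a snippet consisting only of zeros and backslashes to "", and the empty-string handling decodeURL already worries about (its isEmpty check) is absent here.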