Changeset 79106 in webkit

Timestamp:

Feb 19, 2011 12:12:02 AM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-02-19 Adam Barth <​abarth@webkit.org>

Reviewed by Daniel Bates.

Fix xssAuditor/iframe-injection.html
​https://bugs.webkit.org/show_bug.cgi?id=54591

Update expected results to show that we pass.

• http/tests/security/xssAuditor/iframe-injection-expected.txt:

2011-02-19 Adam Barth <​abarth@webkit.org>

Reviewed by Daniel Bates.

Fix xssAuditor/iframe-injection.html
​https://bugs.webkit.org/show_bug.cgi?id=54591

We should block the iframe src attribute. Although this technically
can't be used to run script, it's a pretty easy vector for stealing
passwords.

• html/parser/XSSFilter.cpp: (WebCore::XSSFilter::filterTokenInitial): (WebCore::XSSFilter::filterIframeToken):
• html/parser/XSSFilter.h:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/XSSFilter.cpp (modified) (2 diffs)
• Source/WebCore/html/parser/XSSFilter.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-02-19  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Fix xssAuditor/iframe-injection.html
+        https://bugs.webkit.org/show_bug.cgi?id=54591
+
+        Update expected results to show that we pass.
+
+        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
+
 2011-02-18  Andrew Wilson  <atwilson@chromium.org>
 

trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
 
+

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-02-19  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Fix xssAuditor/iframe-injection.html
+        https://bugs.webkit.org/show_bug.cgi?id=54591
+
+        We should block the iframe src attribute.  Although this technically
+        can't be used to run script, it's a pretty easy vector for stealing
+        passwords.
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::XSSFilter::filterTokenInitial):
+        (WebCore::XSSFilter::filterIframeToken):
+        * html/parser/XSSFilter.h:
+
 2011-02-18  Tony Gentilcore  <tonyg@chromium.org>
 

trunk/Source/WebCore/html/parser/XSSFilter.cpp

@@ -246 +246 @@
     else if (hasName(token, appletTag))
         didBlockScript |= filterAppletToken(token);
+    else if (hasName(token, iframeTag))
+        didBlockScript |= filterIframeToken(token);
     else if (hasName(token, metaTag))
         didBlockScript |= filterMetaToken(token);
@@ -352 +354 @@
 
     return didBlockScript;
+}
+
+bool XSSFilter::filterIframeToken(HTMLToken& token)
+{
+    ASSERT(m_state == Initial);
+    ASSERT(token.type() == HTMLToken::StartTag);
+    ASSERT(hasName(token, iframeTag));
+
+    return eraseAttributeIfInjected(token, srcAttr);
 }
 

trunk/Source/WebCore/html/parser/XSSFilter.h

@@ -59 +59 @@
     bool filterEmbedToken(HTMLToken&);
     bool filterAppletToken(HTMLToken&);
+    bool filterIframeToken(HTMLToken&);
     bool filterMetaToken(HTMLToken&);
     bool filterBaseToken(HTMLToken&);