Changeset 86087 in webkit
- Timestamp:
- May 9, 2011 2:20:21 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 2 edited
trunk/Source/WebCore/ChangeLog
r86085 r86087 1 2011-05-09 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 XSSAuditor should be more selective about the <meta http-equivs> that it blocks 6 https://bugs.webkit.org/show_bug.cgi?id=60489 7 8 We don't need to filter most http-equiv attributes. This patch 9 introduces a blacklist for two that we probably do want to filter. 10 It's possible a whitelist would be more appropriate, but I'm inclined 11 to start with a blacklist and see how it works. 12 13 This patch will hopefully fix a false positive that is causing errors 14 with copy-and-pasted text in Gmail in some configurations (due to using 15 the <meta> tag to request UTF-8 encoding both in the pasted text and in 16 the page itself). 17 18 * html/parser/XSSFilter.cpp: 19 (WebCore::isNonCanonicalCharacter): 20 (WebCore::canonicalize): 21 (WebCore::isRequiredForInjection): 22 (WebCore::hasName): 23 (WebCore::findAttributeWithName): 24 (WebCore::isNameOfInlineEventHandler): 25 (WebCore::isDangerousHTTPEquiv): 26 - This function is new in the patch and includes a blacklist of 27 dangerous http-equivs. Many of the other functions listed here 28 are just being moved from an anonymous namespace to use static 29 for internal linkage. 30 (WebCore::containsJavaScriptURL): 31 (WebCore::decodeURL): 32 (WebCore::XSSFilter::eraseAttributeIfInjected): 33 1 34 2011-05-05 Matthew Delaney <mdelaney@apple.com> 2 35 -
trunk/Source/WebCore/html/parser/XSSFilter.cpp
r85484 r86087 45 45 using namespace HTMLNames; 46 46 47 namespace { 48 49 bool isNonCanonicalCharacter(UChar c) 47 static bool isNonCanonicalCharacter(UChar c) 50 48 { 51 49 // We remove all non-ASCII characters, including non-printable ASCII characters. … … 59 57 } 60 58 61 String canonicalize(const String& string)59 static String canonicalize(const String& string) 62 60 { 63 61 return string.removeCharacters(&isNonCanonicalCharacter); 64 62 } 65 63 66 bool isRequiredForInjection(UChar c)64 static bool isRequiredForInjection(UChar c) 67 65 { 68 66 return (c == '\'' || c == '"' || c == '<' || c == '>'); 69 67 } 70 68 71 bool hasName(const HTMLToken& token, const QualifiedName& name)69 static bool hasName(const HTMLToken& token, const QualifiedName& name) 72 70 { 73 71 return equalIgnoringNullity(token.name(), static_cast<const String&>(name.localName())); 74 72 } 75 73 76 bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute)74 static bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute) 77 75 { 78 76 for (size_t i = 0; i < token.attributes().size(); ++i) { … … 85 83 } 86 84 87 bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name)85 static bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name) 88 86 { 89 87 const size_t lengthOfShortestInlineEventHandlerName = 5; // To wit: oncut. 
… … 93 91 } 94 92 95 bool containsJavaScriptURL(const Vector<UChar, 32>& value) 93 static bool isDangerousHTTPEquiv(const String& value) 94 { 95 String equiv = value.stripWhiteSpace(); 96 return equalIgnoringCase(equiv, "refresh") || equalIgnoringCase(equiv, "set-cookie"); 97 } 98 99 static bool containsJavaScriptURL(const Vector<UChar, 32>& value) 96 100 { 97 101 static const char javaScriptScheme[] = "javascript:"; … … 110 114 } 111 115 112 String decodeURL(const String& string, const TextEncoding& encoding)116 static String decodeURL(const String& string, const TextEncoding& encoding) 113 117 { 114 118 String workingString = string; … … 121 125 return canonicalize(workingString); 122 126 return canonicalize(decodedString); 123 }124 125 127 } 126 128 … … 422 424 if (attributeName == srcAttr && isSameOriginResource(String(attribute.m_value.data(), attribute.m_value.size()))) 423 425 return false; 426 if (attributeName == http_equivAttr && !isDangerousHTTPEquiv(String(attribute.m_value.data(), attribute.m_value.size()))) 427 return false; 424 428 token.eraseValueOfAttribute(indexOfAttribute); 425 429 if (!replacementValue.isEmpty())
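Review bot: The new blacklist in isDangerousHTTPEquiv deliberately lets a reflected `<meta http-equiv="content-type">` through, yet an attacker-chosen charset in its content attribute (the classic UTF-7 trick) has historically been an XSS vector in browsers that still decode such encodings; whether this WebKit build still accepts UTF-7 is not visible in the hunk, so the decision should at least be recorded next to the function. Suggested comment above `static bool isDangerousHTTPEquiv(const String& value)`: `// Deliberately a blacklist (bug 60489): content-type is allowed through to avoid false positives on pasted charset declarations; revisit if the decoder honours attacker-selectable encodings such as UTF-7.` The `stripWhiteSpace()` before the comparison presumably mirrors how HTMLMetaElement matches the attribute — worth confirming, since a stricter match here than in the element would let a padded value bypass the filter. A smaller nit: `String(attribute.m_value.data(), attribute.m_value.size())` is now built twice in eraseAttributeIfInjected, once for the src check and once for the http-equiv check; hoisting it into one local before both checks would read better. eraseAttributeIfInjected's body begins and ends outside the hunk.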