+2011-09-22 Tom Sepez <tsepez@chromium.org>
+
+ Make XSSAuditor extract meaningful snippet from script blocks for comparison
+ against the URL when checking for reflection. Avoids getting caugh up in
+ trailing comments.
+ https://bugs.webkit.org/show_bug.cgi?id=68094
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment.html: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment2.html: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment3.html: Added.
+
2011-09-22 Ben Wells <benwells@chromium.org>
Rebaseline for bug 65583 (path based border radius drawing on skia) part 5
+2011-09-22 Tom Sepez <tsepez@chromium.org>
+
+ Make XSSAuditor extract meaningful snippet from script blocks for comparison
+ against the URL when checking for reflection. Avoids getting caugh up in
+ trailing comments.
+ https://bugs.webkit.org/show_bug.cgi?id=68094
+
+ Reviewed by Adam Barth.
+
+ Tests: http/tests/security/xssAuditor/script-tag-with-trailing-comment.html
+ http/tests/security/xssAuditor/script-tag-with-trailing-comment2.html
+ http/tests/security/xssAuditor/script-tag-with-trailing-comment3.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::filterTokenAfterScriptStartTag):
+ (WebCore::XSSAuditor::extractCodeFragment):
+ * html/parser/XSSAuditor.h:
+
2011-09-22 Nate Chapin <japhet@chromium.org>
Remove didReceiveAuthenticationChallenge() from SubresourceLoaderClient.
return (c == '"' || c == '\'');
}
+static bool isHTMLNewline(UChar c)
+{
+ return (c == '\n' || c == '\r');
+}
+
+static bool startsHTMLCommentAt(const String& string, size_t start)
+{
+ return (start + 3 < string.length() && string[start] == '<' && string[start+1] == '!' && string[start+2] == '-' && string[start+3] == '-');
+}
+
+static bool startsSingleLineCommentAt(const String& string, size_t start)
+{
+ return (start + 1 < string.length() && string[start] == '/' && string[start+1] == '/');
+}
+
+static bool startsMultiLineCommentAt(const String& string, size_t start)
+{
+ return (start + 1 < string.length() && string[start] == '/' && string[start+1] == '*');
+}
+
static bool hasName(const HTMLToken& token, const QualifiedName& name)
{
return equalIgnoringNullity(token.name(), static_cast<const String&>(name.localName()));
return false;
}
- int start = 0;
- // FIXME: We probably want to grab only the first few characters of the
- // contents of the script element.
- int end = token.endIndex() - token.startIndex();
- String snippet = m_cachedSnippet + snippetForRange(token, start, end);
- if (isContainedInRequest(fullyDecodeString(snippet, m_parser->document()->decoder()))) {
- token.eraseCharacters();
- token.appendToCharacter(' '); // Technically, character tokens can't be empty.
- return true;
+ TextResourceDecoder* decoder = m_parser->document()->decoder();
+ if (isContainedInRequest(fullyDecodeString(m_cachedSnippet, decoder))) {
+ int start = 0;
+ int end = token.endIndex() - token.startIndex();
+ String snippet = snippetForJavaScript(snippetForRange(token, start, end));
+ if (isContainedInRequest(fullyDecodeString(snippet, decoder))) {
+ token.eraseCharacters();
+ token.appendToCharacter(' '); // Technically, character tokens can't be empty.
+ return true;
+ }
}
return false;
}
return (m_parser->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
}
+
+String XSSAuditor::snippetForJavaScript(const String& string)
+{
+ const size_t kMaximumFragmentLengthTarget = 100;
+
+ size_t startPosition = 0;
+ size_t endPosition = string.length();
+ size_t foundPosition = notFound;
+
+ // Skip over initial comments to find start of code.
+ while (startPosition < endPosition) {
+ while (startPosition < endPosition && isHTMLSpace(string[startPosition]))
+ startPosition++;
+ if (startsHTMLCommentAt(string, startPosition) || startsSingleLineCommentAt(string, startPosition)) {
+ while (startPosition < endPosition && !isHTMLNewline(string[startPosition]))
+ startPosition++;
+ } else if (startsMultiLineCommentAt(string, startPosition)) {
+ if ((foundPosition = string.find("*/", startPosition)) != notFound)
+ startPosition = foundPosition + 2;
+ else
+ startPosition = endPosition;
+ } else
+ break;
+ }
+
+ // Stop at next comment or when we exceed the maximum length target. After hitting the
+ // length target, we can only stop at a point where we know we are not in the middle of
+ // a %-escape sequence. A simple way to do this is to break on whitespace only.
+ for (foundPosition = startPosition; foundPosition < endPosition; foundPosition++) {
+ if (startsSingleLineCommentAt(string, foundPosition) || startsMultiLineCommentAt(string, foundPosition)) {
+ endPosition = foundPosition + 2;
+ break;
+ }
+ if (startsHTMLCommentAt(string, foundPosition)) {
+ endPosition = foundPosition + 4;
+ break;
+ }
+ if (foundPosition > startPosition + kMaximumFragmentLengthTarget && isHTMLSpace(string[foundPosition])) {
+ endPosition = foundPosition;
+ break;
+ }
+ }
+
+ return string.substring(startPosition, endPosition - startPosition);
}
+
+} // namespace WebCore