https://bugs.webkit.org/show_bug.cgi?id=78732
Reviewed by Adam Barth.
Source/WebCore:
Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html
* html/parser/XSSAuditor.cpp:
(WebCore::isJSNewline):
(WebCore::XSSAuditor::snippetForJavaScript):
LayoutTests:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107967
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2012-02-16 Tom Sepez <tsepez@chromium.org>
+
+ XSS Auditor bypass with U+2028/2029
+ https://bugs.webkit.org/show_bug.cgi?id=78732
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html: Added.
+
2012-02-16 Abhishek Arya <inferno@chromium.org>
Fix clone() function to handle descendant classes of RenderBlock.
--- /dev/null
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script>//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))</script>">
+</iframe>
+</body>
+</html>
+2012-02-16 Tom Sepez <tsepez@chromium.org>
+
+ XSS Auditor bypass with U+2028/2029
+ https://bugs.webkit.org/show_bug.cgi?id=78732
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::isJSNewline):
+ (WebCore::XSSAuditor::snippetForJavaScript):
+
2012-02-15 Mark Rowe <mrowe@apple.com>
NPN_GetValueForURL / NPNURLVProxy returns DIRECT when proxy configured via PAC
return (c == '"' || c == '\'');
}
-static bool isHTMLNewline(UChar c)
+static bool isJSNewline(UChar c)
{
- return (c == '\n' || c == '\r');
+ // Per ecma-262 section 7.3 Line Terminators.
+ return (c == '\n' || c == '\r' || c == 0x2028 || c == 0x2029);
}
static bool startsHTMLEndTagAt(const String& string, size_t start)
while (startPosition < endPosition && isHTMLSpace(string[startPosition]))
startPosition++;
if (startsHTMLCommentAt(string, startPosition) || startsSingleLineCommentAt(string, startPosition)) {
- while (startPosition < endPosition && !isHTMLNewline(string[startPosition]))
+ while (startPosition < endPosition && !isJSNewline(string[startPosition]))
startPosition++;
} else if (startsMultiLineCommentAt(string, startPosition)) {
if ((foundPosition = string.find("*/", startPosition)) != notFound)