Issue 1167763002: Make XSSAuditor aware of ECMA6 template strings.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 1167763002: Make XSSAuditor aware of ECMA6 template strings. (Closed)

Created:
4 years, 11 months ago by Tom Sepez

Modified:
4 years, 11 months ago

Reviewers:
Mike West

CC:
blink-reviews, blink-reviews-html_chromium.org, dglazkov+blink

Base URL:
https://chromium.googlesource.com/chromium/blink.git@master

Target Ref:
refs/heads/master

Project:
blink

Visibility:
Public.

Make XSSAuditor aware of ECMA6 template strings. The multi-line nature of these mean that larger sections of the page can be excluded in the same way as a multi-line comment. BUG=495599 R=mkwst@chromium.org Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=196434

Created: 4 years, 11 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+7 lines, -4 lines)			Patch
A +	LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-template-string.html	View		1 chunk	+1 line, -1 line	0 comments	Download
A	LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-template-string-expected.txt	View		1 chunk	+2 lines, -0 lines	0 comments	Download
M	Source/core/html/parser/XSSAuditor.cpp	View	1	2 chunks	+4 lines, -3 lines	0 comments	Download

Total messages: 5 (1 generated)

Tom Sepez

Mike, for review. It's unclear whether this can be exploited without multiple injections, but its ...

4 years, 11 months ago (2015-06-02 19:16:50 UTC) #1

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1167763002/20001

4 years, 11 months ago (2015-06-03 19:09:10 UTC) #4

commit-bot: I haz the power

4 years, 11 months ago (2015-06-03 21:41:46 UTC) #5

Message was sent while issue was closed.

Committed patchset #2 (id:20001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=196434