Side by Side Diff: Source/core/dom/Element.cpp

Issue 1171223004: Sanitize SVG animation attributes which could set JavaScript URL values. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 5 years, 6 months ago
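--- a/Source/core/dom/Element.cpp
+++ b/Source/core/dom/Element.cpp
@@ -1,10 +1,10 @@
 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  * (C) 1999 Antti Koivisto (koivisto@kde.org)
  * (C) 2001 Peter Kelly (pmk@post.com)
  * (C) 2001 Dirk Mueller (mueller@kde.org)
  * (C) 2007 David Smith (catfish.man@gmail.com)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2013 Apple Inc. All rights reserved.
  * (C) 2007 Eric Seidel (eric@webkit.org)
  *
  * This library is free software; you can redistribute it and/or
@@ -1238,32 +1238,38 @@
 // Returns true is the given attribute is an event handler.
 // We consider an event handler any attribute that begins with "on".
 // It is a simple solution that has the advantage of not requiring any
 // code or configuration change if a new event handler is defined.
 
 static inline bool isEventHandlerAttribute(const Attribute& attribute)
 {
     return attribute.name().namespaceURI().isNull() && attribute.name().localName().startsWith("on");
 }
 
+bool Element::attributeValueIsJavaScriptURL(const Attribute& attribute)
+{
+    return protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(attribute.value()));
+}
+
 bool Element::isJavaScriptURLAttribute(const Attribute& attribute) const
 {
-    return isURLAttribute(attribute) && protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(attribute.value()));
+    return isURLAttribute(attribute) && attributeValueIsJavaScriptURL(attribute);
 }
 
 void Element::stripScriptingAttributes(Vector<Attribute>& attributeVector) const
 {
     size_t destination = 0;
     for (size_t source = 0; source < attributeVector.size(); ++source) {
         if (isEventHandlerAttribute(attributeVector[source])
             || isJavaScriptURLAttribute(attributeVector[source])
-            || isHTMLContentAttribute(attributeVector[source]))
+            || isHTMLContentAttribute(attributeVector[source])
+            || isSVGAnimationAttributeSettingJavaScriptURL(attributeVector[source]))
             continue;
 
         if (source != destination)
             attributeVector[destination] = attributeVector[source];
 
         ++destination;
     }
     attributeVector.shrink(destination);
 }
 
@@ -3388,10 +3394,10 @@
 {
 #if ENABLE(OILPAN)
     if (hasRareData())
         visitor->trace(elementRareData());
     visitor->trace(m_elementData);
 #endif
     ContainerNode::trace(visitor);
 }
 
 } // namespace blink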
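Review bot: The new `Element::attributeValueIsJavaScriptURL` at new lines 1248-1251 carries no comment saying why it strips leading and trailing HTML spaces before the protocol check, nor that it is now the single shared predicate for any attribute whose value could be interpreted as a javascript: URL (the SVG animation check it is presumably paired with is declared outside this hunk). I would add above it: `// Shared check for attribute values that would be loaded as a javascript: URL. Leading/trailing HTML spaces are stripped first because URL parsing ignores them, so this must match what the loader will see.` Since the helper is only as strict as protocolIsJavaScript's own handling of the scheme, a unit test in this change that exercises the sanitizer with whitespace variants around the scheme would pin that the helper and the value's later parsing agree. In stripScriptingAttributes the added fourth predicate at 1265 is evaluated per attribute after the existing three, consistent with them; note that isSVGAnimationAttributeSettingJavaScriptURL is not visible here, so its behaviour for non-SVG elements cannot be confirmed from this hunk.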