Sanitize SVG animation attributes which could set JavaScript URL values.

Source/core/dom/Element.h

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Peter Kelly (pmk@post.com)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003-2011, 2013, 2014 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 336 matching lines @@
     bool isUpgradedCustomElement() { return customElementState() == Upgraded; }
     bool isUnresolvedCustomElement() { return customElementState() == WaitingForUpgrade; }
 
     AtomicString computeInheritedLanguage() const;
     Locale& locale() const;
 
     virtual void accessKeyAction(bool /*sendToAnyEvent*/) { }
 
     virtual bool isURLAttribute(const Attribute&) const { return false; }
     virtual bool isHTMLContentAttribute(const Attribute&) const { return false; }
+    bool isJavaScriptURLAttribute(const Attribute&) const;
+    virtual bool isSVGAnimationAttributeSettingJavaScriptURL(const Attribute&) const { return false; }
 
     virtual bool isLiveLink() const { return false; }
     KURL hrefURL() const;
 
     KURL getURLAttribute(const QualifiedName&) const;
     KURL getNonEmptyURLAttribute(const QualifiedName&) const;
 
     virtual const AtomicString imageSourceURL() const;
     virtual Image* imageContents() { return nullptr; }
 
@@ skipping 165 matching lines @@
     // may use the layoutObject to reason about focusability. This method cannot be
     // moved to LayoutObject because some focusable nodes don't have layoutObjects,
     // e.g., HTMLOptionElement.
     virtual bool layoutObjectIsFocusable() const;
 
     // classAttributeChanged() exists to share code between
     // parseAttribute (called via setAttribute()) and
     // svgAttributeChanged (called when element.className.baseValue is set)
     void classAttributeChanged(const AtomicString& newClassString);
 
+    static bool attributeValueIsJavaScriptURL(const Attribute&);
+
     PassRefPtr<ComputedStyle> originalStyleForLayoutObject();
 
     Node* insertAdjacent(const String& where, Node* newChild, ExceptionState&);
 
     virtual void parserDidSetAttributes() { };
 
     void scrollLayoutBoxBy(const ScrollToOptions&);
     void scrollLayoutBoxTo(const ScrollToOptions&);
     void scrollFrameBy(const ScrollToOptions&);
     void scrollFrameTo(const ScrollToOptions&);
@@ skipping 82 matching lines @@
 
     ElementRareData* elementRareData() const;
     ElementRareData& ensureElementRareData();
 
     AttrNodeList& ensureAttrNodeList();
     void removeAttrNodeList();
     void detachAllAttrNodesFromElement();
     void detachAttrNodeFromElementWithValue(Attr*, const AtomicString& value);
     void detachAttrNodeAtIndex(Attr*, size_t index);
 
-    bool isJavaScriptURLAttribute(const Attribute&) const;
-
     v8::Local<v8::Object> wrapCustomElement(v8::Isolate*, v8::Local<v8::Object> creationContext);
 
     RefPtrWillBeMember<ElementData> m_elementData;
 };
 
 DEFINE_NODE_TYPE_CASTS(Element, isElementNode());
 template <typename T> bool isElementOfType(const Node&);
 template <> inline bool isElementOfType<const Element>(const Node& node) { return node.isElementNode(); }
 template <typename T> inline bool isElementOfType(const Element& element) { return isElementOfType<T>(static_cast<const Node&>(element)); }
 template <> inline bool isElementOfType<const Element>(const Element&) { return true; }
@@ skipping 219 matching lines @@
     static PassRefPtrWillBeRawPtr<T> create(const QualifiedName&, Document&)
 #define DEFINE_ELEMENT_FACTORY_WITH_TAGNAME(T) \
     PassRefPtrWillBeRawPtr<T> T::create(const QualifiedName& tagName, Document& document) \
     { \
         return adoptRefWillBeNoop(new T(tagName, document)); \
     }
 
 } // namespace
 
 #endif // Element_h