Chromium Code Reviews

Side by Side Diff: Source/core/svg/SVGAnimationElement.cpp

Issue 1171223004: Sanitize SVG animation attributes which could set JavaScript URL values. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Thanks for feedback. Created 5 years, 6 months ago
OLD | NEW
1 /* 1 /*
2 * Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann@kde.org> 2 * Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann@kde.org>
3 * Copyright (C) 2004, 2005, 2006, 2007 Rob Buis <buis@kde.org> 3 * Copyright (C) 2004, 2005, 2006, 2007 Rob Buis <buis@kde.org>
4 * Copyright (C) 2007 Eric Seidel <eric@webkit.org> 4 * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
5 * Copyright (C) 2008 Apple Inc. All rights reserved. 5 * Copyright (C) 2008 Apple Inc. All rights reserved.
6 * Copyright (C) 2009 Cameron McCormack <cam@mcc.id.au> 6 * Copyright (C) 2009 Cameron McCormack <cam@mcc.id.au>
7 * Copyright (C) Research In Motion Limited 2010. All rights reserved. 7 * Copyright (C) Research In Motion Limited 2010. All rights reserved.
8 * 8 *
9 * This library is free software; you can redistribute it and/or 9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Library General Public 10 * modify it under the terms of the GNU Library General Public
(...skipping 34 matching lines...)
45 , m_toPropertyValueType(RegularPropertyValue) 45 , m_toPropertyValueType(RegularPropertyValue)
46 , m_animationValid(false) 46 , m_animationValid(false)
47 , m_attributeType(AttributeTypeAuto) 47 , m_attributeType(AttributeTypeAuto)
48 , m_hasInvalidCSSAttributeType(false) 48 , m_hasInvalidCSSAttributeType(false)
49 , m_calcMode(CalcModeLinear) 49 , m_calcMode(CalcModeLinear)
50 , m_animationMode(NoAnimation) 50 , m_animationMode(NoAnimation)
51 { 51 {
52 UseCounter::count(document, UseCounter::SVGAnimationElement); 52 UseCounter::count(document, UseCounter::SVGAnimationElement);
53 } 53 }
54 54
55 static bool parseValues(const String& value, Vector<String>& result) 55 bool SVGAnimationElement::parseValues(const String& value, Vector<String>& resul t)
56 { 56 {
57 // Per the SMIL specification, leading and trailing white space, 57 // Per the SMIL specification, leading and trailing white space,
58 // and white space before and after semicolon separators, is allowed and wil l be ignored. 58 // and white space before and after semicolon separators, is allowed and wil l be ignored.
59 // http://www.w3.org/TR/SVG11/animate.html#ValuesAttribute 59 // http://www.w3.org/TR/SVG11/animate.html#ValuesAttribute
60 result.clear(); 60 result.clear();
61 Vector<String> parseList; 61 Vector<String> parseList;
62 value.split(';', true, parseList); 62 value.split(';', true, parseList);
63 unsigned last = parseList.size() - 1; 63 unsigned last = parseList.size() - 1;
64 for (unsigned i = 0; i <= last; ++i) { 64 for (unsigned i = 0; i <= last; ++i) {
65 if (parseList[i].isEmpty()) { 65 if (parseList[i].isEmpty()) {
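Review bot: in parseValues, "unsigned last = parseList.size() - 1;" wraps around if parseList is ever empty, and the "i <= last" loop would then index past the end of the vector. The code relies on value.split(';', true, parseList) always producing at least one entry, which is not stated anywhere in the visible lines. Now that the function is SVGAnimationElement::parseValues rather than a file-local static, other code can call it, so that assumption deserves to be explicit: add ASSERT(!parseList.isEmpty()) or an early return before computing last. It would also help to document in SVGAnimationElement.h what result contains when the function returns false, since result.clear() runs before any validation.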
(...skipping 656 matching lines...)
722 if (!hasInvalidCSSAttributeType) 722 if (!hasInvalidCSSAttributeType)
723 schedule(); 723 schedule();
724 } 724 }
725 725
726 // Clear values that may depend on the previous target. 726 // Clear values that may depend on the previous target.
727 if (targetElement()) 727 if (targetElement())
728 clearAnimatedType(); 728 clearAnimatedType();
729 } 729 }
730 730
731 } 731 }