
Side by Side Diff: Source/WebCore/dom/Element.cpp

Issue 14297020: Merge 147281 "Cross-Origin copy&paste / drag&drop allowing XSS v..." (Closed) Base URL: svn://svn.chromium.org/blink/branches/chromium/1453/
Patch Set: Created 7 years, 8 months ago
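--- a/Source/WebCore/dom/Element.cpp
+++ b/Source/WebCore/dom/Element.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
 * (C) 1999 Antti Koivisto (koivisto@kde.org)
 * (C) 2001 Peter Kelly (pmk@post.com)
 * (C) 2001 Dirk Mueller (mueller@kde.org)
 * (C) 2007 David Smith (catfish.man@gmail.com)
 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2013 Apple Inc. All rights reserved.
 * (C) 2007 Eric Seidel (eric@webkit.org)
 *
 * This library is free software; you can redistribute it and/or
@@ -1032,43 +1032,32 @@
 // Returns true is the given attribute is an event handler.
 // We consider an event handler any attribute that begins with "on".
 // It is a simple solution that has the advantage of not requiring any
 // code or configuration change if a new event handler is defined.
 
 static inline bool isEventHandlerAttribute(const Attribute& attribute)
 {
 return attribute.name().namespaceURI().isNull() && attribute.name().localNam e().startsWith("on");
 }
 
-bool Element::isJavaScriptURLAttribute(const Attribute& attribute)
+bool Element::isJavaScriptURLAttribute(const Attribute& attribute) const
 {
-if (!isURLAttribute(attribute))
-return false;
-if (!protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(attribute.value( ))))
-return false;
-return true;
+return isURLAttribute(attribute) && protocolIsJavaScript(stripLeadingAndTrai lingHTMLSpaces(attribute.value()));
 }
 
-bool Element::isJavaScriptAttribute(const Attribute& attribute)
-{
-if (isEventHandlerAttribute(attribute))
-return true;
-if (isJavaScriptURLAttribute(attribute))
-return true;
-return false;
-}
-
-void Element::stripJavaScriptAttributes(Vector<Attribute>& attributeVector)
+void Element::stripScriptingAttributes(Vector<Attribute>& attributeVector) const
 {
 size_t destination = 0;
 for (size_t source = 0; source < attributeVector.size(); ++source) {
-if (isJavaScriptAttribute(attributeVector[source]))
+if (isEventHandlerAttribute(attributeVector[source])
+|| isJavaScriptURLAttribute(attributeVector[source])
+|| isHTMLContentAttribute(attributeVector[source]))
 continue;
 
 if (source != destination)
 attributeVector[destination] = attributeVector[source];
 
 ++destination;
 }
 attributeVector.shrink(destination);
 }
 
@@ -3125,10 +3114,10 @@
 return 0;
 }
 
 Attribute* UniqueElementData::attributeItem(unsigned index)
 {
 ASSERT_WITH_SECURITY_IMPLICATION(index < length());
 return &m_attributeVector.at(index);
 }
 
 } // namespace WebCore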
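Review bot: stripScriptingAttributes (new lines 1047–1062) has no comment stating its contract, although the condition at new lines 1051–1053 is now the entire denylist for script-bearing attributes. I would add above the definition `// Removes event handler attributes, URL attributes with a javascript: value, and attributes reported by isHTMLContentAttribute().` followed by `// Any new attribute that can carry script or markup must be matched by one of these predicates.` isHTMLContentAttribute is declared outside this file section, so which attributes it covers cannot be confirmed from here; presumably subclasses override it. Because isJavaScriptURLAttribute tests only for the javascript: scheme, it is worth confirming at the call sites whether other values of isURLAttribute attributes need handling for the cross-origin paste case named in the issue title.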