| Index: third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp b/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| index 2aabde5f091cd2e9a1afeb43d6448a4a66895e6d..6b9e52289bffc771b0183d4af628eec2bb971214 100644
|
| --- a/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| +++ b/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| @@ -34,7 +34,7 @@
|
| //
|
| // There are two vectors for JavaScript URLs in SVG content:
|
| //
|
| -// 1. Attributes, for example xlink:href in an <svg:a> element.
|
| +// 1. Attributes, for example xlink:href/href in an <svg:a> element.
|
| // 2. Animations which set those attributes, for example
|
| // <animate attributeName="xlink:href" values="javascript:...
|
| //
|
| @@ -79,6 +79,28 @@ TEST(
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| + " width='1cm' height='1cm'>"
|
| + " <a href='javascript:alert()'></a>"
|
| + "</svg>";
|
| + String sanitizedContent =
|
| + contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| +
|
| + EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| + "We should have pasted *something*; the document is: " <<
|
| + sanitizedContent.utf8().data();
|
| + EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| + "The JavaScript URL is unsafe and should have been stripped; "
|
| + "instead: " <<
|
| + sanitizedContent.utf8().data();
|
| +}
|
| +
|
| +TEST(
|
| + UnsafeSVGAttributeSanitizationTest,
|
| + pasteAnchor_javaScriptXlinkHrefIsStripped)
|
| +{
|
| + OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| + static const char unsafeContent[] =
|
| + "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='javascript:alert()'></a>"
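Review bot: The test body added here is pasted again in the next three hunks, where only the fixture markup and the "something was pasted" substring differ. A file-local helper that takes those two strings would keep every `href`/`xlink:href` pair under the same assertions. As written, a later tightening of the check has to be applied in eight places, and a missed copy leaves one attribute form with weaker coverage. `SCOPED_TRACE` in each caller keeps failure output attributable to the right case. The enclosing `TEST(` headers start above each hunk, so the existing test names are not visible here.

```cpp
// Pastes |unsafeContent| into a dummy page and checks that |expectedRemainder|
// survived sanitization while the script URL did not.
static void expectScriptURLStripped(const char* unsafeContent, const char* expectedRemainder)
{
    OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
    String sanitizedContent =
        contentAfterPastingHTML(pageHolder.get(), unsafeContent);

    EXPECT_TRUE(sanitizedContent.contains(expectedRemainder)) <<
        "We should have pasted *something*; the document is: " <<
        sanitizedContent.utf8().data();
    EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
        "The JavaScript URL is unsafe and should have been stripped; "
        "instead: " <<
        sanitizedContent.utf8().data();
}

// … unchanged: each TEST keeps its own unsafeContent fixture and calls the helper …
```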
|
| @@ -102,6 +124,28 @@ TEST(
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| + " width='1cm' height='1cm'>"
|
| + " <a href='jAvascriPT:alert()'></a>"
|
| + "</svg>";
|
| + String sanitizedContent =
|
| + contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| +
|
| + EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| + "We should have pasted *something*; the document is: " <<
|
| + sanitizedContent.utf8().data();
|
| + EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| + "The JavaScript URL is unsafe and should have been stripped; "
|
| + "instead: " <<
|
| + sanitizedContent.utf8().data();
|
| +}
|
| +
|
| +TEST(
|
| + UnsafeSVGAttributeSanitizationTest,
|
| + pasteAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
|
| +{
|
| + OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| + static const char unsafeContent[] =
|
| + "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='jAvascriPT:alert()'></a>"
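Review bot: As shown on this page, the new fixture `<a href='jAvascriPT:alert()'>` varies only the letter case of the scheme, although the xlink counterpart it is paired with is named `..._caseAndEntityInProtocol`. The same question applies to the next hunk, where the added `href` fixture reads as plain `javascript:alert()` and is then indistinguishable from the first pasted-anchor case. If the page rendering decoded a character reference in these strings, nothing needs to change. Otherwise the entity-encoded form of the scheme is not exercised for the un-namespaced `href`, which is the variant this sanitizer most needs pinned, so this should be confirmed against the file itself. The enclosing `TEST(` header for the added body lies above the hunk.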
|
| @@ -125,6 +169,28 @@ TEST(
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| + " width='1cm' height='1cm'>"
|
| + " <a href='javascript:alert()'></a>"
|
| + "</svg>";
|
| + String sanitizedContent =
|
| + contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| +
|
| + EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| + "We should have pasted *something*; the document is: " <<
|
| + sanitizedContent.utf8().data();
|
| + EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| + "The JavaScript URL is unsafe and should have been stripped; "
|
| + "instead: " <<
|
| + sanitizedContent.utf8().data();
|
| +}
|
| +
|
| +TEST(
|
| + UnsafeSVGAttributeSanitizationTest,
|
| + pasteAnchor_javaScriptXlinkHrefIsStripped_entityWithoutSemicolonInProtocol)
|
| +{
|
| + OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| + static const char unsafeContent[] =
|
| + "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='javascript:alert()'></a>"
|
| @@ -153,6 +219,30 @@ TEST(
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| + " width='1cm' height='1cm'>"
|
| + " <a href='https://www.google.com/'>"
|
| + " <animate attributeName='href' values='evil;JaVaSCRIpT:alert()'>"
|
| + " </a>"
|
| + "</svg>";
|
| + String sanitizedContent =
|
| + contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| +
|
| + EXPECT_TRUE(sanitizedContent.contains("<a href=\"https://www.goo")) <<
|
| + "We should have pasted *something*; the document is: " <<
|
| + sanitizedContent.utf8().data();
|
| + EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| + "The JavaScript URL is unsafe and should have been stripped; "
|
| + "instead: " <<
|
| + sanitizedContent.utf8().data();
|
| +}
|
| +
|
| +TEST(
|
| + UnsafeSVGAttributeSanitizationTest,
|
| + pasteAnimatedAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
|
| +{
|
| + OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| + static const char unsafeContent[] =
|
| + "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='https://www.google.com/'>"
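Review bot: The new animation case covers the script URL only when it arrives through `values` on `<animate attributeName='href'>`, so `from`, `to` and `by` are not exercised for the un-namespaced attribute in this hunk. If the file already has xlink:href tests for those attributes outside the visible context, each of them needs an `href` twin. Otherwise a regression in the `attributeName` matching for plain `href` would only be caught on one of the animation value paths. A brief comment above the fixture such as `// 'evil' is an innocuous first keyframe; the second value carries the script URL` would also make the intent of `values='evil;JaVaSCRIpT:alert()'` clear to the next reader.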
|
| @@ -191,6 +281,13 @@ TEST(UnsafeSVGAttributeSanitizationTest, stringsShouldNotSupportAddition)
|
| EXPECT_EQ(AnimatedString, element->animatedPropertyType());
|
|
|
| EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
|
| +
|
| + element->setAttributeName(SVGNames::hrefAttr);
|
| +
|
| + // Sanity check that href was identified as a "string" attribute
|
| + EXPECT_EQ(AnimatedString, element->animatedPropertyType());
|
| +
|
| + EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
|
| }
|
|
|
| TEST(
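Review bot: The two added expectations are textually identical to the pair just above them, so a failure report does not say which attribute name was under test. Appending a message would fix that, for example `EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition()) << "for SVGNames::hrefAttr";`, with the matching text on the `EXPECT_EQ`. The added comment could also say why the property matters. Presumably the concern is that additive animation of a string attribute could assemble a URL the sanitizer never saw as a whole, but that reason is not stated in the visible lines and should be confirmed before it is written down. The start of this test body is outside the hunk.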
|
| @@ -199,6 +296,7 @@ TEST(
|
| {
|
| Vector<Attribute> attributes;
|
| attributes.append(Attribute(XLinkNames::hrefAttr, "javascript:alert()"));
|
| + attributes.append(Attribute(SVGNames::hrefAttr, "javascript:alert()"));
|
| attributes.append(Attribute(SVGNames::fromAttr, "/home"));
|
| attributes.append(Attribute(SVGNames::toAttr, "javascript:own3d()"));
|
|
|
| @@ -206,18 +304,34 @@ TEST(
|
| RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document);
|
| element->stripScriptingAttributes(attributes);
|
|
|
| - EXPECT_EQ(2ul, attributes.size()) <<
|
| + EXPECT_EQ(3ul, attributes.size()) <<
|
| "One of the attributes should have been stripped.";
|
| EXPECT_EQ(XLinkNames::hrefAttr, attributes[0].name()) <<
|
| "The 'xlink:href' attribute should not have been stripped from "
|
| "<animate> because it is not a URL attribute of <animate>.";
|
| - EXPECT_EQ(SVGNames::fromAttr, attributes[1].name()) <<
|
| + EXPECT_EQ(SVGNames::hrefAttr, attributes[1].name()) <<
|
| + "The 'href' attribute should not have been stripped from "
|
| + "<animate> because it is not a URL attribute of <animate>.";
|
| + EXPECT_EQ(SVGNames::fromAttr, attributes[2].name()) <<
|
| "The 'from' attribute should not have been strippef from <animate> "
|
| "because its value is innocuous.";
|
| }
|
|
|
| TEST(
|
| UnsafeSVGAttributeSanitizationTest,
|
| + isJavaScriptURLAttribute_hrefContainingJavascriptURL)
|
| +{
|
| + Attribute attribute(SVGNames::hrefAttr, "javascript:alert()");
|
| + RefPtrWillBeRawPtr<Document> document = Document::create();
|
| + RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document);
|
| + EXPECT_TRUE(
|
| + element->isJavaScriptURLAttribute(attribute)) <<
|
| + "The 'a' element should identify an 'href' attribute with a "
|
| + "JavaScript URL value as a JavaScript URL attribute";
|
| +}
|
| +
|
| +TEST(
|
| + UnsafeSVGAttributeSanitizationTest,
|
| isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL)
|
| {
|
| Attribute attribute(XLinkNames::hrefAttr, "javascript:alert()");
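Review bot: `EXPECT_EQ(3ul, attributes.size())` is non-fatal, yet the following lines index `attributes[1]` and the newly added `attributes[2]`. If `stripScriptingAttributes` ever removes more than expected, the test reads past the end of the vector instead of failing cleanly. The size check should be fatal, `ASSERT_EQ(3ul, attributes.size()) <<`, so that the indexed expectations run only when the size is right. The new `isJavaScriptURLAttribute_hrefContainingJavascriptURL` test checks only the positive case. If the xlink tests outside this hunk include an innocuous-URL counterpart, `href` should get one as well, so that an over-broad match is caught too. The context line in this hunk still reads "strippef", which could be corrected in the same change.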
|
|
|