| OLD | NEW |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // FIXME(dominicc): Poor confused check-webkit-style demands Attribute.h here. | 5 // FIXME(dominicc): Poor confused check-webkit-style demands Attribute.h here. |
| 6 #include "core/dom/Attribute.h" | 6 #include "core/dom/Attribute.h" |
| 7 | 7 |
| 8 #include "core/HTMLNames.h" | 8 #include "core/HTMLNames.h" |
| 9 #include "core/SVGNames.h" | 9 #include "core/SVGNames.h" |
| 10 #include "core/XLinkNames.h" | 10 #include "core/XLinkNames.h" |
| 264 | 264 |
| 265 // Unit tests | 265 // Unit tests |
| 266 | 266 |
| 267 // stripScriptingAttributes inspects animation attributes for | 267 // stripScriptingAttributes inspects animation attributes for |
| 268 // javascript: URLs. This check could be defeated if strings supported | 268 // javascript: URLs. This check could be defeated if strings supported |
| 269 // addition. If this test starts failing you must strengthen | 269 // addition. If this test starts failing you must strengthen |
| 270 // Element::stripScriptingAttributes, perhaps to strip all | 270 // Element::stripScriptingAttributes, perhaps to strip all |
| 271 // SVG animation attributes. | 271 // SVG animation attributes. |
| 272 TEST(UnsafeSVGAttributeSanitizationTest, stringsShouldNotSupportAddition) | 272 TEST(UnsafeSVGAttributeSanitizationTest, stringsShouldNotSupportAddition) |
| 273 { | 273 { |
| 274 RefPtrWillBeRawPtr<Document> document = Document::create(); | 274 RawPtr<Document> document = Document::create(); |
| 275 RefPtrWillBeRawPtr<SVGElement> target = SVGAElement::create(*document); | 275 RawPtr<SVGElement> target = SVGAElement::create(*document); |
| 276 RefPtrWillBeRawPtr<SVGAnimateElement> element = SVGAnimateElement::create(*d
ocument); | 276 RawPtr<SVGAnimateElement> element = SVGAnimateElement::create(*document); |
| 277 element->setTargetElement(target.get()); | 277 element->setTargetElement(target.get()); |
| 278 element->setAttributeName(XLinkNames::hrefAttr); | 278 element->setAttributeName(XLinkNames::hrefAttr); |
| 279 | 279 |
| 280 // Sanity check that xlink:href was identified as a "string" attribute | 280 // Sanity check that xlink:href was identified as a "string" attribute |
| 281 EXPECT_EQ(AnimatedString, element->animatedPropertyType()); | 281 EXPECT_EQ(AnimatedString, element->animatedPropertyType()); |
| 282 | 282 |
| 283 EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition()); | 283 EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition()); |
| 284 | 284 |
| 285 element->setAttributeName(SVGNames::hrefAttr); | 285 element->setAttributeName(SVGNames::hrefAttr); |
| 286 | 286 |
| 287 // Sanity check that href was identified as a "string" attribute | 287 // Sanity check that href was identified as a "string" attribute |
| 288 EXPECT_EQ(AnimatedString, element->animatedPropertyType()); | 288 EXPECT_EQ(AnimatedString, element->animatedPropertyType()); |
| 289 | 289 |
| 290 EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition()); | 290 EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition()); |
| 291 } | 291 } |
| 292 | 292 |
| 293 TEST( | 293 TEST( |
| 294 UnsafeSVGAttributeSanitizationTest, | 294 UnsafeSVGAttributeSanitizationTest, |
| 295 stripScriptingAttributes_animateElement) | 295 stripScriptingAttributes_animateElement) |
| 296 { | 296 { |
| 297 Vector<Attribute> attributes; | 297 Vector<Attribute> attributes; |
| 298 attributes.append(Attribute(XLinkNames::hrefAttr, "javascript:alert()")); | 298 attributes.append(Attribute(XLinkNames::hrefAttr, "javascript:alert()")); |
| 299 attributes.append(Attribute(SVGNames::hrefAttr, "javascript:alert()")); | 299 attributes.append(Attribute(SVGNames::hrefAttr, "javascript:alert()")); |
| 300 attributes.append(Attribute(SVGNames::fromAttr, "/home")); | 300 attributes.append(Attribute(SVGNames::fromAttr, "/home")); |
| 301 attributes.append(Attribute(SVGNames::toAttr, "javascript:own3d()")); | 301 attributes.append(Attribute(SVGNames::toAttr, "javascript:own3d()")); |
| 302 | 302 |
| 303 RefPtrWillBeRawPtr<Document> document = Document::create(); | 303 RawPtr<Document> document = Document::create(); |
| 304 RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document); | 304 RawPtr<Element> element = SVGAnimateElement::create(*document); |
| 305 element->stripScriptingAttributes(attributes); | 305 element->stripScriptingAttributes(attributes); |
| 306 | 306 |
| 307 EXPECT_EQ(3ul, attributes.size()) << | 307 EXPECT_EQ(3ul, attributes.size()) << |
| 308 "One of the attributes should have been stripped."; | 308 "One of the attributes should have been stripped."; |
| 309 EXPECT_EQ(XLinkNames::hrefAttr, attributes[0].name()) << | 309 EXPECT_EQ(XLinkNames::hrefAttr, attributes[0].name()) << |
| 310 "The 'xlink:href' attribute should not have been stripped from " | 310 "The 'xlink:href' attribute should not have been stripped from " |
| 311 "<animate> because it is not a URL attribute of <animate>."; | 311 "<animate> because it is not a URL attribute of <animate>."; |
| 312 EXPECT_EQ(SVGNames::hrefAttr, attributes[1].name()) << | 312 EXPECT_EQ(SVGNames::hrefAttr, attributes[1].name()) << |
| 313 "The 'href' attribute should not have been stripped from " | 313 "The 'href' attribute should not have been stripped from " |
| 314 "<animate> because it is not a URL attribute of <animate>."; | 314 "<animate> because it is not a URL attribute of <animate>."; |
| 315 EXPECT_EQ(SVGNames::fromAttr, attributes[2].name()) << | 315 EXPECT_EQ(SVGNames::fromAttr, attributes[2].name()) << |
| 316 "The 'from' attribute should not have been strippef from <animate> " | 316 "The 'from' attribute should not have been strippef from <animate> " |
| 317 "because its value is innocuous."; | 317 "because its value is innocuous."; |
| 318 } | 318 } |
| 319 | 319 |
| 320 TEST( | 320 TEST( |
| 321 UnsafeSVGAttributeSanitizationTest, | 321 UnsafeSVGAttributeSanitizationTest, |
| 322 isJavaScriptURLAttribute_hrefContainingJavascriptURL) | 322 isJavaScriptURLAttribute_hrefContainingJavascriptURL) |
| 323 { | 323 { |
| 324 Attribute attribute(SVGNames::hrefAttr, "javascript:alert()"); | 324 Attribute attribute(SVGNames::hrefAttr, "javascript:alert()"); |
| 325 RefPtrWillBeRawPtr<Document> document = Document::create(); | 325 RawPtr<Document> document = Document::create(); |
| 326 RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document); | 326 RawPtr<Element> element = SVGAElement::create(*document); |
| 327 EXPECT_TRUE( | 327 EXPECT_TRUE( |
| 328 element->isJavaScriptURLAttribute(attribute)) << | 328 element->isJavaScriptURLAttribute(attribute)) << |
| 329 "The 'a' element should identify an 'href' attribute with a " | 329 "The 'a' element should identify an 'href' attribute with a " |
| 330 "JavaScript URL value as a JavaScript URL attribute"; | 330 "JavaScript URL value as a JavaScript URL attribute"; |
| 331 } | 331 } |
| 332 | 332 |
| 333 TEST( | 333 TEST( |
| 334 UnsafeSVGAttributeSanitizationTest, | 334 UnsafeSVGAttributeSanitizationTest, |
| 335 isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL) | 335 isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL) |
| 336 { | 336 { |
| 337 Attribute attribute(XLinkNames::hrefAttr, "javascript:alert()"); | 337 Attribute attribute(XLinkNames::hrefAttr, "javascript:alert()"); |
| 338 RefPtrWillBeRawPtr<Document> document = Document::create(); | 338 RawPtr<Document> document = Document::create(); |
| 339 RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document); | 339 RawPtr<Element> element = SVGAElement::create(*document); |
| 340 EXPECT_TRUE( | 340 EXPECT_TRUE( |
| 341 element->isJavaScriptURLAttribute(attribute)) << | 341 element->isJavaScriptURLAttribute(attribute)) << |
| 342 "The 'a' element should identify an 'xlink:href' attribute with a " | 342 "The 'a' element should identify an 'xlink:href' attribute with a " |
| 343 "JavaScript URL value as a JavaScript URL attribute"; | 343 "JavaScript URL value as a JavaScript URL attribute"; |
| 344 } | 344 } |
| 345 | 345 |
| 346 TEST( | 346 TEST( |
| 347 UnsafeSVGAttributeSanitizationTest, | 347 UnsafeSVGAttributeSanitizationTest, |
| 348 isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL_alternatePrefix) | 348 isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL_alternatePrefix) |
| 349 { | 349 { |
| 350 QualifiedName hrefAlternatePrefix( | 350 QualifiedName hrefAlternatePrefix( |
| 351 "foo", "href", XLinkNames::xlinkNamespaceURI); | 351 "foo", "href", XLinkNames::xlinkNamespaceURI); |
| 352 Attribute evilAttribute(hrefAlternatePrefix, "javascript:alert()"); | 352 Attribute evilAttribute(hrefAlternatePrefix, "javascript:alert()"); |
| 353 RefPtrWillBeRawPtr<Document> document = Document::create(); | 353 RawPtr<Document> document = Document::create(); |
| 354 RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document); | 354 RawPtr<Element> element = SVGAElement::create(*document); |
| 355 EXPECT_TRUE(element->isJavaScriptURLAttribute(evilAttribute)) << | 355 EXPECT_TRUE(element->isJavaScriptURLAttribute(evilAttribute)) << |
| 356 "The XLink 'href' attribute with a JavaScript URL value should be " | 356 "The XLink 'href' attribute with a JavaScript URL value should be " |
| 357 "identified as a JavaScript URL attribute, even if the attribute " | 357 "identified as a JavaScript URL attribute, even if the attribute " |
| 358 "doesn't use the typical 'xlink' prefix."; | 358 "doesn't use the typical 'xlink' prefix."; |
| 359 } | 359 } |
| 360 | 360 |
| 361 TEST( | 361 TEST( |
| 362 UnsafeSVGAttributeSanitizationTest, | 362 UnsafeSVGAttributeSanitizationTest, |
| 363 isSVGAnimationAttributeSettingJavaScriptURL_fromContainingJavaScriptURL) | 363 isSVGAnimationAttributeSettingJavaScriptURL_fromContainingJavaScriptURL) |
| 364 { | 364 { |
| 365 Attribute evilAttribute(SVGNames::fromAttr, "javascript:alert()"); | 365 Attribute evilAttribute(SVGNames::fromAttr, "javascript:alert()"); |
| 366 RefPtrWillBeRawPtr<Document> document = Document::create(); | 366 RawPtr<Document> document = Document::create(); |
| 367 RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document); | 367 RawPtr<Element> element = SVGAnimateElement::create(*document); |
| 368 EXPECT_TRUE( | 368 EXPECT_TRUE( |
| 369 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << | 369 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << |
| 370 "The animate element should identify a 'from' attribute with a " | 370 "The animate element should identify a 'from' attribute with a " |
| 371 "JavaScript URL value as setting a JavaScript URL."; | 371 "JavaScript URL value as setting a JavaScript URL."; |
| 372 } | 372 } |
| 373 | 373 |
| 374 TEST( | 374 TEST( |
| 375 UnsafeSVGAttributeSanitizationTest, | 375 UnsafeSVGAttributeSanitizationTest, |
| 376 isSVGAnimationAttributeSettingJavaScriptURL_toContainingJavaScripURL) | 376 isSVGAnimationAttributeSettingJavaScriptURL_toContainingJavaScripURL) |
| 377 { | 377 { |
| 378 Attribute evilAttribute(SVGNames::toAttr, "javascript:window.close()"); | 378 Attribute evilAttribute(SVGNames::toAttr, "javascript:window.close()"); |
| 379 RefPtrWillBeRawPtr<Document> document = Document::create(); | 379 RawPtr<Document> document = Document::create(); |
| 380 RefPtrWillBeRawPtr<Element> element = SVGSetElement::create(*document); | 380 RawPtr<Element> element = SVGSetElement::create(*document); |
| 381 EXPECT_TRUE( | 381 EXPECT_TRUE( |
| 382 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << | 382 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << |
| 383 "The set element should identify a 'to' attribute with a JavaScript " | 383 "The set element should identify a 'to' attribute with a JavaScript " |
| 384 "URL value as setting a JavaScript URL."; | 384 "URL value as setting a JavaScript URL."; |
| 385 } | 385 } |
| 386 | 386 |
| 387 TEST( | 387 TEST( |
| 388 UnsafeSVGAttributeSanitizationTest, | 388 UnsafeSVGAttributeSanitizationTest, |
| 389 isSVGAnimationAttributeSettingJavaScriptURL_valuesContainingJavaScriptURL) | 389 isSVGAnimationAttributeSettingJavaScriptURL_valuesContainingJavaScriptURL) |
| 390 { | 390 { |
| 391 Attribute evilAttribute(SVGNames::valuesAttr, "hi!; javascript:confirm()"); | 391 Attribute evilAttribute(SVGNames::valuesAttr, "hi!; javascript:confirm()"); |
| 392 RefPtrWillBeRawPtr<Document> document = Document::create(); | 392 RawPtr<Document> document = Document::create(); |
| 393 RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document); | 393 RawPtr<Element> element = SVGAnimateElement::create(*document); |
| 394 element = SVGAnimateElement::create(*document); | 394 element = SVGAnimateElement::create(*document); |
| 395 EXPECT_TRUE( | 395 EXPECT_TRUE( |
| 396 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << | 396 element->isSVGAnimationAttributeSettingJavaScriptURL(evilAttribute)) << |
| 397 "The animate element should identify a 'values' attribute with a " | 397 "The animate element should identify a 'values' attribute with a " |
| 398 "JavaScript URL value as setting a JavaScript URL."; | 398 "JavaScript URL value as setting a JavaScript URL."; |
| 399 } | 399 } |
| 400 | 400 |
| 401 TEST( | 401 TEST( |
| 402 UnsafeSVGAttributeSanitizationTest, | 402 UnsafeSVGAttributeSanitizationTest, |
| 403 isSVGAnimationAttributeSettingJavaScriptURL_innocuousAnimationAttribute) | 403 isSVGAnimationAttributeSettingJavaScriptURL_innocuousAnimationAttribute) |
| 404 { | 404 { |
| 405 Attribute fineAttribute(SVGNames::fromAttr, "hello, world!"); | 405 Attribute fineAttribute(SVGNames::fromAttr, "hello, world!"); |
| 406 RefPtrWillBeRawPtr<Document> document = Document::create(); | 406 RawPtr<Document> document = Document::create(); |
| 407 RefPtrWillBeRawPtr<Element> element = SVGSetElement::create(*document); | 407 RawPtr<Element> element = SVGSetElement::create(*document); |
| 408 EXPECT_FALSE( | 408 EXPECT_FALSE( |
| 409 element->isSVGAnimationAttributeSettingJavaScriptURL(fineAttribute)) << | 409 element->isSVGAnimationAttributeSettingJavaScriptURL(fineAttribute)) << |
| 410 "The animate element should not identify a 'from' attribute with an " | 410 "The animate element should not identify a 'from' attribute with an " |
| 411 "innocuous value as setting a JavaScript URL."; | 411 "innocuous value as setting a JavaScript URL."; |
| 412 } | 412 } |
| 413 | 413 |
| 414 } // namespace blink | 414 } // namespace blink |
| OLD | NEW |
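Review bot: New-side line 394 re-assigns `element = SVGAnimateElement::create(*document);` right after line 393 initialised `element` with the same call, so the first element is created and immediately discarded; the second statement can be dropped. In the last test (lines 401-412) the element under test is an `SVGSetElement`, but the failure message begins `"The animate element should not identify ..."`; it should read `"The set element should not identify a 'from' attribute with an "` so that a regression in this sanitizer is reported against the right element. The message on line 316 also has the typo `strippef`. Every `javascript:` value in the visible tests is lower-case with no leading whitespace; if the lines not shown between 10 and 264 do not already cover other spellings of the scheme, adding a case for each would make this regression suite for `stripScriptingAttributes` stronger.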