1 /* | 1 /* |
2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. | 2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. |
3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). | 3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
7 * are met: | 7 * are met: |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
189 } while (workingString.length() < oldWorkingStringLength); | 189 } while (workingString.length() < oldWorkingStringLength); |
190 workingString.replace('+', ' '); | 190 workingString.replace('+', ' '); |
191 return workingString; | 191 return workingString; |
192 } | 192 } |
193 | 193 |
194 static void truncateForSrcLikeAttribute(String& decodedSnippet) | 194 static void truncateForSrcLikeAttribute(String& decodedSnippet) |
195 { | 195 { |
196 // In HTTP URLs, characters following the first ?, #, or third slash may com
e from | 196 // In HTTP URLs, characters following the first ?, #, or third slash may com
e from |
197 // the page itself and can be merely ignored by an attacker's server when a
remote | 197 // the page itself and can be merely ignored by an attacker's server when a
remote |
198 // script or script-like resource is requested. In DATA URLS, the payload st
arts at | 198 // script or script-like resource is requested. In DATA URLS, the payload st
arts at |
199 // the first comma, and the the first /*, //, or <!-- may introduce a commen
t. Characters | 199 // the first comma, and the the first /*, //, or <!-- may introduce a commen
t. Also, |
200 // following this may come from the page itself and may be ignored when the
script is | 200 // DATA URLs may use the same string literal tricks as with script content i
tself. |
201 // executed. For simplicity, we don't differentiate based on URL scheme, and
stop at | 201 // In either case, content following this may come from the page and may be
ignored |
202 // the first # or ?, the third slash, or the first slash or < once a comma i
s seen. | 202 // when the script is executed. |
| 203 // For simplicity, we don't differentiate based on URL scheme, and stop at t
he first |
| 204 // # or ?, the third slash, or the first slash, <, ', or " once a comma is s
een. |
203 int slashCount = 0; | 205 int slashCount = 0; |
204 bool commaSeen = false; | 206 bool commaSeen = false; |
205 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu
rrentLength) { | 207 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu
rrentLength) { |
206 UChar currentChar = decodedSnippet[currentLength]; | 208 UChar currentChar = decodedSnippet[currentLength]; |
207 if (currentChar == '?' | 209 if (currentChar == '?' |
208 || currentChar == '#' | 210 || currentChar == '#' |
209 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s
lashCount > 2)) | 211 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s
lashCount > 2)) |
210 || (currentChar == '<' && commaSeen)) { | 212 || (currentChar == '<' && commaSeen) |
| 213 || (currentChar == '\'' && commaSeen) |
| 214 || (currentChar == '"' && commaSeen)) { |
211 decodedSnippet.truncate(currentLength); | 215 decodedSnippet.truncate(currentLength); |
212 return; | 216 return; |
213 } | 217 } |
214 if (currentChar == ',') | 218 if (currentChar == ',') |
215 commaSeen = true; | 219 commaSeen = true; |
216 } | 220 } |
217 } | 221 } |
218 | 222 |
219 static void truncateForScriptLikeAttribute(String& decodedSnippet) | 223 static void truncateForScriptLikeAttribute(String& decodedSnippet) |
220 { | 224 { |
820 | 824 |
821 bool XSSAuditor::isSafeToSendToAnotherThread() const | 825 bool XSSAuditor::isSafeToSendToAnotherThread() const |
822 { | 826 { |
823 return m_documentURL.isSafeToSendToAnotherThread() | 827 return m_documentURL.isSafeToSendToAnotherThread() |
824 && m_decodedURL.isSafeToSendToAnotherThread() | 828 && m_decodedURL.isSafeToSendToAnotherThread() |
825 && m_decodedHTTPBody.isSafeToSendToAnotherThread() | 829 && m_decodedHTTPBody.isSafeToSendToAnotherThread() |
826 && m_httpBodyAsString.isSafeToSendToAnotherThread(); | 830 && m_httpBodyAsString.isSafeToSendToAnotherThread(); |
827 } | 831 } |
828 | 832 |
829 } // namespace blink | 833 } // namespace blink |
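Review bot: The three `&& commaSeen` alternatives at new lines 212-214 of truncateForSrcLikeAttribute repeat the same guard; grouping them as `|| (commaSeen && (currentChar == '<' || currentChar == '\'' || currentChar == '"'))` keeps the data-URL-only stop characters in one place and makes the next addition a one-token change rather than another line. The rewritten comment at new line 199 still reads `the the first /*`; dropping the duplicated `the` while the block is being edited would be cheap. I do not see a test covering the new `'` and `"` stops in this chunk — if it lives in a separate layout test that is fine, but if not, a data: URL payload containing each quote after the comma is worth pinning so the truncation point cannot regress silently.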