Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(382)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

Issue 1689223003: XSSAuditor: script src=data URLs need truncation at quotes (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: I can't spell today at all. Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
index 39a5b57030bd66af99de2d67a89606f54686c9bc..a09ce165049c3201d0bfd4b732cdf8470926cd0c 100644
--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -196,10 +196,12 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet)
// In HTTP URLs, characters following the first ?, #, or third slash may come from
// the page itself and can be merely ignored by an attacker's server when a remote
// script or script-like resource is requested. In DATA URLS, the payload starts at
- // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
- // following this may come from the page itself and may be ignored when the script is
- // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
- // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+ // the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,
+ // DATA URLs may use the same string literal tricks as with script content itself.
+ // In either case, content following this may come from the page and may be ignored
+ // when the script is executed.
+ // For simplicity, we don't differentiate based on URL scheme, and stop at the first
+ // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
int slashCount = 0;
bool commaSeen = false;
for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
@@ -207,7 +209,9 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet)
if (currentChar == '?'
|| currentChar == '#'
|| ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
- || (currentChar == '<' && commaSeen)) {
+ || (currentChar == '<' && commaSeen)
+ || (currentChar == '\'' && commaSeen)
+ || (currentChar == '"' && commaSeen)) {
decodedSnippet.truncate(currentLength);
return;
}
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698