| Index: third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp b/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| index 6b9e52289bffc771b0183d4af628eec2bb971214..2aabde5f091cd2e9a1afeb43d6448a4a66895e6d 100644
|
| --- a/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| +++ b/third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp
|
| @@ -34,7 +34,7 @@
|
| //
|
| // There are two vectors for JavaScript URLs in SVG content:
|
| //
|
| -// 1. Attributes, for example xlink:href/href in an <svg:a> element.
|
| +// 1. Attributes, for example xlink:href in an <svg:a> element.
|
| // 2. Animations which set those attributes, for example
|
| // <animate attributeName="xlink:href" values="javascript:...
|
| //
|
| @@ -79,28 +79,6 @@
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| - " width='1cm' height='1cm'>"
|
| - " <a href='javascript:alert()'></a>"
|
| - "</svg>";
|
| - String sanitizedContent =
|
| - contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| -
|
| - EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| - "We should have pasted *something*; the document is: " <<
|
| - sanitizedContent.utf8().data();
|
| - EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| - "The JavaScript URL is unsafe and should have been stripped; "
|
| - "instead: " <<
|
| - sanitizedContent.utf8().data();
|
| -}
|
| -
|
| -TEST(
|
| - UnsafeSVGAttributeSanitizationTest,
|
| - pasteAnchor_javaScriptXlinkHrefIsStripped)
|
| -{
|
| - OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| - static const char unsafeContent[] =
|
| - "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='javascript:alert()'></a>"
|
| @@ -120,28 +98,6 @@
|
| TEST(
|
| UnsafeSVGAttributeSanitizationTest,
|
| pasteAnchor_javaScriptHrefIsStripped_caseAndEntityInProtocol)
|
| -{
|
| - OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| - static const char unsafeContent[] =
|
| - "<svg xmlns='http://www.w3.org/2000/svg' "
|
| - " width='1cm' height='1cm'>"
|
| - " <a href='jAvascriPT:alert()'></a>"
|
| - "</svg>";
|
| - String sanitizedContent =
|
| - contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| -
|
| - EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| - "We should have pasted *something*; the document is: " <<
|
| - sanitizedContent.utf8().data();
|
| - EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| - "The JavaScript URL is unsafe and should have been stripped; "
|
| - "instead: " <<
|
| - sanitizedContent.utf8().data();
|
| -}
|
| -
|
| -TEST(
|
| - UnsafeSVGAttributeSanitizationTest,
|
| - pasteAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
|
| {
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| @@ -169,28 +125,6 @@
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| "<svg xmlns='http://www.w3.org/2000/svg' "
|
| - " width='1cm' height='1cm'>"
|
| - " <a href='javascript:alert()'></a>"
|
| - "</svg>";
|
| - String sanitizedContent =
|
| - contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| -
|
| - EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
|
| - "We should have pasted *something*; the document is: " <<
|
| - sanitizedContent.utf8().data();
|
| - EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| - "The JavaScript URL is unsafe and should have been stripped; "
|
| - "instead: " <<
|
| - sanitizedContent.utf8().data();
|
| -}
|
| -
|
| -TEST(
|
| - UnsafeSVGAttributeSanitizationTest,
|
| - pasteAnchor_javaScriptXlinkHrefIsStripped_entityWithoutSemicolonInProtocol)
|
| -{
|
| - OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| - static const char unsafeContent[] =
|
| - "<svg xmlns='http://www.w3.org/2000/svg' "
|
| " xmlns:xlink='http://www.w3.org/1999/xlink'"
|
| " width='1cm' height='1cm'>"
|
| " <a xlink:href='javascript:alert()'></a>"
|
| @@ -215,30 +149,6 @@
|
| TEST(
|
| UnsafeSVGAttributeSanitizationTest,
|
| pasteAnimatedAnchor_javaScriptHrefIsStripped_caseAndEntityInProtocol)
|
| -{
|
| - OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| - static const char unsafeContent[] =
|
| - "<svg xmlns='http://www.w3.org/2000/svg' "
|
| - " width='1cm' height='1cm'>"
|
| - " <a href='https://www.google.com/'>"
|
| - " <animate attributeName='href' values='evil;JaVaSCRIpT:alert()'>"
|
| - " </a>"
|
| - "</svg>";
|
| - String sanitizedContent =
|
| - contentAfterPastingHTML(pageHolder.get(), unsafeContent);
|
| -
|
| - EXPECT_TRUE(sanitizedContent.contains("<a href=\"https://www.goo")) <<
|
| - "We should have pasted *something*; the document is: " <<
|
| - sanitizedContent.utf8().data();
|
| - EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
|
| - "The JavaScript URL is unsafe and should have been stripped; "
|
| - "instead: " <<
|
| - sanitizedContent.utf8().data();
|
| -}
|
| -
|
| -TEST(
|
| - UnsafeSVGAttributeSanitizationTest,
|
| - pasteAnimatedAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
|
| {
|
| OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
|
| static const char unsafeContent[] =
|
| @@ -281,13 +191,6 @@
|
| EXPECT_EQ(AnimatedString, element->animatedPropertyType());
|
|
|
| EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
|
| -
|
| - element->setAttributeName(SVGNames::hrefAttr);
|
| -
|
| - // Sanity check that href was identified as a "string" attribute
|
| - EXPECT_EQ(AnimatedString, element->animatedPropertyType());
|
| -
|
| - EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
|
| }
|
|
|
| TEST(
|
| @@ -296,7 +199,6 @@
|
| {
|
| Vector<Attribute> attributes;
|
| attributes.append(Attribute(XLinkNames::hrefAttr, "javascript:alert()"));
|
| - attributes.append(Attribute(SVGNames::hrefAttr, "javascript:alert()"));
|
| attributes.append(Attribute(SVGNames::fromAttr, "/home"));
|
| attributes.append(Attribute(SVGNames::toAttr, "javascript:own3d()"));
|
|
|
| @@ -304,30 +206,14 @@
|
| RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document);
|
| element->stripScriptingAttributes(attributes);
|
|
|
| - EXPECT_EQ(3ul, attributes.size()) <<
|
| + EXPECT_EQ(2ul, attributes.size()) <<
|
| "One of the attributes should have been stripped.";
|
| EXPECT_EQ(XLinkNames::hrefAttr, attributes[0].name()) <<
|
| "The 'xlink:href' attribute should not have been stripped from "
|
| "<animate> because it is not a URL attribute of <animate>.";
|
| - EXPECT_EQ(SVGNames::hrefAttr, attributes[1].name()) <<
|
| - "The 'href' attribute should not have been stripped from "
|
| - "<animate> because it is not a URL attribute of <animate>.";
|
| - EXPECT_EQ(SVGNames::fromAttr, attributes[2].name()) <<
|
| + EXPECT_EQ(SVGNames::fromAttr, attributes[1].name()) <<
|
| "The 'from' attribute should not have been strippef from <animate> "
|
| "because its value is innocuous.";
|
| -}
|
| -
|
| -TEST(
|
| - UnsafeSVGAttributeSanitizationTest,
|
| - isJavaScriptURLAttribute_hrefContainingJavascriptURL)
|
| -{
|
| - Attribute attribute(SVGNames::hrefAttr, "javascript:alert()");
|
| - RefPtrWillBeRawPtr<Document> document = Document::create();
|
| - RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document);
|
| - EXPECT_TRUE(
|
| - element->isJavaScriptURLAttribute(attribute)) <<
|
| - "The 'a' element should identify an 'href' attribute with a "
|
| - "JavaScript URL value as a JavaScript URL attribute";
|
| }
|
|
|
| TEST(
|
|
|
Chromium Code Reviews
Issue 1692673004:
Revert of Add support for 'href' (w/o XLink NS) for various SVG elements (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master