1 /* | 1 /* |
2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. | 2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. |
3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). | 3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
7 * are met: | 7 * are met: |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
190 } | 190 } |
191 | 191 |
192 static void truncateForSrcLikeAttribute(String& decodedSnippet) | 192 static void truncateForSrcLikeAttribute(String& decodedSnippet) |
193 { | 193 { |
194 // In HTTP URLs, characters following the first ?, #, or third slash may com
e from | 194 // In HTTP URLs, characters following the first ?, #, or third slash may com
e from |
195 // the page itself and can be merely ignored by an attacker's server when a
remote | 195 // the page itself and can be merely ignored by an attacker's server when a
remote |
196 // script or script-like resource is requested. In DATA URLS, the payload st
arts at | 196 // script or script-like resource is requested. In DATA URLS, the payload st
arts at |
197 // the first comma, and the the first /*, //, or <!-- may introduce a commen
t. Also, | 197 // the first comma, and the the first /*, //, or <!-- may introduce a commen
t. Also, |
198 // DATA URLs may use the same string literal tricks as with script content i
tself. | 198 // DATA URLs may use the same string literal tricks as with script content i
tself. |
199 // In either case, content following this may come from the page and may be
ignored | 199 // In either case, content following this may come from the page and may be
ignored |
200 // when the script is executed. | 200 // when the script is executed. Also, any of these characters may now be rep
resented |
| 201 // by the (enlarged) set of html5 entities. |
201 // For simplicity, we don't differentiate based on URL scheme, and stop at t
he first | 202 // For simplicity, we don't differentiate based on URL scheme, and stop at t
he first |
202 // # or ?, the third slash, or the first slash, <, ', or " once a comma is s
een. | 203 // & (since it might be part of an entity for any of the subsequent punctuat
ion), the |
| 204 // first # or ?, the third slash, or the first slash, <, ', or " once a comm
a is seen. |
203 int slashCount = 0; | 205 int slashCount = 0; |
204 bool commaSeen = false; | 206 bool commaSeen = false; |
205 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu
rrentLength) { | 207 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu
rrentLength) { |
206 UChar currentChar = decodedSnippet[currentLength]; | 208 UChar currentChar = decodedSnippet[currentLength]; |
207 if (currentChar == '?' | 209 if (currentChar == '&' |
| 210 || currentChar == '?' |
208 || currentChar == '#' | 211 || currentChar == '#' |
209 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s
lashCount > 2)) | 212 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s
lashCount > 2)) |
210 || (currentChar == '<' && commaSeen) | 213 || (currentChar == '<' && commaSeen) |
211 || (currentChar == '\'' && commaSeen) | 214 || (currentChar == '\'' && commaSeen) |
212 || (currentChar == '"' && commaSeen)) { | 215 || (currentChar == '"' && commaSeen)) { |
213 decodedSnippet.truncate(currentLength); | 216 decodedSnippet.truncate(currentLength); |
214 return; | 217 return; |
215 } | 218 } |
216 if (currentChar == ',') | 219 if (currentChar == ',') |
217 commaSeen = true; | 220 commaSeen = true; |
823 | 826 |
824 bool XSSAuditor::isSafeToSendToAnotherThread() const | 827 bool XSSAuditor::isSafeToSendToAnotherThread() const |
825 { | 828 { |
826 return m_documentURL.isSafeToSendToAnotherThread() | 829 return m_documentURL.isSafeToSendToAnotherThread() |
827 && m_decodedURL.isSafeToSendToAnotherThread() | 830 && m_decodedURL.isSafeToSendToAnotherThread() |
828 && m_decodedHTTPBody.isSafeToSendToAnotherThread() | 831 && m_decodedHTTPBody.isSafeToSendToAnotherThread() |
829 && m_httpBodyAsString.isSafeToSendToAnotherThread(); | 832 && m_httpBodyAsString.isSafeToSendToAnotherThread(); |
830 } | 833 } |
831 | 834 |
832 } // namespace blink | 835 } // namespace blink |
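Review bot: The new `currentChar == '&'` stop at line 209 is unconditional, so a value that begins with `&` is truncated to an empty snippet; whether the caller treats an empty snippet as "not contained in the request" is decided outside this hunk (truncateForSrcLikeAttribute's closing brace and its callers are past the collapsed region), so that handling should be confirmed rather than assumed, and a one-line comment here would make the intent explicit, e.g. `// Stopping at '&' can leave an empty snippet; callers must treat that as no match.`. Since truncation only ever shortens the substring that is later searched for in the request, the change can only make the auditor match more often, never less, so the risk is false positives rather than a bypass. The explanatory comment on new lines 200-201 attributes the problem to the "(enlarged) set of html5 entities", but numeric character references such as `&#63;` predate HTML5 and could already stand in for `?`, `#` or `/`; the comment would be more accurate if it said the snippet presumably still contains undecoded character references at this point, so any of the stop characters may be hidden behind an `&`. A regression test exercising a character reference in place of each stop character would pin the new behaviour.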