Index: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp |
diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp |
index 075afe8680b6cde3e4972daa0ce00a0a54157d38..97986825e14c3be3f4a37a2487e899a9baaa28b1 100644 |
--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp |
+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp |
@@ -197,14 +197,17 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet) |
// the first comma, and the the first /*, //, or <!-- may introduce a comment. Also, |
// DATA URLs may use the same string literal tricks as with script content itself. |
// In either case, content following this may come from the page and may be ignored |
- // when the script is executed. |
+ // when the script is executed. Also, any of these characters may now be represented |
+ // by the (enlarged) set of html5 entities. |
// For simplicity, we don't differentiate based on URL scheme, and stop at the first |
- // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen. |
+ // & (since it might be part of an entity for any of the subsequent punctuation), the |
+ // first # or ?, the third slash, or the first slash, <, ', or " once a comma is seen. |
int slashCount = 0; |
bool commaSeen = false; |
for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) { |
UChar currentChar = decodedSnippet[currentLength]; |
- if (currentChar == '?' |
+ if (currentChar == '&' |
Mike West
2016/04/26 08:10:38
Hrm. This might end up being a little overagressiv
|
+ || currentChar == '?' |
|| currentChar == '#' |
|| ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2)) |
|| (currentChar == '<' && commaSeen) |
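Review bot: The reworded comment block (`// when the script is executed. Also, any of these characters may now be represented` through `// first # or ?, the third slash, ...`) leaves the doubled "the the" on the untouched context line `// the first comma, and the the first /*, //, or <!-- may introduce a comment.` directly above it; since the commit is already rewriting this comment, drop the extra `the`. The justification for the new `currentChar == '&'` stop is also stated loosely: the parameter is named decodedSnippet, so if the snippet has already been through the auditor's entity decoder (which this hunk does not show), a surviving `&` would presumably be an entity the auditor did not recognise but the page's parser might, and saying that makes "may now be represented" concrete, e.g. `// Stop at '&' as well: an entity the auditor failed to decode could still encode any of the punctuation below.` Because `&` is tested before the `'/'` alternative, the `++slashCount` side effect is not reached for it, so the added branch does not change the slash counting for later characters. truncateForSrcLikeAttribute's body continues past the end of the hunk.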
@@ -791,6 +794,7 @@ String XSSAuditor::canonicalizedSnippetForJavaScript(const FilterTokenRequest& r |
bool XSSAuditor::isContainedInRequest(const String& decodedSnippet) |
{ |
+ |
Mike West
2016/04/26 08:10:38
Nit: Newline?
Tom Sepez
2016/04/26 16:00:09
Done.
|
if (decodedSnippet.isEmpty()) |
return false; |
if (m_decodedURL.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound) |