third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp - Issue 1906603003: XSSAuditor doesn't handle full set of html5 entities for punctuation.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

Issue 1906603003: XSSAuditor doesn't handle full set of html5 entities for punctuation. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

index 075afe8680b6cde3e4972daa0ce00a0a54157d38..97986825e14c3be3f4a37a2487e899a9baaa28b1 100644

--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

@@ -197,14 +197,17 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet)

// the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,

// DATA URLs may use the same string literal tricks as with script content itself.

// In either case, content following this may come from the page and may be ignored

- // when the script is executed.

+ // when the script is executed. Also, any of these characters may now be represented

+ // by the (enlarged) set of html5 entities.

// For simplicity, we don't differentiate based on URL scheme, and stop at the first

- // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.

+ // & (since it might be part of an entity for any of the subsequent punctuation), the

+ // first # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.

int slashCount = 0;

bool commaSeen = false;

for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {

UChar currentChar = decodedSnippet[currentLength];

- if (currentChar == '?'

+ if (currentChar == '&'

Mike West 2016/04/26 08:10:38 Hrm. This might end up being a little overagressiv

+ || currentChar == '?'

|| currentChar == '#'

|| ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))

|| (currentChar == '<' && commaSeen)

@@ -791,6 +794,7 @@ String XSSAuditor::canonicalizedSnippetForJavaScript(const FilterTokenRequest& r

bool XSSAuditor::isContainedInRequest(const String& decodedSnippet)

{

Mike West 2016/04/26 08:10:38 Nit: Newline?

Tom Sepez 2016/04/26 16:00:09 Done.

if (decodedSnippet.isEmpty())

return false;

if (m_decodedURL.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound)