| Index: Source/core/html/parser/XSSAuditor.cpp
|
| diff --git a/Source/core/html/parser/XSSAuditor.cpp b/Source/core/html/parser/XSSAuditor.cpp
|
| index ccae51ca3072363c37573e4775617e1cdc501a26..a7646ac9ac33a9b89801446641a9ea1989aff1e5 100644
|
| --- a/Source/core/html/parser/XSSAuditor.cpp
|
| +++ b/Source/core/html/parser/XSSAuditor.cpp
|
| @@ -353,8 +353,8 @@ bool XSSAuditor::filterStartToken(const FilterTokenRequest& request)
|
| didBlockScript |= filterEmbedToken(request);
|
| else if (hasName(request.token, appletTag))
|
| didBlockScript |= filterAppletToken(request);
|
| - else if (hasName(request.token, iframeTag))
|
| - didBlockScript |= filterIframeToken(request);
|
| + else if (hasName(request.token, iframeTag) || hasName(request.token, frameTag))
|
| + didBlockScript |= filterFrameToken(request);
|
| else if (hasName(request.token, metaTag))
|
| didBlockScript |= filterMetaToken(request);
|
| else if (hasName(request.token, baseTag))
|
| @@ -460,10 +460,10 @@ bool XSSAuditor::filterAppletToken(const FilterTokenRequest& request)
|
| return didBlockScript;
|
| }
|
|
|
| -bool XSSAuditor::filterIframeToken(const FilterTokenRequest& request)
|
| +bool XSSAuditor::filterFrameToken(const FilterTokenRequest& request)
|
| {
|
| ASSERT(request.token.type() == HTMLToken::StartTag);
|
| - ASSERT(hasName(request.token, iframeTag));
|
| + ASSERT(hasName(request.token, iframeTag) || hasName(request.token, frameTag));
|
|
|
| bool didBlockScript = false;
|
| if (isContainedInRequest(decodedSnippetForName(request))) {
|
|
|
Chromium Code Reviews
Issue 23441066:
XSSAuditor bypass with frameset tags. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk