Reformat comments in core/html/parser

third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

 /*
  * Copyright (C) 2011 Adam Barth. All Rights Reserved.
  * Copyright (C) 2011 Daniel Bates (dbates@intudata.com).
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 32 matching lines @@
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/MixedContentChecker.h"
 #include "platform/network/EncodedFormData.h"
 #include "platform/text/DecodeEscapeSequences.h"
 #include "wtf/ASCIICType.h"
 #include "wtf/PtrUtil.h"
 #include <memory>
 
 namespace {
 
-// SecurityOrigin::urlWithUniqueSecurityOrigin() can't be used cross-thread, or we'd use it instead.
+// SecurityOrigin::urlWithUniqueSecurityOrigin() can't be used cross-thread, or
+// we'd use it instead.
 const char kURLWithUniqueOrigin[] = "data:,";
 
 const char kSafeJavaScriptURL[] = "javascript:void(0)";
 
 }  // namespace
 
 namespace blink {
 
 using namespace HTMLNames;
 
 static bool isNonCanonicalCharacter(UChar c) {
-  // We remove all non-ASCII characters, including non-printable ASCII characters.
+  // We remove all non-ASCII characters, including non-printable ASCII
+  // characters.
   //
-  // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
-  // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
-  // adverse effect that we remove any legitimate zeros from a string.
+  // Note, we don't remove backslashes like PHP stripslashes(), which among
+  // other things converts "\\0" to the \0 character. Instead, we remove
+  // backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0").
+  // However, this has the adverse effect that we remove any legitimate zeros
+  // from a string.
   //
-  // We also remove forward-slash, because it is common for some servers to collapse successive path components, eg,
-  // a//b becomes a/b.
+  // We also remove forward-slash, because it is common for some servers to
+  // collapse successive path components, eg, a//b becomes a/b.
   //
-  // We also remove the questionmark character, since some severs replace invalid high-bytes with a questionmark. We
-  // are already stripping the high-bytes so we also strip the questionmark to match.
+  // We also remove the questionmark character, since some severs replace
+  // invalid high-bytes with a questionmark. We are already stripping the
+  // high-bytes so we also strip the questionmark to match.
   //
-  // We also move the percent character, since some servers strip it when there's a malformed sequence.
+  // We also move the percent character, since some servers strip it when
+  // there's a malformed sequence.
   //
-  // For instance: new String("http://localhost:8000?x") => new String("http:localhost:8x").
+  // For instance: new String("http://localhost:8000?x") => new
+  // String("http:localhost:8x").
   return (c == '\\' || c == '0' || c == '\0' || c == '/' || c == '?' ||
           c == '%' || c >= 127);
 }
 
 static bool isRequiredForInjection(UChar c) {
   return (c == '\'' || c == '"' || c == '<' || c == '>');
 }
 
 static bool isTerminatingCharacter(UChar c) {
   return (c == '&' || c == '/' || c == '"' || c == '\'' || c == '<' ||
@@ skipping 27 matching lines @@
 
 static bool startsOpeningScriptTagAt(const String& string, size_t start) {
   if (start + 6 >= string.length())
     return false;
   // TODO(esprehn): StringView should probably have startsWith.
   StringView script("<script");
   return equalIgnoringASCIICase(StringView(string, start, script.length()),
                                 script);
 }
 
-// If other files need this, we should move this to core/html/parser/HTMLParserIdioms.h
+// If other files need this, we should move this to
+// core/html/parser/HTMLParserIdioms.h
 template <size_t inlineCapacity>
 bool threadSafeMatch(const Vector<UChar, inlineCapacity>& vector,
                      const QualifiedName& qname) {
   return equalIgnoringNullity(vector, qname.localName().impl());
 }
 
 static bool hasName(const HTMLToken& token, const QualifiedName& name) {
   return threadSafeMatch(token.name(), name);
 }
 
 static bool findAttributeWithName(const HTMLToken& token,
                                   const QualifiedName& name,
                                   size_t& indexOfMatchingAttribute) {
-  // Notice that we're careful not to ref the StringImpl here because we might be on a background thread.
+  // Notice that we're careful not to ref the StringImpl here because we might
+  // be on a background thread.
   const String& attrName = name.namespaceURI() == XLinkNames::xlinkNamespaceURI
                                ? "xlink:" + name.localName().getString()
                                : name.localName().getString();
 
   for (size_t i = 0; i < token.attributes().size(); ++i) {
     if (equalIgnoringNullity(token.attributes().at(i).nameAsVector(),
                              attrName)) {
       indexOfMatchingAttribute = i;
       return true;
     }
   }
   return false;
 }
 
 static bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name) {
   const size_t lengthOfShortestInlineEventHandlerName = 5;  // To wit: oncut.
   if (name.size() < lengthOfShortestInlineEventHandlerName)
     return false;
   return name[0] == 'o' && name[1] == 'n';
 }
 
 static bool isDangerousHTTPEquiv(const String& value) {
   String equiv = value.stripWhiteSpace();
   return equalIgnoringCase(equiv, "refresh") ||
          equalIgnoringCase(equiv, "set-cookie");
 }
 
 static inline String decode16BitUnicodeEscapeSequences(const String& string) {
-  // Note, the encoding is ignored since each %u-escape sequence represents a UTF-16 code unit.
+  // Note, the encoding is ignored since each %u-escape sequence represents a
+  // UTF-16 code unit.
   return decodeEscapeSequences<Unicode16BitEscapeSequence>(string,
                                                            UTF8Encoding());
 }
 
 static inline String decodeStandardURLEscapeSequences(
     const String& string,
     const WTF::TextEncoding& encoding) {
-  // We use decodeEscapeSequences() instead of decodeURLEscapeSequences() (declared in weborigin/KURL.h) to
-  // avoid platform-specific URL decoding differences (e.g. KURLGoogle).
+  // We use decodeEscapeSequences() instead of decodeURLEscapeSequences()
+  // (declared in weborigin/KURL.h) to avoid platform-specific URL decoding
+  // differences (e.g. KURLGoogle).
   return decodeEscapeSequences<URLEscapeSequence>(string, encoding);
 }
 
 static String fullyDecodeString(const String& string,
                                 const WTF::TextEncoding& encoding) {
   size_t oldWorkingStringLength;
   String workingString = string;
   do {
     oldWorkingStringLength = workingString.length();
     workingString = decode16BitUnicodeEscapeSequences(
         decodeStandardURLEscapeSequences(workingString, encoding));
   } while (workingString.length() < oldWorkingStringLength);
   workingString.replace('+', ' ');
   return workingString;
 }
 
 static void truncateForSrcLikeAttribute(String& decodedSnippet) {
-  // In HTTP URLs, characters following the first ?, #, or third slash may come from
-  // the page itself and can be merely ignored by an attacker's server when a remote
-  // script or script-like resource is requested. In DATA URLS, the payload starts at
-  // the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,
-  // DATA URLs may use the same string literal tricks as with script content itself.
-  // In either case, content following this may come from the page and may be ignored
-  // when the script is executed. Also, any of these characters may now be represented
-  // by the (enlarged) set of html5 entities.
-  // For simplicity, we don't differentiate based on URL scheme, and stop at the first
-  // & (since it might be part of an entity for any of the subsequent punctuation), the
-  // first # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
+  // In HTTP URLs, characters following the first ?, #, or third slash may come
+  // from the page itself and can be merely ignored by an attacker's server when
+  // a remote script or script-like resource is requested. In DATA URLS, the
+  // payload starts at the first comma, and the the first /*, //, or <!-- may
+  // introduce a comment.
+  //
+  // Also, DATA URLs may use the same string literal tricks as with script
+  // content itself. In either case, content following this may come from the
+  // page and may be ignored when the script is executed. Also, any of these
+  // characters may now be represented by the (enlarged) set of html5 entities.
+  //
+  // For simplicity, we don't differentiate based on URL scheme, and stop at the
+  // first & (since it might be part of an entity for any of the subsequent
+  // punctuation), the first # or ?, the third slash, or the first slash, <, ',
+  // or " once a comma is seen.
   int slashCount = 0;
   bool commaSeen = false;
   for (size_t currentLength = 0; currentLength < decodedSnippet.length();
        ++currentLength) {
     UChar currentChar = decodedSnippet[currentLength];
     if (currentChar == '&' || currentChar == '?' || currentChar == '#' ||
         ((currentChar == '/' || currentChar == '\\') &&
          (commaSeen || ++slashCount > 2)) ||
         (currentChar == '<' && commaSeen) ||
         (currentChar == '\'' && commaSeen) ||
         (currentChar == '"' && commaSeen)) {
       decodedSnippet.truncate(currentLength);
       return;
     }
     if (currentChar == ',')
       commaSeen = true;
   }
 }
 
 static void truncateForScriptLikeAttribute(String& decodedSnippet) {
   // Beware of trailing characters which came from the page itself, not the
   // injected vector. Excluding the terminating character covers common cases
   // where the page immediately ends the attribute, but doesn't cover more
   // complex cases where there is other page data following the injection.
+  //
   // Generally, these won't parse as javascript, so the injected vector
   // typically excludes them from consideration via a single-line comment or
   // by enclosing them in a string literal terminated later by the page's own
   // closing punctuation. Since the snippet has not been parsed, the vector
   // may also try to introduce these via entities. As a result, we'd like to
   // stop before the first "//", the first <!--, the first entity, or the first
   // quote not immediately following the first equals sign (taking whitespace
-  // into consideration). To keep things simpler, we don't try to distinguish
-  // between entity-introducing amperands vs. other uses, nor do we bother to
-  // check for a second slash for a comment, nor do we bother to check for
-  // !-- following a less-than sign. We stop instead on any ampersand
-  // slash, or less-than sign.
+  // into consideration).
+  //
+  // To keep things simpler, we don't try to distinguish between
+  // entity-introducing amperands vs. other uses, nor do we bother to check for
+  // a second slash for a comment, nor do we bother to check for !-- following a
+  // less-than sign. We stop instead on any ampersand slash, or less-than sign.
   size_t position = 0;
   if ((position = decodedSnippet.find("=")) != kNotFound &&
       (position = decodedSnippet.find(isNotHTMLSpace<UChar>, position + 1)) !=
           kNotFound &&
       (position = decodedSnippet.find(
            isTerminatingCharacter,
            isHTMLQuote(decodedSnippet[position]) ? position + 1 : position)) !=
           kNotFound) {
     decodedSnippet.truncate(position);
   }
@@ skipping 65 matching lines @@
   m_documentURL = document->url().copy();
 
   // In theory, the Document could have detached from the LocalFrame after the
   // XSSAuditor was constructed.
   if (!document->frame()) {
     m_isEnabled = false;
     return;
   }
 
   if (m_documentURL.isEmpty()) {
-    // The URL can be empty when opening a new browser window or calling window.open("").
+    // The URL can be empty when opening a new browser window or calling
+    // window.open("").
     m_isEnabled = false;
     return;
   }
 
   if (m_documentURL.protocolIsData()) {
     m_isEnabled = false;
     return;
   }
 
   if (document->encoding().isValid())
@@ skipping 165 matching lines @@
 
   if (m_state == FilteringTokens && m_scriptTagFoundInRequest) {
     String snippet = canonicalizedSnippetForJavaScript(request);
     if (isContainedInRequest(snippet))
       m_state = SuppressingAdjacentCharacterTokens;
     else if (!snippet.isEmpty())
       m_state = PermittingAdjacentCharacterTokens;
   }
   if (m_state == SuppressingAdjacentCharacterTokens) {
     request.token.eraseCharacters();
-    request.token.appendToCharacter(
-        ' ');  // Technically, character tokens can't be empty.
+    // Technically, character tokens can't be empty.
+    request.token.appendToCharacter(' ');
     return true;
   }
   return false;
 }
 
 bool XSSAuditor::filterScriptToken(const FilterTokenRequest& request) {
   ASSERT(request.token.type() == HTMLToken::StartTag);
   ASSERT(hasName(request.token, scriptTag));
 
   bool didBlockScript = false;
@@ skipping 128 matching lines @@
                                   AllowSameOriginHref);
 }
 
 bool XSSAuditor::eraseDangerousAttributesIfInjected(
     const FilterTokenRequest& request) {
   bool didBlockScript = false;
   for (size_t i = 0; i < request.token.attributes().size(); ++i) {
     bool eraseAttribute = false;
     bool valueContainsJavaScriptURL = false;
     const HTMLToken::Attribute& attribute = request.token.attributes().at(i);
-    // FIXME: Don't create a new String for every attribute.value in the document.
+    // FIXME: Don't create a new String for every attribute.value in the
+    // document.
     if (isNameOfInlineEventHandler(attribute.nameAsVector())) {
       eraseAttribute = isContainedInRequest(
           canonicalize(snippetFromAttribute(request, attribute),
                        ScriptLikeAttributeTruncation));
     } else if (isSemicolonSeparatedAttribute(attribute)) {
       String subValue =
           semicolonSeparatedValueContainingJavaScriptURL(attribute.value());
       if (!subValue.isEmpty()) {
         valueContainsJavaScriptURL = true;
         eraseAttribute =
@@ skipping 46 matching lines @@
 
   request.token.eraseValueOfAttribute(indexOfAttribute);
   if (!replacementValue.isEmpty())
     request.token.appendToAttributeValue(indexOfAttribute, replacementValue);
 
   return true;
 }
 
 String XSSAuditor::canonicalizedSnippetForTagName(
     const FilterTokenRequest& request) {
-  // Grab a fixed number of characters equal to the length of the token's name plus one (to account for the "<").
+  // Grab a fixed number of characters equal to the length of the token's name
+  // plus one (to account for the "<").
   return canonicalize(request.sourceTracker.sourceForToken(request.token)
                           .substring(0, request.token.name().size() + 1),
                       NoTruncation);
 }
 
 String XSSAuditor::nameFromAttribute(const FilterTokenRequest& request,
                                      const HTMLToken::Attribute& attribute) {
   // The range inlcudes the character which terminates the name. So,
   // for an input of |name="value"|, the snippet is |name=|.
   int start = attribute.nameRange().start - request.token.startIndex();
@@ skipping 12 matching lines @@
   int end = attribute.valueRange().end - request.token.startIndex();
   return request.sourceTracker.sourceForToken(request.token)
       .substring(start, end - start);
 }
 
 String XSSAuditor::canonicalize(String snippet, TruncationKind treatment) {
   String decodedSnippet = fullyDecodeString(snippet, m_encoding);
 
   if (treatment != NoTruncation) {
     if (decodedSnippet.length() > kMaximumFragmentLengthTarget) {
-      // Let the page influence the stopping point to avoid disclosing leading fragments.
-      // Stop when we hit whitespace, since that is unlikely to be part a leading fragment.
+      // Let the page influence the stopping point to avoid disclosing leading
+      // fragments. Stop when we hit whitespace, since that is unlikely to be
+      // part a leading fragment.
       size_t position = kMaximumFragmentLengthTarget;
       while (position < decodedSnippet.length() &&
              !isHTMLSpace(decodedSnippet[position]))
         ++position;
       decodedSnippet.truncate(position);
     }
     if (treatment == SrcLikeAttributeTruncation)
       truncateForSrcLikeAttribute(decodedSnippet);
     else if (treatment == ScriptLikeAttributeTruncation)
       truncateForScriptLikeAttribute(decodedSnippet);
   }
 
   return decodedSnippet.removeCharacters(&isNonCanonicalCharacter);
 }
 
 String XSSAuditor::canonicalizedSnippetForJavaScript(
     const FilterTokenRequest& request) {
   String string = request.sourceTracker.sourceForToken(request.token);
   size_t startPosition = 0;
   size_t endPosition = string.length();
   size_t foundPosition = kNotFound;
   size_t lastNonSpacePosition = kNotFound;
 
   // Skip over initial comments to find start of code.
   while (startPosition < endPosition) {
     while (startPosition < endPosition &&
            isHTMLSpace<UChar>(string[startPosition]))
       startPosition++;
 
-    // Under SVG/XML rules, only HTML comment syntax matters and the parser returns
-    // these as a separate comment tokens. Having consumed whitespace, we need not look
-    // further for these.
+    // Under SVG/XML rules, only HTML comment syntax matters and the parser
+    // returns these as a separate comment tokens. Having consumed whitespace,
+    // we need not look further for these.
     if (request.shouldAllowCDATA)
       break;
 
-    // Under HTML rules, both the HTML and JS comment synatx matters, and the HTML
-    // comment ends at the end of the line, not with -->.
+    // Under HTML rules, both the HTML and JS comment synatx matters, and the
+    // HTML comment ends at the end of the line, not with -->.
     if (startsHTMLCommentAt(string, startPosition) ||
         startsSingleLineCommentAt(string, startPosition)) {
       while (startPosition < endPosition && !isJSNewline(string[startPosition]))
         startPosition++;
     } else if (startsMultiLineCommentAt(string, startPosition)) {
       if (startPosition + 2 < endPosition &&
           (foundPosition = string.find("*/", startPosition + 2)) != kNotFound)
         startPosition = foundPosition + 2;
       else
         startPosition = endPosition;
     } else
       break;
   }
 
   String result;
   while (startPosition < endPosition && !result.length()) {
-    // Stop at next comment (using the same rules as above for SVG/XML vs HTML), when we encounter a comma,
-    // when we encoutner a backtick, when we hit an opening <script> tag, or when we exceed the maximum length
-    // target. The comma rule covers a common parameter concatenation case performed by some web servers. The
-    // backtick rule covers the ECMA6 multi-line template string feature.
+    // Stop at next comment (using the same rules as above for SVG/XML vs HTML),
+    // when we encounter a comma, when we encoutner a backtick, when we hit an
+    // opening <script> tag, or when we exceed the maximum length target. The
+    // comma rule covers a common parameter concatenation case performed by some
+    // web servers. The backtick rule covers the ECMA6 multi-line template
+    // string feature.
     lastNonSpacePosition = kNotFound;
     for (foundPosition = startPosition; foundPosition < endPosition;
          foundPosition++) {
       if (!request.shouldAllowCDATA) {
         if (startsSingleLineCommentAt(string, foundPosition) ||
             startsMultiLineCommentAt(string, foundPosition) ||
             startsHTMLCommentAt(string, foundPosition)) {
           break;
         }
       }
       if (string[foundPosition] == ',' || string[foundPosition] == '`')
         break;
 
       if (lastNonSpacePosition != kNotFound &&
           startsOpeningScriptTagAt(string, foundPosition)) {
         foundPosition = lastNonSpacePosition + 1;
         break;
       }
       if (foundPosition > startPosition + kMaximumFragmentLengthTarget) {
-        // After hitting the length target, we can only stop at a point where we know we are
-        // not in the middle of a %-escape sequence. For the sake of simplicity, approximate
-        // not stopping inside a (possibly multiply encoded) %-escape sequence by breaking on
-        // whitespace only. We should have enough text in these cases to avoid false positives.
+        // After hitting the length target, we can only stop at a point where we
+        // know we are not in the middle of a %-escape sequence. For the sake of
+        // simplicity, approximate not stopping inside a (possibly multiply
+        // encoded) %-escape sequence by breaking on whitespace only. We should
+        // have enough text in these cases to avoid false positives.
         if (isHTMLSpace<UChar>(string[foundPosition]))
           break;
       }
       if (!isHTMLSpace<UChar>(string[foundPosition]))
         lastNonSpacePosition = foundPosition;
     }
     result = canonicalize(
         string.substring(startPosition, foundPosition - startPosition),
         NoTruncation);
     startPosition = foundPosition + 1;
@@ skipping 36 matching lines @@
 }
 
 bool XSSAuditor::isSafeToSendToAnotherThread() const {
   return m_documentURL.isSafeToSendToAnotherThread() &&
          m_decodedURL.isSafeToSendToAnotherThread() &&
          m_decodedHTTPBody.isSafeToSendToAnotherThread() &&
          m_httpBodyAsString.isSafeToSendToAnotherThread();
 }
 
 }  // namespace blink