Remove attributes that contain javascript from MHTML

third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp

 /*
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 43 matching lines @@
 
  private:
   void didSerializeDataForFrame(const WebCString& data,
                                 FrameSerializationStatus) final {
     m_builder.append(data.data(), data.length());
   }
 
   StringBuilder m_builder;
 };
 
+class SimpleMHTMLPartsGenerationDelegate
+    : public WebFrameSerializer::MHTMLPartsGenerationDelegate {
+ private:
+  bool shouldSkipResource(const WebURL&) final { return false; }
+
+  WebString getContentID(WebFrame*) final { return WebString(); }
+
+  WebFrameSerializerCacheControlPolicy cacheControlPolicy() final {
+    return WebFrameSerializerCacheControlPolicy::None;
+  }
+
+  bool useBinaryEncoding() final { return false; }
+};
+
 }  // namespace
 
 class WebFrameSerializerTest : public testing::Test {
  protected:
   WebFrameSerializerTest() { m_helper.initialize(); }
 
   ~WebFrameSerializerTest() override {
     Platform::current()->getURLLoaderMockFactory()->unregisterAllURLs();
     WebCache::clear();
   }
@@ skipping 83 matching lines @@
   EXPECT_EQ(expectedHTML, actualHTML);
 }
 
 TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {
   String actualHTML =
       serializeFile("http://www.test.com?--x--", "text_only_page.html");
   EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->",
             actualHTML.substring(1, 60));
 }
 
+class WebFrameSerializerSanitizationTest : public WebFrameSerializerTest {
+ protected:
+  WebFrameSerializerSanitizationTest() {}
+
+  ~WebFrameSerializerSanitizationTest() override {}
+
+  String generateMHTMLParts(const String& url, const String& fileName) {
+    KURL parsedURL(ParsedURLString, url);
+    URLTestHelpers::registerMockedURLLoad(parsedURL, fileName,
+                                          "frameserialization/", "text/html");
+    FrameTestHelpers::loadFrame(mainFrameImpl(), url.utf8().data());
+    WebThreadSafeData result = WebFrameSerializer::generateMHTMLParts(
+        WebString("boundary"), mainFrameImpl(), &m_mhtmlDelegate);
+    return String(result.data(), result.size());
+  }
+
+ private:
+  SimpleMHTMLPartsGenerationDelegate m_mhtmlDelegate;
+};
+
+TEST_F(WebFrameSerializerSanitizationTest, RemoveInlineScriptInAttributes) {
+  String mhtml =
+      generateMHTMLParts("http://www.test.com", "script_in_attributes.html");
+  EXPECT_EQ(std::string::npos, mhtml.find("onload="));
+  EXPECT_EQ(std::string::npos, mhtml.find("onclick="));
+  EXPECT_EQ(std::string::npos, mhtml.find("href="));
+  EXPECT_EQ(std::string::npos, mhtml.find("from="));
+  EXPECT_EQ(std::string::npos, mhtml.find("to="));
+  EXPECT_EQ(std::string::npos, mhtml.find("javascript:"));

[carlosk, 2016/11/30 01:03:16]

I think you should also test a few positive cases here, where attributes are
expected to not be removed. There might be some "edgy" cases you are aware of?

Currently if SimpleMHTMLPartsGenerationDelegate should override
shouldIgnoreAttribute to always return |false| this test would succeed.

[jianli, 2016/11/30 01:35:37]

Done.

+}
+
 }  // namespace blink