third_party/WebKit/Source/core/dom/Element.h - Issue 2531163004: Remove attributes that contain javascript from MHTML

Unified Diff: third_party/WebKit/Source/core/dom/Element.h

Issue 2531163004: Remove attributes that contain javascript from MHTML (Closed)

Patch Set: Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: third_party/WebKit/Source/core/dom/Element.h

diff --git a/third_party/WebKit/Source/core/dom/Element.h b/third_party/WebKit/Source/core/dom/Element.h

index 208585d7af83e48a1ed63bc2b1436893cec7586d..e5b4e34ca26b9f6df20b1072d77e1d1ad612ddc0 100644

--- a/third_party/WebKit/Source/core/dom/Element.h

+++ b/third_party/WebKit/Source/core/dom/Element.h

@@ -476,6 +476,15 @@ class CORE_EXPORT Element : public ContainerNode {

return false;

}

+ // Returns true is the given attribute is an event handler.

Łukasz Anforowicz 2016/11/29 18:59:55 typo: s/is/if/

jianli 2016/11/30 00:46:26 Done.

+ // We consider an event handler any attribute that begins with "on".

+ // It is a simple solution that has the advantage of not requiring any

+ // code or configuration change if a new event handler is defined.

+ static inline bool isEventHandlerAttribute(const Attribute& attribute) {

Łukasz Anforowicz 2016/11/29 18:59:55 Shouldn't this be a method of Attribute? (Law of

jianli 2016/11/30 00:46:26 Found out we have more cases to cover. Indeed the

+ return attribute.name().namespaceURI().isNull() &&

Łukasz Anforowicz 2016/11/29 18:59:55 Will this work when attributes are qualified with

jianli 2016/11/30 00:46:26 I am not an expert on this. Could tkent comment on

tkent 2016/11/30 08:10:17 All of HTML attributes have no namespace. An attr

+ attribute.name().localName().startsWith("on");

+ }

virtual bool isLiveLink() const { return false; }

KURL hrefURL() const;