Unified Diff: third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp

Issue 2531163004: Remove attributes that contain javascript from MHTML (Closed)
Patch Set: Address final feedback Created 4 years ago
Index: third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
diff --git a/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp b/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
index 9e1caf5b6438832051464a5d05e4d8ee9a5d22ff..468e236bc0b3d303436561a3a4e1741d26c6d2a6 100644
--- a/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
+++ b/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
@@ -61,6 +61,20 @@ class SimpleWebFrameSerializerClient final : public WebFrameSerializerClient {
StringBuilder m_builder;
};
+class SimpleMHTMLPartsGenerationDelegate
+ : public WebFrameSerializer::MHTMLPartsGenerationDelegate {
+ private:
+ bool shouldSkipResource(const WebURL&) final { return false; }
+
+ WebString getContentID(WebFrame*) final { return WebString("<cid>"); }
+
+ WebFrameSerializerCacheControlPolicy cacheControlPolicy() final {
+ return WebFrameSerializerCacheControlPolicy::None;
+ }
+
+ bool useBinaryEncoding() final { return false; }
+};
+
} // namespace
class WebFrameSerializerTest : public testing::Test {
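Review bot: `SimpleMHTMLPartsGenerationDelegate` marks every override `final` but leaves the class itself open, unlike its sibling `SimpleWebFrameSerializerClient final` shown in the hunk header; since nothing derives from this anonymous-namespace stub, `class SimpleMHTMLPartsGenerationDelegate final` keeps the two helpers consistent. `getContentID` also returns the same `"<cid>"` for every frame, and the sanitization test below serializes a fixture that contains a frame element, so the generated parts presumably share one Content-ID; if that is intentional it deserves a comment such as `// Every frame gets the same Content-ID; the tests only inspect body text, not part headers.`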
@@ -164,4 +178,46 @@ TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {
actualHTML.substring(1, 60));
}
+class WebFrameSerializerSanitizationTest : public WebFrameSerializerTest {
+ protected:
+ WebFrameSerializerSanitizationTest() {}
+
+ ~WebFrameSerializerSanitizationTest() override {}
+
+ String generateMHTMLParts(const String& url, const String& fileName) {
+ KURL parsedURL(ParsedURLString, url);
+ URLTestHelpers::registerMockedURLLoad(parsedURL, fileName,
+ "frameserialization/", "text/html");
+ FrameTestHelpers::loadFrame(mainFrameImpl(), url.utf8().data());
+ WebThreadSafeData result = WebFrameSerializer::generateMHTMLParts(
+ WebString("boundary"), mainFrameImpl(), &m_mhtmlDelegate);
+ return String(result.data(), result.size());
+ }
+
+ private:
+ SimpleMHTMLPartsGenerationDelegate m_mhtmlDelegate;
+};
+
+TEST_F(WebFrameSerializerSanitizationTest, RemoveInlineScriptInAttributes) {
+ String mhtml =
+ generateMHTMLParts("http://www.test.com", "script_in_attributes.html");
+
+ // These scripting attributes should be removed.
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("onload="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("ONLOAD="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("onclick="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("href="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("from="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("to="));
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("javascript:"));
+
+ // These non-scripting attributes should remain intact.
+ EXPECT_NE(WTF::kNotFound, mhtml.find("class="));
+ EXPECT_NE(WTF::kNotFound, mhtml.find("id="));
+
+ // srcdoc attribute of frame element should be replaced with src attribute.
+ EXPECT_EQ(WTF::kNotFound, mhtml.find("srcdoc="));
+ EXPECT_NE(WTF::kNotFound, mhtml.find("src="));
+}
+
} // namespace blink
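Review bot: The negative assertions for `href=`, `from=` and `to=` check attribute names that are legitimate in general and are expected to disappear only because every instance in script_in_attributes.html presumably carries a `javascript:` value, which the test does not say; a later edit adding a benign href to the fixture would make the test fail for a reason unrelated to the sanitizer. Suggest replacing the comment above them with `// These attribute names are not scripting attributes; they vanish here only because every instance in the fixture holds a javascript: URL.` The substring matches also assume the HTML part appears verbatim in the MHTML body (the delegate disables binary encoding); if the part were transfer-encoded, the `kNotFound` checks would pass vacuously, though the positive `class=` and `id=` checks would then fail and expose that, so a comment noting that those two lines guard against a vacuous pass would help. The test body and the `generateMHTMLParts` helper are complete within the hunk.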
