third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp - Issue 2663433002: XSSAuditor: Include equals-sign for final unquoted empty attributes.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

Issue 2663433002: XSSAuditor: Include equals-sign for final unquoted empty attributes. (Closed)

Patch Set: strange error, rebase and try again. Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

index a6be932cbf045507ec240848f507dd2eb5d22389..58909e1374c0532149d5f397826341c08f4fd720 100644

--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

@@ -779,13 +779,19 @@ String XSSAuditor::nameFromAttribute(const FilterTokenRequest& request,

String XSSAuditor::snippetFromAttribute(const FilterTokenRequest& request,

const HTMLToken::Attribute& attribute) {

// The range doesn't include the character which terminates the value. So,

- // for an input of |name="value"|, the snippet is |name="value|. For an

- // unquoted input of |name=value |, the snippet is |name=value|.

+ // for an input of |name="value"|, the snippet is |name="value|. For a space

+ // terminated unquoted input of |name=value |, the snippet is |name=value|.

+ // Beware of empty unquoted values at the end of a token, we need to make sure

+ // we don't clip off the equals-sign as there is no trailing space.

// FIXME: We should grab one character before the name also.

- int start = attribute.nameRange().start - request.token.startIndex();

- int end = attribute.valueRange().end - request.token.startIndex();

+ int nameStart = attribute.nameRange().start - request.token.startIndex();

+ int valueStart = attribute.valueRange().start - request.token.startIndex();

+ int valueEnd = attribute.valueRange().end - request.token.startIndex();

+ int length = valueEnd - nameStart;

+ if (valueStart == valueEnd)

+ length += 1;

return request.sourceTracker.sourceForToken(request.token)

- .substring(start, end - start);

+ .substring(nameStart, length);

}

String XSSAuditor::canonicalize(String snippet, TruncationKind treatment) {