Fix XSSAuditor handling of semicolon-separated attributes.

Source/core/html/parser/XSSAuditor.cpp

 /*
  * Copyright (C) 2011 Adam Barth. All Rights Reserved.
  * Copyright (C) 2011 Daniel Bates (dbates@intudata.com).
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 231 matching lines @@
         return FilterReflectedXSS;
 
     return result;
 }
 
 static bool isSemicolonSeparatedAttribute(const HTMLToken::Attribute& attribute)
 {
     return threadSafeMatch(attribute.name, SVGNames::valuesAttr);
 }
 
-static bool semicolonSeparatedValueContainsJavaScriptURL(const String& value)
+static String semicolonSeparatedValueContainingJavaScriptURL(const String& value)
 {
     Vector<String> valueList;
     value.split(';', valueList);
     for (size_t i = 0; i < valueList.size(); ++i) {
-        if (protocolIsJavaScript(valueList[i]))
-            return true;
+        String stripped = stripLeadingAndTrailingHTMLSpaces(valueList[i]);
+        if (protocolIsJavaScript(stripped))
+            return stripped;
     }
-    return false;
+    return emptyString();
 }
 
 XSSAuditor::XSSAuditor()
     : m_isEnabled(false)
     , m_xssProtection(FilterReflectedXSS)
     , m_didSendValidCSPHeader(false)
     , m_didSendValidXSSProtectionHeader(false)
     , m_state(Uninitialized)
     , m_scriptTagFoundInRequest(false)
     , m_scriptTagNestingLevel(0)
@@ skipping 322 matching lines @@
 
     return eraseAttributeIfInjected(request, formactionAttr, kURLWithUniqueOrigin, SrcLikeAttributeTruncation);
 }
 
 bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& request)
 {
     DEFINE_STATIC_LOCAL(String, safeJavaScriptURL, ("javascript:void(0)"));
 
     bool didBlockScript = false;
     for (size_t i = 0; i < request.token.attributes().size(); ++i) {
+        bool eraseAttribute = false;
+        bool valueContainsJavaScriptURL = false;
         const HTMLToken::Attribute& attribute = request.token.attributes().at(i);
-        bool isInlineEventHandler = isNameOfInlineEventHandler(attribute.name);
-        // FIXME: It would be better if we didn't create a new String for every attribute in the document.
-        String strippedValue = stripLeadingAndTrailingHTMLSpaces(String(attribute.value));
-        bool valueContainsJavaScriptURL = (!isInlineEventHandler && protocolIsJavaScript(strippedValue)) || (isSemicolonSeparatedAttribute(attribute) && semicolonSeparatedValueContainsJavaScriptURL(strippedValue));
-        if (!isInlineEventHandler && !valueContainsJavaScriptURL)
-            continue;
-        if (!isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation)))
+        // FIXME: Don't create a new String for every attribute.value in the document.
+        if (isNameOfInlineEventHandler(attribute.name)) {
+            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
+        } else if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.value)))) {
+            valueContainsJavaScriptURL = true;
+            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
+        } else if (isSemicolonSeparatedAttribute(attribute)) {
+            String subValue = semicolonSeparatedValueContainingJavaScriptURL(String(attribute.value));
+            if (!subValue.isEmpty()) {
+                valueContainsJavaScriptURL = true;
+                eraseAttribute = isContainedInRequest(canonicalize(nameFromAttribute(request, attribute), NoTruncation))
+                    && isContainedInRequest(canonicalize(subValue, ScriptLikeAttributeTruncation));
+            }
+        }
+        if (!eraseAttribute)
             continue;
         request.token.eraseValueOfAttribute(i);
         if (valueContainsJavaScriptURL)
             request.token.appendToAttributeValue(i, safeJavaScriptURL);
         didBlockScript = true;
     }
     return didBlockScript;
 }
 
 bool XSSAuditor::eraseAttributeIfInjected(const FilterTokenRequest& request, const QualifiedName& attributeName, const String& replacementValue, TruncationKind treatment)
@@ skipping 20 matching lines @@
 
     return true;
 }
 
 String XSSAuditor::canonicalizedSnippetForTagName(const FilterTokenRequest& request)
 {
     // Grab a fixed number of characters equal to the length of the token's name plus one (to account for the "<").
     return canonicalize(request.sourceTracker.sourceForToken(request.token).substring(0, request.token.name().size() + 1), NoTruncation);
 }
 
+String XSSAuditor::nameFromAttribute(const FilterTokenRequest& request, const HTMLToken::Attribute& attribute)
+{
+    // The range inlcudes the character which terminates the name. So,
+    // for an input of |name="value"|, the snippet is |name=|.
+    int start = attribute.nameRange.start - request.token.startIndex();
+    int end = attribute.valueRange.start - request.token.startIndex();
+    return request.sourceTracker.sourceForToken(request.token).substring(start, end - start);
+}
+
 String XSSAuditor::snippetFromAttribute(const FilterTokenRequest& request, const HTMLToken::Attribute& attribute)
 {
-    // The range doesn't inlcude the character which terminates the value. So,
+    // The range doesn't include the character which terminates the value. So,
     // for an input of |name="value"|, the snippet is |name="value|. For an
     // unquoted input of |name=value |, the snippet is |name=value|.
     // FIXME: We should grab one character before the name also.
     int start = attribute.nameRange.start - request.token.startIndex();
     int end = attribute.valueRange.end - request.token.startIndex();
     return request.sourceTracker.sourceForToken(request.token).substring(start, end - start);
 }
 
 String XSSAuditor::canonicalize(String snippet, TruncationKind treatment)
 {
@@ skipping 116 matching lines @@
 
 bool XSSAuditor::isSafeToSendToAnotherThread() const
 {
     return m_documentURL.isSafeToSendToAnotherThread()
         && m_decodedURL.isSafeToSendToAnotherThread()
         && m_decodedHTTPBody.isSafeToSendToAnotherThread()
         && m_httpBodyAsString.isSafeToSendToAnotherThread();
 }
 
 } // namespace WebCore