Reverse order of tests in eraseDangerousAttributeIfInjected().

Source/core/html/parser/XSSAuditor.cpp

Index: Source/core/html/parser/XSSAuditor.cpp
diff --git a/Source/core/html/parser/XSSAuditor.cpp b/Source/core/html/parser/XSSAuditor.cpp
index bef0b2043468ac4f10f94cc2af7824f77a1884d8..5189447af887450821e6a54670ff522c57b362a1 100644
--- a/Source/core/html/parser/XSSAuditor.cpp
+++ b/Source/core/html/parser/XSSAuditor.cpp
@@ -607,9 +607,6 @@ bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& re
         // FIXME: Don't create a new String for every attribute.value in the document.
         if (isNameOfInlineEventHandler(attribute.name)) {
             eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
-        } else if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.value)))) {
-            valueContainsJavaScriptURL = true;
-            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
         } else if (isSemicolonSeparatedAttribute(attribute)) {
             String subValue = semicolonSeparatedValueContainingJavaScriptURL(String(attribute.value));
             if (!subValue.isEmpty()) {
@@ -617,6 +614,9 @@ bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& re
                 eraseAttribute = isContainedInRequest(canonicalize(nameFromAttribute(request, attribute), NoTruncation))
                     && isContainedInRequest(canonicalize(subValue, ScriptLikeAttributeTruncation));
             }
+        } else if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.value)))) {
+            valueContainsJavaScriptURL = true;
+            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
         }
         if (!eraseAttribute)
             continue;