[Autofill] Sanitize all data that comes in over IPC.

components/autofill/content/renderer/autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/autofill_agent.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/message_loop/message_loop.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "components/autofill/content/common/autofill_messages.h"
 #include "components/autofill/content/renderer/form_autofill_util.h"
 #include "components/autofill/content/renderer/page_click_tracker.h"
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 #include "components/autofill/core/common/autofill_constants.h"
+#include "components/autofill/core/common/autofill_data_validation.h"
 #include "components/autofill/core/common/autofill_switches.h"
 #include "components/autofill/core/common/form_data.h"
 #include "components/autofill/core/common/form_data_predictions.h"
 #include "components/autofill/core/common/form_field_data.h"
 #include "components/autofill/core/common/password_form.h"
 #include "components/autofill/core/common/web_element_descriptor.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/ssl_status.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/renderer/render_view.h"
@@ skipping 18 matching lines @@
 using blink::WebFormControlElement;
 using blink::WebFormElement;
 using blink::WebFrame;
 using blink::WebInputElement;
 using blink::WebKeyboardEvent;
 using blink::WebNode;
 using blink::WebNodeCollection;
 using blink::WebOptionElement;
 using blink::WebString;
 
+namespace autofill {
+
 namespace {
 
-// The size above which we stop triggering autofill for an input text field
-// (so to avoid sending long strings through IPC).
-const size_t kMaximumTextSizeForAutofill = 1000;
-
-// The maximum number of data list elements to send to the browser process
-// via IPC (to prevent long IPC messages).
-const size_t kMaximumDataListSizeForAutofill = 30;
-
-
 // Gets all the data list values (with corresponding label) for the given
 // element.
 void GetDataListSuggestions(const blink::WebInputElement& element,
                             bool ignore_current_value,
                             std::vector<base::string16>* values,
                             std::vector<base::string16>* labels) {
   WebNodeCollection options = element.dataListOptions();
   if (options.isNull())
     return;
 
@@ skipping 20 matching lines @@
       labels->push_back(option.label());
     else
       labels->push_back(base::string16());
   }
 }
 
 // Trim the vector before sending it to the browser process to ensure we
 // don't send too much data through the IPC.
 void TrimStringVectorForIPC(std::vector<base::string16>* strings) {
   // Limit the size of the vector.
-  if (strings->size() > kMaximumDataListSizeForAutofill)
-    strings->resize(kMaximumDataListSizeForAutofill);
+  if (strings->size() > kMaxListSize)
+    strings->resize(kMaxListSize);
 
   // Limit the size of the strings in the vector.
   for (size_t i = 0; i < strings->size(); ++i) {
-    if ((*strings)[i].length() > kMaximumTextSizeForAutofill)
-      (*strings)[i].resize(kMaximumTextSizeForAutofill);
+    if ((*strings)[i].length() > kMaxDataLength)
+      (*strings)[i].resize(kMaxDataLength);
   }
 }
 
 gfx::RectF GetScaledBoundingBox(float scale, WebInputElement* element) {
   gfx::Rect bounding_box(element->boundsInViewportSpace());
   return gfx::RectF(bounding_box.x() * scale,
                     bounding_box.y() * scale,
                     bounding_box.width() * scale,
                     bounding_box.height() * scale);
 }
 
 }  // namespace
 
-namespace autofill {
-
 AutofillAgent::AutofillAgent(content::RenderView* render_view,
                              PasswordAutofillAgent* password_autofill_agent)
     : content::RenderViewObserver(render_view),
       password_autofill_agent_(password_autofill_agent),
       autofill_query_id_(0),
       autofill_action_(AUTOFILL_NONE),
       web_view_(render_view->GetWebView()),
       display_warning_if_disabled_(false),
       was_query_node_autofilled_(false),
       has_shown_autofill_popup_for_current_edit_(false),
@@ skipping 365 matching lines @@
   if (!element.isEnabled() || element.isReadOnly() || !element.isTextField() ||
       element.isPasswordField())
     return;
   if (!datalist_only && !element.suggestedValue().isEmpty())
     return;
 
   // Don't attempt to autofill with values that are too large or if filling
   // criteria are not met.
   WebString value = element.editingValue();
   if (!datalist_only &&
-      (value.length() > kMaximumTextSizeForAutofill ||
+      (value.length() > kMaxDataLength ||
        (!autofill_on_empty_values && value.isEmpty()) ||
        (requires_caret_at_end &&
         (element.selectionStart() != element.selectionEnd() ||
          element.selectionEnd() != static_cast<int>(value.length()))))) {
     // Any popup currently showing is obsolete.
     HideAutofillUI();
     return;
   }
 
   element_ = element;
@@ skipping 109 matching lines @@
     // Only monitors dynamic forms created in the top frame. Dynamic forms
     // inserted in iframes are not captured yet.
     if (!frame->parent()) {
       password_autofill_agent_->OnDynamicFormsSeen(frame);
       return;
     }
   }
 }
 
 }  // namespace autofill