XSSAuditor should strip formaction attributes from input and button elements.
[WebKit-https.git] / Source / WebCore / html / parser / XSSAuditor.cpp
index b6b346d..7848c26 100644 (file)
@@ -343,6 +343,10 @@ bool XSSAuditor::filterStartToken(const FilterTokenRequest& request)
         didBlockScript |= filterBaseToken(request);
     else if (hasName(request.token, formTag))
         didBlockScript |= filterFormToken(request);
+    else if (hasName(request.token, inputTag))
+        didBlockScript |= filterInputToken(request);
+    else if (hasName(request.token, buttonTag))
+        didBlockScript |= filterButtonToken(request);
 
     return didBlockScript;
 }
@@ -477,6 +481,22 @@ bool XSSAuditor::filterFormToken(const FilterTokenRequest& request)
     return eraseAttributeIfInjected(request, actionAttr, blankURL().string());
 }
 
+bool XSSAuditor::filterInputToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLToken::StartTag);
+    ASSERT(hasName(request.token, inputTag));
+
+    return eraseAttributeIfInjected(request, formactionAttr, blankURL().string(), SrcLikeAttribute);
+}
+
+bool XSSAuditor::filterButtonToken(const FilterTokenRequest& request)
+{
+    ASSERT(request.token.type() == HTMLToken::StartTag);
+    ASSERT(hasName(request.token, buttonTag));
+
+    return eraseAttributeIfInjected(request, formactionAttr, blankURL().string(), SrcLikeAttribute);
+}
+
 bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& request)
 {
     DEFINE_STATIC_LOCAL(String, safeJavaScriptURL, (ASCIILiteral("javascript:void(0)")));
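Review bot: `filterInputToken` and `filterButtonToken` have byte-identical bodies apart from the asserted tag name, and neither says why `formactionAttr` is erased with the `SrcLikeAttribute` argument while `filterFormToken` just above erases `actionAttr` without it; a reader auditing which attribute-matching mode applies to each URL-bearing attribute cannot tell whether the asymmetry is deliberate. A one-line comment above the call in both functions would settle it, for example `// formaction overrides the form's action for the submit control; matched like src so an injected URL is caught the same way.`, adjusted to whatever the actual reason for choosing `SrcLikeAttribute` was. The duplication itself could be folded into a single static helper that both dispatch arms call, keeping the two public entry points and their ASSERTs, so the attribute name and matching mode live in one place if they ever change. The dispatch added in the first hunk at lines 8–11 is fine as is; note that these arms are only reached for tokens not already matched by the earlier `else if` branches above the hunk.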