Script attributes are copied and pasted, making cross-domain attacks possible (30019)
author enrica@apple.com <enrica@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jan 2010 01:07:49 +0000 (01:07 +0000)
committer enrica@apple.com <enrica@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jan 2010 01:07:49 +0000 (01:07 +0000)
commit 3775de67997bd651a88c0b18ed77e6207b0464ba
tree 89d7e3956774851fe6dd77c0532071e04a3c1dca
parent 1ccd6074fbad9f3347b209413af171574f789fd6
Script attributes are copied and pasted, making cross-domain attacks possible (30019)
<rdar://problem/6008809>
https://bugs.webkit.org/show_bug.cgi?id=30019

Reviewed by Darin Adler.

WebCore:

When we create the document fragment from a markup string,
either to perform a paste operation or a drag and drop, we
want to remove all the event handlers and any attribute that contains
a value that leads to code execution.
The HTMLParser class is now aware of the need to strip these attributes.
I've modified the call to createMarkupString for every platform.

Test: editing/pasteboard/paste-noscript.html

* WebCore.base.exp:
* dom/Element.cpp:
(WebCore::isEventHandlerAttribute):
(WebCore::Element::setAttributeMap):
* dom/Element.h:
* dom/MappedAttributeEntry.h:
(WebCore::):
* editing/markup.cpp:
(WebCore::createFragmentFromMarkup):
* editing/markup.h:
* html/HTMLElement.cpp:
(WebCore::HTMLElement::createContextualFragment):
* html/HTMLElement.h:
* html/HTMLParser.cpp:
(WebCore::HTMLParser::HTMLParser):
(WebCore::HTMLParser::parseToken):
* html/HTMLParser.h:
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::HTMLTokenizer):
(WebCore::parseHTMLDocumentFragment):
* html/HTMLTokenizer.h:
* platform/chromium/DragDataChromium.cpp:
(WebCore::DragData::asFragment):
* platform/chromium/PasteboardChromium.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/gtk/PasteboardGtk.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/mac/PasteboardMac.mm:
(WebCore::Pasteboard::documentFragment):
* platform/qt/DragDataQt.cpp:
(WebCore::DragData::asFragment):
* platform/qt/PasteboardQt.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/win/ClipboardUtilitiesWin.cpp:
(WebCore::fragmentFromCF_HTML):
(WebCore::fragmentFromHTML):

WebKit/mac:

* WebView/WebFrame.mm:
(-[WebFrame _documentFragmentWithMarkupString:baseURLString:]): Modified the call to createMarkupString.

LayoutTests:

* editing/pasteboard/paste-noscript-expected.txt: Added.
* editing/pasteboard/paste-noscript.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@53442 268f45cc-cd09-0410-ab3c-d52691b4dbfc
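The policy the commit message describes (drop inline event handlers and any attribute whose value would run script when a fragment is built from pasted or dropped markup) as an added, stand-alone example. This is not WebKit's code: the real fix lives in WebCore's HTMLParser and works on tokens at parse time, whereas this example applies the same two predicates with a small regex tag scanner so it can run outside a browser, plus a DOM-walking variant for use inside one. The function names, the URL_ATTRIBUTES list (the commit does not enumerate which attributes it inspects) and the sample markup are assumptions constructed for the example.

```javascript
// Added example, not WebKit's implementation. Strips the two attribute
// classes the commit describes from markup destined for a paste/drop fragment:
//   1. inline event handlers (any on* attribute), and
//   2. URL-valued attributes whose value is a javascript: URL.
// Hypothetical names throughout; URL_ATTRIBUTES is an assumption.

const URL_ATTRIBUTES = new Set([
  'href', 'src', 'action', 'formaction', 'xlink:href', 'data', 'poster', 'background',
]);

function isEventHandlerAttribute(name) {
  // Same intent as an "is this an on* attribute" check: onclick, onerror, ...
  const n = name.toLowerCase();
  return n.length > 2 && n.startsWith('on');
}

function isJavaScriptURL(value) {
  // Browsers tolerate entity-encoded scheme characters and ASCII control
  // characters/whitespace inside the scheme, so normalize before comparing.
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&tab;|&newline;/gi, '');
  const stripped = decoded.replace(/[\u0000-\u0020]/g, '');
  return /^javascript:/i.test(stripped);
}

function isAttributeWithScriptValue(name, value) {
  // Only attributes the browser treats as URLs can launch a javascript: URL.
  return URL_ATTRIBUTES.has(name.toLowerCase()) && isJavaScriptURL(value);
}

// Start tags only (closing tags and text are passed through untouched).
// Quoted values may contain '>' and are consumed as a unit.
const TAG_RE =
  /<([a-zA-Z][^\s\/>]*)((?:\s+[^\s=\/>"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Returns { markup, removed }: the filtered markup and a "tag@attr" audit list.
function stripDangerousAttributes(markup) {
  const removed = [];
  const out = markup.replace(TAG_RE, (whole, tagName, attrsText, selfClose) => {
    const kept = [];
    for (const m of attrsText.matchAll(ATTR_RE)) {
      const name = m[1];
      const raw = m[2] === undefined ? '' : m[2];
      const value = raw.replace(/^["']|["']$/g, '');
      if (isEventHandlerAttribute(name) || isAttributeWithScriptValue(name, value)) {
        removed.push(`${tagName}@${name}`);
        continue;
      }
      kept.push(m[2] === undefined ? name : `${name}=${raw}`);
    }
    const attrs = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tagName}${attrs}${selfClose ? '/' : ''}>`;
  });
  return { markup: out, removed };
}

// Browser-side variant: apply the same policy to an already parsed tree
// (e.g. a DocumentFragment from Range.createContextualFragment) before
// inserting it in a paste or drop handler. Not exercised under Node.
function stripDangerousAttributesFromTree(root) {
  for (const el of root.querySelectorAll('*')) {
    for (const { name, value } of Array.from(el.attributes)) {
      if (isEventHandlerAttribute(name) || isAttributeWithScriptValue(name, value)) {
        el.removeAttribute(name);
      }
    }
  }
}

// Constructed sample clipboard payload (not taken from the commit or its test).
const SAMPLE_PASTE =
  '<p onmouseover="steal()">Hi <a href="javascript:alert(document.domain)">link</a>' +
  '<img src="x" onerror="alert(1)"><a href="  JaVaScRiPt:alert(1)">x</a>' +
  '<a href="&#106;avascript:alert(1)">y</a><a href="https://example.com">ok</a></p>';

console.log(stripDangerousAttributes(SAMPLE_PASTE));
```

The audit list is there because a paste sanitizer that silently drops attributes is hard to debug; logging what was removed from which tag makes it obvious when a legitimate attribute is being caught. The regex scanner is a stand-in for the parser-level hook the commit adds, so in a real page prefer the tree-walking variant on the fragment the browser has already parsed.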
25 files changed:
LayoutTests/ChangeLog
LayoutTests/editing/pasteboard/paste-noscript-expected.txt [new file with mode: 0644]
LayoutTests/editing/pasteboard/paste-noscript.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/WebCore.base.exp
WebCore/dom/Element.cpp
WebCore/dom/Element.h
WebCore/dom/MappedAttributeEntry.h
WebCore/editing/markup.cpp
WebCore/editing/markup.h
WebCore/html/HTMLElement.cpp
WebCore/html/HTMLElement.h
WebCore/html/HTMLParser.cpp
WebCore/html/HTMLParser.h
WebCore/html/HTMLTokenizer.cpp
WebCore/html/HTMLTokenizer.h
WebCore/platform/chromium/DragDataChromium.cpp
WebCore/platform/chromium/PasteboardChromium.cpp
WebCore/platform/gtk/PasteboardGtk.cpp
WebCore/platform/mac/PasteboardMac.mm
WebCore/platform/qt/DragDataQt.cpp
WebCore/platform/qt/PasteboardQt.cpp
WebCore/platform/win/ClipboardUtilitiesWin.cpp
WebKit/mac/ChangeLog
WebKit/mac/WebView/WebFrame.mm