Script attributes are copied and pasted, making cross-domain attacks possible (30019)
author: steveblock@google.com <steveblock@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jan 2010 01:12:43 +0000 (01:12 +0000)
committer: steveblock@google.com <steveblock@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jan 2010 01:12:43 +0000 (01:12 +0000)
commit: 5fd45c774a2d517e1c9ceab4068f9576f27465e1
tree: abea3bead26196346d93f954770a2de8a74d743f
parent: 3775de67997bd651a88c0b18ed77e6207b0464ba
Script attributes are copied and pasted, making cross-domain attacks possible (30019)
<rdar://problem/6008809>
https://bugs.webkit.org/show_bug.cgi?id=30019

Patch by Enrica Casucci <enrica@apple.com> on 2010-01-18
Reviewed by Darin Adler.

When we create the document fragment from a markup string,
either to perform a paste operation or a drag and drop, we
want to remove all the event handlers and any attribute that contains
a value that leads to code execution.
The HTMLParser class is now aware of the need to strip these attributes.
I've modified the call to createMarkupString for every platform.

Test: editing/pasteboard/paste-noscript.html

* WebCore.base.exp:
* dom/Element.cpp:
(WebCore::isEventHandlerAttribute):
(WebCore::Element::setAttributeMap):
* dom/Element.h:
* dom/MappedAttributeEntry.h:
(WebCore::):
* editing/markup.cpp:
(WebCore::createFragmentFromMarkup):
* editing/markup.h:
* html/HTMLElement.cpp:
(WebCore::HTMLElement::createContextualFragment):
* html/HTMLElement.h:
* html/HTMLParser.cpp:
(WebCore::HTMLParser::HTMLParser):
(WebCore::HTMLParser::parseToken):
* html/HTMLParser.h:
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::HTMLTokenizer):
(WebCore::parseHTMLDocumentFragment):
* html/HTMLTokenizer.h:
* platform/chromium/DragDataChromium.cpp:
(WebCore::DragData::asFragment):
* platform/chromium/PasteboardChromium.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/gtk/PasteboardGtk.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/mac/PasteboardMac.mm:
(WebCore::Pasteboard::documentFragment):
* platform/qt/DragDataQt.cpp:
(WebCore::DragData::asFragment):
* platform/qt/PasteboardQt.cpp:
(WebCore::Pasteboard::documentFragment):
* platform/win/ClipboardUtilitiesWin.cpp:
(WebCore::fragmentFromCF_HTML):
(WebCore::fragmentFromHTML):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@53443 268f45cc-cd09-0410-ab3c-d52691b4dbfc
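The stripping rule the commit message describes, shown as an added stand-alone illustration (not WebCore's HTMLParser code): while re-serializing pasted markup, drop every `on*` event handler attribute and every URL-bearing attribute whose decoded value resolves to a `javascript:` scheme. The attribute list, the whitespace/control-character normalization and the sample markup are assumptions made for this example.

```python
"""Remove script-bearing attributes from pasted HTML (added example, not WebCore code)."""
from html.parser import HTMLParser
from html import escape

# Assumption for this example: attributes whose value is treated as a URL.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href", "data"}


def is_event_handler_attribute(name):
    # Every HTML event handler attribute is named on<event>, case-insensitively.
    return name.lower().startswith("on")


def is_script_url(value):
    # Browsers ignore leading whitespace and control characters before the
    # scheme, so normalize the same way before comparing case-insensitively.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned.lower().startswith("javascript:")


def should_strip(name, value):
    if is_event_handler_attribute(name):
        return True
    return name.lower() in URL_ATTRIBUTES and value is not None and is_script_url(value)


class StrippingSerializer(HTMLParser):
    """Re-emits the markup it parses, minus attributes that could run script.
    HTMLParser lowercases names and decodes entities in attribute values, so
    onClick and &#106;avascript: are checked in their decoded form."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = [(n, v) for n, v in attrs if not should_strip(n, v)]
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                           for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def strip_script_attributes(markup):
    parser = StrippingSerializer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample of pasted markup (not taken from the bug report).
PASTED_MARKUP = ('<a href=" JavaScript:alert(1)" onClick="alert(2)" title="x">link</a>'
                 '<img src="/a.png" onerror="alert(3)">'
                 '<a href="&#106;avascript:alert(4)">encoded</a>'
                 '<a href="https://example.com/?q=javascript:">ok</a>')
```

Only the first three elements lose attributes; the last `href` keeps its value because `javascript:` appears in the query string, not as the scheme.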
WebCore/Android.jscbindings.mk
WebCore/ChangeLog
WebCore/GNUmakefile.am
WebCore/WebCore.xcodeproj/project.pbxproj
WebCore/bridge/jni/jsc/JavaClassJSC.cpp [moved from WebCore/bridge/jni/jni_class.cpp with 99% similarity]
WebCore/bridge/jni/jsc/JavaClassJSC.h [moved from WebCore/bridge/jni/jni_class.h with 96% similarity]
WebCore/bridge/jni/jsc/JavaInstanceJSC.cpp