XSS Auditor bypass via svg tags and xlink:href
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 19:48:42 +0000 (19:48 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 19:48:42 +0000 (19:48 +0000)
commit 0fef11c1a0e65160fc3c582f074efc04f73c400d
tree 64cb715a5dfcda43560b91969c26f131bc290837
parent d1088d982c3b5793d940ed2939bfb996071cb61c
XSS Auditor bypass via svg tags and xlink:href
https://bugs.webkit.org/show_bug.cgi?id=84158

Source/WebCore:

This patch adds a test for the xlink:href attribute inside of
script tokens. The test is complicated by the namespacing; the
xlink hrefAttr qualified name does not contain a literal "xlink"
prefix but only the URI of the namespace.

Patch by Tom Sepez <tsepez@chromiium.org> on 2013-02-04
Reviewed by Adam Barth.

Test: http/tests/security/xssAuditor/svg-script-tag.html

* html/parser/XSSAuditor.cpp:
(WebCore::findAttributeWithName):
(WebCore::XSSAuditor::filterScriptToken):

LayoutTests:

Patch by Tom Sepez <tsepez@chromiium.org> on 2013-02-04
Reviewed by Adam Barth.

* http/tests/security/xssAuditor/svg-script-tag-expected.txt: Added.
* http/tests/security/xssAuditor/svg-script-tag.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@141791 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/svg-script-tag.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp
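
The namespacing complication described in the commit message, as an added example that is not WebKit's code: a lookup that compares a token's literal attribute name with the qualified name's local name misses `xlink:href`, while one that rebuilds the prefixed spelling from the namespace URI finds it. The types `TokenAttribute` and `QualifiedName`, the helper `tokenSpelling`, and the sample token are simplified assumptions made for illustration; only the name `findAttributeWithName` is taken from the change list above.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-ins (hypothetical, not WebKit's HTMLToken/QualifiedName).
struct TokenAttribute { std::string name, value; };
struct QualifiedName { std::string localName, namespaceURI; };

static const std::string kXLinkNS = "http://www.w3.org/1999/xlink";
static const QualifiedName kXLinkHref = {"href", kXLinkNS};
static const QualifiedName kSrc = {"src", ""};

// Constructed sample: attributes of a <script> start tag as a tokenizer
// would record them, with the prefixed name kept as one literal string.
std::vector<TokenAttribute> sampleScriptToken() {
    return {{"type", "text/javascript"},
            {"xlink:href", "https://example.test/a.js"}};
}

// Naive lookup: compares the token's literal name with the local name, so
// the namespaced attribute is never found.
int findByLocalName(const std::vector<TokenAttribute>& attrs, const QualifiedName& qn) {
    for (size_t i = 0; i < attrs.size(); ++i)
        if (attrs[i].name == qn.localName) return static_cast<int>(i);
    return -1;
}

// The qualified name carries only the namespace URI, so the literal
// spelling seen in the token has to be rebuilt from it.
std::string tokenSpelling(const QualifiedName& qn) {
    return qn.namespaceURI == kXLinkNS ? "xlink:" + qn.localName : qn.localName;
}

int findAttributeWithName(const std::vector<TokenAttribute>& attrs, const QualifiedName& qn) {
    const std::string wanted = tokenSpelling(qn);
    for (size_t i = 0; i < attrs.size(); ++i)
        if (attrs[i].name == wanted) return static_cast<int>(i);
    return -1;
}

int main() {
    const auto attrs = sampleScriptToken();
    std::printf("local-name lookup: %d\n", findByLocalName(attrs, kXLinkHref));
    std::printf("namespace-aware lookup: %d\n", findAttributeWithName(attrs, kXLinkHref));
    std::printf("src lookup: %d\n", findAttributeWithName(attrs, kSrc));
    return 0;
}
```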