XSS Auditor bypass via script tag src=data:, URLs.
author    tsepez@chromium.org <tsepez@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 23 Mar 2012 02:13:24 +0000 (02:13 +0000)
committer tsepez@chromium.org <tsepez@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 23 Mar 2012 02:13:24 +0000 (02:13 +0000)
commit    e112efc654658e8d465869b90b263e14ab9cfa08
tree      5c846c4ff72adfe783bf995c7c05074ae346f5fe
parent    c7431da30d6421755bcb4098eb9facbba9d244c0
XSS Auditor bypass via script tag src=data:, URLs.
https://bugs.webkit.org/show_bug.cgi?id=81948

Reviewed by Adam Barth.

Source/WebCore:

This change fixes an XSSAuditor bypass whereby a script with a data: URL src
attribute could evade detection by using characters from the page to create
a snippet for matching not found in the URL's reflected vector.  This change
terminates the snippet for matching earlier in these cases.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url2.html

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::decodedSnippetForAttribute):

LayoutTests:

Add a test that data: URLs can't bypass xssauditor with trailing comments.

* http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@111808 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp
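The following is an added illustration, written for this page, of the matching step the ChangeLog describes; it is not WebKit's XSSAuditor.cpp and the truncation rules in it are assumptions that model the described behaviour rather than the project's exact logic. The auditor takes the source text of a src attribute from the start tag, decodes it into a "snippet for matching", and blocks the script only if that snippet occurs in the request URL. An attacker who injects an unquoted `src=data:,alert(1)//` lets page text after it become part of the attribute value; the `//` turns that text into a JavaScript comment so the payload still runs, but the text is not in the URL, so the full snippet never matches. The modelled fix stops the snippet at the first slash after the comma of a data: URL. The request URL, attribute text and the "third slash" rule for remote URLs are constructed for the example.

```javascript
// Added illustration of the XSS Auditor's snippet-for-matching step for a
// src-like attribute. Not WebKit's code; the truncation rules are assumptions
// modelling the ChangeLog's description.

// Assumption: percent-decoding stands in for WebKit's fuller decoding
// (HTML entities, page charset) of both the token and the URL.
function fullyDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed escapes are left as they are
  }
}

// attrSource is the token text from the attribute name through the end of
// its value, e.g. 'src=data:,alert(1)//page_text'. `fixed` selects the
// post-patch rule.
function snippetForSrcAttribute(attrSource, fixed) {
  const decoded = fullyDecode(attrSource);
  const valueStart = decoded.indexOf('=') + 1;
  const value = decoded.slice(valueStart);
  const isDataUrl = /^\s*data:/i.test(value);
  let slashCount = 0;
  let commaSeen = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    // Assumed pre-existing rule for remote URLs: anything after '?', '#'
    // or the third slash may be page text that the attacker's server
    // simply ignores, so it must not be required to appear in the URL.
    let cut = c === '?' || c === '#';
    if (c === '/' || c === '\\') {
      slashCount++;
      // Modelled fix: in a data: URL the script payload starts after the
      // first comma, and the first slash after it can open a '//' or '/*'
      // comment that swallows trailing page text, so matching stops there.
      if (slashCount > 2 || (fixed && isDataUrl && commaSeen)) cut = true;
    }
    if (cut) return decoded.slice(0, valueStart + i);
    if (c === ',') commaSeen = true;
  }
  return decoded;
}

// The auditor treats the script as reflected (and blocks it) when the
// snippet occurs verbatim in the decoded request URL.
function isReflected(snippet, requestUrl) {
  return fullyDecode(requestUrl).includes(snippet);
}

// Constructed scenario: the victim page echoes q unescaped, and the
// attacker's unquoted src value runs on into page text absent from the URL.
const REQUEST_URL =
  'http://victim.example/page?q=%3Cscript%20src%3Ddata%3A%2Calert(1)%2F%2F';
const ATTR_SOURCE = 'src=data:,alert(1)//page_text_here';

function auditorVerdicts() {
  const before = snippetForSrcAttribute(ATTR_SOURCE, false);
  const after = snippetForSrcAttribute(ATTR_SOURCE, true);
  return {
    before: { snippet: before, blocked: isReflected(before, REQUEST_URL) },
    after: { snippet: after, blocked: isReflected(after, REQUEST_URL) },
  };
}

console.log(auditorVerdicts());
```

Before the modelled fix the snippet is the whole `src=data:,alert(1)//page_text_here`, which the URL does not contain, so the script is not blocked; after it the snippet is cut to `src=data:,alert(1)`, which the URL does contain, so it is. The same shortening idea is why remote URLs were already cut at `?`, `#` or the third slash: the auditor must match only the part the attacker had to put in the URL.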