[XSS Auditor] Truncate data URLs at quotes
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Sep 2016 21:33:20 +0000 (21:33 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Sep 2016 21:33:20 +0000 (21:33 +0000)
commite4a4d7849314ebf45e79cb7c52ff1f32826fddd2
tree5dd3ab06ac5ee0071c877b860905de08163aede4
parentb25355dc46f0ab5766e1de881a6e29d1d475eaf5
[XSS Auditor] Truncate data URLs at quotes
https://bugs.webkit.org/show_bug.cgi?id=161937

Reviewed by David Kilzer.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>

Truncate a data URL at the first single or double quote character to avoid considering
characters that may come from the page content following an injected data URL.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html

* html/parser/XSSAuditor.cpp:
(WebCore::truncateForSrcLikeAttribute):

LayoutTests:

* http/tests/security/xssAuditor/resources/echo-property.pl:
* http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@206276 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp