Fix xssauditor bypass with unterminated closing tag by making the HTMLSourceTracker
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Sep 2011 18:59:21 +0000 (18:59 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Sep 2011 18:59:21 +0000 (18:59 +0000)
commit: ea0a0fabb5b4a317f7ef528f2ee0d57e0f6b1e94
tree: b5adabeb78bf878da99263197e771c254d836873
parent: 90283c61ed7f3516ddbc1b765e2888a87c9fb032
Fix xssauditor bypass with unterminated closing tag by making the HTMLSourceTracker
and the HTMLParser interact more closely with each other.  HTMLParser should be
setting the end range for the token itself to account for buffering that the
HTMLSourceTracker can't know about, but there are a lot of paths that would need
updating. First step is to cover this one path.
https://bugs.webkit.org/show_bug.cgi?id=68281

Patch by Tom Sepez <tsepez@chromium.org> on 2011-09-19
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html

* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::end):
* html/parser/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::nextToken):

LayoutTests:

* http/tests/security/xssAuditor/resources/echo-intertag.pl:
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLSourceTracker.cpp
Source/WebCore/html/parser/HTMLTokenizer.cpp