and the HTMLParser interact more closely with each other. HTMLParser should be
setting the end range for the token itself to account for buffering that the
HTMLSourceTracker can't know about, but there are a lot of paths that would need
updating. First step is to cover this one path.
https://bugs.webkit.org/show_bug.cgi?id=68281
Patch by Tom Sepez <tsepez@chromium.org> on 2011-09-19
Reviewed by Adam Barth.
Source/WebCore:
Test: http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html
* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::end):
* html/parser/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::nextToken):
LayoutTests:
* http/tests/security/xssAuditor/resources/echo-intertag.pl:
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2011-09-19 Tom Sepez <tsepez@chromium.org>
+
+ Fix xssauditor bypass with unterminated closing tag by making the HTMLSourceTracker
+ and the HTMLParser interact more closely with each other. HTMLParser should be
+ setting the end range for the token itself to account for buffering that the
+ HTMLSourceTracker can't know about, but there are a lot of paths that would need
+ updating. First step is to cover this one path.
+ https://bugs.webkit.org/show_bug.cgi?id=68281
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+ * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html: Added.
+
2011-09-19 Dmitry Lomov <dslomov@google.com>
[Chromium] Rebaseline expectations and file WK68372.
}
print "<body>\n";
print $cgi->param('q');
+if ($cgi->param('clutter')) {
+ print $cgi->param('clutter');
+}
if ($cgi->param('notifyDone')) {
print "<script>\n";
print "if (window.layoutTestController)\n";
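Review bot: the new `clutter` parameter is echoed into the response unescaped, exactly like `q` two lines above it, and it is printed after `q`, so its markup lands immediately behind whatever the reflected payload ends with. That is what the test needs, but a one-line comment above the new block, saying that both parameters are reflected on purpose and that `clutter` exists to append content after the reflected `q`, would keep someone from "fixing" the missing escaping later.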
--- /dev/null
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20<i><b>&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))</script">
+</iframe>
+</body>
+</html>
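Review bot: the `"` after `</script` in the iframe `src` is the attribute delimiter, not part of the payload, so the `q` parameter actually requested ends at `</script` with no `>`; with `clutter=%20<i><b>` printed right after it by echo-intertag.pl, the response reads `</script <i><b>`, which is the unterminated closing tag the ChangeLog describes. That is easy to misread, so an HTML comment in the test spelling out the resulting response fragment and why `clutter` is needed would help the next person who has to rebaseline this. The test also only exercises the `<script>` case, which matches the "first step" scope in the ChangeLog; naming the remaining cases in that comment would make the follow-up obvious.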
+2011-09-19 Tom Sepez <tsepez@chromium.org>
+
+ Fix xssauditor bypass with unterminated closing tag by making the HTMLSourceTracker
+ and the HTMLParser interact more closely with each other. HTMLParser should be
+ setting the end range for the token itself to account for buffering that the
+ HTMLSourceTracker can't know about, but there are a lot of paths that would need
+ updating. First step is to cover this one path.
+ https://bugs.webkit.org/show_bug.cgi?id=68281
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag.html
+
+ * html/parser/HTMLSourceTracker.cpp:
+ (WebCore::HTMLSourceTracker::end):
+ * html/parser/HTMLTokenizer.cpp:
+ (WebCore::HTMLTokenizer::nextToken):
+
2011-09-19 Peter Rybin <peter.rybin@gmail.com>
TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLToken& token)
{
m_cachedSourceForToken = String();
- // FIXME: This work should really be done by the HTMLTokenizer.
- token.end(input.current().numberOfCharactersConsumed());
+
+ // FIXME: This work should really be done by the HTMLTokenizer in all cases,
+ // instead of the few cases where it explicitly steps in to correct values
+ // known to be wrong in face of its internal buffering.
+ if (!token.endIndex())
+ token.end(input.current().numberOfCharactersConsumed());
}
String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
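Review bot: `if (!token.endIndex())` uses 0 as the "not set yet" sentinel, which only works because no token can end at offset 0 and because the tokenizer currently records an end index for just one state; both assumptions are implicit here. Please confirm that the end index is reset when the token is cleared for reuse, otherwise a stale non-zero value carried over from the previous token would make this branch skip and leave a wrong range in place. A short comment stating the sentinel, or a named predicate on HTMLToken instead of the bare zero test, would make the contract explicit.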
END_STATE()
HTML_BEGIN_STATE(ScriptDataState) {
- if (cc == '<')
+ if (cc == '<') {
+ // Token might end here. If not, we'll come through here again
+ // and update the end location again.
+ m_token->end(source.numberOfCharactersConsumed());
HTML_ADVANCE_TO(ScriptDataLessThanSignState);
+ }
else if (cc == InputStreamPreprocessor::endOfFileMarker)
return emitEndOfFile(source);
else {
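Review bot: `m_token->end(source.numberOfCharactersConsumed())` is now recorded at every `<` in script data, and HTMLSourceTracker::end no longer overrides a non-zero value, so please check the end-of-file path right below (`return emitEndOfFile(source)`): for script content such as `a<b` with no closing tag, the last recorded end sits at that `<`, and nothing after it updates the range before the token is emitted, so the tracked source would stop short of the real end. Since only ScriptDataState is covered, and the ChangeLog calls this a first step, a FIXME here naming the remaining raw-text states would help the follow-up. Style: now that the `if` branch has braces, the `else if` arm should be braced as well, per the WebKit rule that all parts of an if/else chain use braces once one of them does.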