commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=90667

Patch by Christophe Dumez <christophe.dumez@intel.com> on 2012-11-08
Reviewed by Benjamin Poulain.

Source/JavaScriptCore:

Escape quotation mark as &quot; in argument values to:
- String.prototype.anchor(name)
- String.prototype.fontcolor(color)
- String.prototype.fontsize(size)
- String.prototype.link(href)

This behavior matches Chromium/V8 and Firefox/Spidermonkey
implementations and is required by:
http://mathias.html5.org/specs/javascript/#escapeattributevalue

This also fixes a potential security risk (XSS vector).

* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):

LayoutTests:

Add layout test coverage for the following String.prototype methods:
- String.prototype.anchor(name)
- String.prototype.fontcolor(color)
- String.prototype.fontsize(size)
- String.prototype.link(href)

Those tests also check that the quotation mark is correctly escaped
in argument values to prevent potential exploits.

* fast/js/string-anchor-expected.txt: Added.
* fast/js/string-anchor.html: Added.
* fast/js/string-fontcolor-expected.txt: Added.
* fast/js/string-fontcolor.html: Added.
* fast/js/string-fontsize-expected.txt: Added.
* fast/js/string-fontsize.html: Added.
* fast/js/string-link-expected.txt: Added.
* fast/js/string-link.html: Added.
* platform/chromium/TestExpectations: Skip new tests for chromium port due to
http://code.google.com/p/v8/issues/detail?id=2218

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133966 268f45cc-cd09-0410-ab3c-d52691b4dbfc
5f051eb4
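
The escaping rule the commit message describes, as an added example that is not WebKit's code or its layout tests: a small reference model of the quotation-mark escaping, compared against the running engine's four methods. The helper names (`escapeAttributeValue`, `createHTML`, `checkEngine`) and the sample value are assumptions made for this illustration.

```javascript
// Reference model: every quotation mark in the argument becomes &quot;
// before the value is placed inside a double-quoted attribute.
function escapeAttributeValue(value) {
  return String(value).replace(/"/g, '&quot;');
}

function createHTML(text, tag, attribute, value) {
  return '<' + tag + ' ' + attribute + '="' + escapeAttributeValue(value) +
         '">' + String(text) + '</' + tag + '>';
}

// The four methods named in the commit, with the tag and attribute each emits.
const METHODS = [
  { name: 'anchor',    tag: 'a',    attribute: 'name'  },
  { name: 'fontcolor', tag: 'font', attribute: 'color' },
  { name: 'fontsize',  tag: 'font', attribute: 'size'  },
  { name: 'link',      tag: 'a',    attribute: 'href'  },
];

// Count quotation marks in the opening tag. Exactly two (the attribute's own
// delimiters) means the argument stayed inside the attribute value.
// Only valid for samples without '>', like the one used below.
function quotesInOpeningTag(html) {
  const openingTag = html.slice(0, html.indexOf('>') + 1);
  return (openingTag.match(/"/g) || []).length;
}

// Run each built-in method on the sample and compare it with the model.
function checkEngine(sample) {
  return METHODS.map(({ name, tag, attribute }) => {
    const actual = 'text'[name](sample);
    return {
      name,
      actual,
      matchesModel: actual === createHTML('text', tag, attribute, sample),
      contained: quotesInOpeningTag(actual) === 2,
    };
  });
}

// Constructed sample: unescaped, it would close the attribute early and
// leave a second attribute in the tag.
const SAMPLE = 'red" data-injected="1';
for (const r of checkEngine(SAMPLE)) {
  console.log(r.name, r.contained ? 'contained' : 'BROKE OUT', r.actual);
}
```

An engine without the fix reports four quotation marks in the opening tag for this sample, so `contained` is false for each method.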