    [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values · 5f051eb4
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=90667
    
    Patch by Christophe Dumez <christophe.dumez@intel.com> on 2012-11-08
    Reviewed by Benjamin Poulain.
    
    Source/JavaScriptCore:
    
    Escape quotation mark as &quot; in argument values to:
    - String.prototype.anchor(name)
    - String.prototype.fontcolor(color)
    - String.prototype.fontsize(size)
    - String.prototype.link(href)
    
    This behavior matches Chromium/V8 and Firefox/Spidermonkey
    implementations and is required by:
    http://mathias.html5.org/specs/javascript/#escapeattributevalue
    
    This also fixes a potential security risk (XSS vector).
    
    * runtime/StringPrototype.cpp:
    (JSC::stringProtoFuncFontcolor):
    (JSC::stringProtoFuncFontsize):
    (JSC::stringProtoFuncAnchor):
    (JSC::stringProtoFuncLink):
    
    LayoutTests:
    
    Add layout test coverage for the following String.prototype methods:
    - String.prototype.anchor(name)
    - String.prototype.fontcolor(color)
    - String.prototype.fontsize(size)
    - String.prototype.link(href)
    
    Those tests also check that the quotation mark is correctly escaped
    in argument values to prevent potential exploits.
    
    * fast/js/string-anchor-expected.txt: Added.
    * fast/js/string-anchor.html: Added.
    * fast/js/string-fontcolor-expected.txt: Added.
    * fast/js/string-fontcolor.html: Added.
    * fast/js/string-fontsize-expected.txt: Added.
    * fast/js/string-fontsize.html: Added.
    * fast/js/string-link-expected.txt: Added.
    * fast/js/string-link.html: Added.
    * platform/chromium/TestExpectations: Skip new tests for chromium port due
    to http://code.google.com/p/v8/issues/detail?id=2218
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133966 268f45cc-cd09-0410-ab3c-d52691b4dbfc
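The escaping rule the commit describes, written out as an added reference implementation (this is not WebKit's code; the names `escapeAttributeValue`, `createHTML`, `htmlMethods` and `builtinMatchesReference` are ours). It follows the cited "escape attribute value" rule: every `"` in the attribute value becomes `&quot;`, and nothing else is touched. The last helper compares the reference against the running engine's built-in method, so it flags an engine that still emits the raw quote, which is the defect this change fixes.

```javascript
// Added example, not WebKit's code. A reference implementation of the
// helper behind String.prototype.anchor/fontcolor/fontsize/link, applying
// the "escape attribute value" rule the commit cites. All names are ours.

function escapeAttributeValue(value) {
  // The attribute is emitted inside double quotes, so `"` is the one
  // character that could terminate it early; it becomes &quot;.
  return String(value).replace(/"/g, "&quot;");
}

function createHTML(str, tag, attribute, value) {
  // Build <tag attribute="escaped value">str</tag>; str itself is not
  // escaped, matching the engine behaviour being described.
  let open = "<" + tag;
  if (attribute !== undefined) {
    open += " " + attribute + '="' + escapeAttributeValue(value) + '"';
  }
  return open + ">" + String(str) + "</" + tag + ">";
}

// The four methods the commit fixes, expressed through createHTML.
const htmlMethods = {
  anchor: (s, name) => createHTML(s, "a", "name", name),
  fontcolor: (s, color) => createHTML(s, "font", "color", color),
  fontsize: (s, size) => createHTML(s, "font", "size", size),
  link: (s, href) => createHTML(s, "a", "href", href),
};

// Check the engine's built-in method against the reference for one input.
// Returns false on an engine that leaves the quote unescaped.
function builtinMatchesReference(method, s, value) {
  const builtin = String.prototype[method].call(s, value);
  return builtin === htmlMethods[method](s, value);
}

// Constructed sample value: a quote followed by text that would otherwise
// read as a second attribute once the quote closed the first one.
const SAMPLE_VALUE = 'foo" class="bar';

function demo() {
  const escaped = htmlMethods.anchor("x", SAMPLE_VALUE);
  // With escaping, the whole value stays inside the name attribute:
  // <a name="foo&quot; class=&quot;bar">x</a>
  const allMatch = Object.keys(htmlMethods).every((m) =>
    builtinMatchesReference(m, "x", SAMPLE_VALUE)
  );
  return { escaped, allMatch };
}

console.log(demo());
```

Running the block on a current engine prints the escaped markup and `allMatch: true`; an engine that predates this fix would print `false` for the affected methods.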