-
abarth@webkit.org authored
Reviewed by Darin Adler. https://bugs.webkit.org/show_bug.cgi?id=29306 Tests that scripts with accented characters do not bypass the XSSAuditor. * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added. * http/tests/security/xssAuditor/img-onerror-accented-char.html: Added. 2009-09-16 Daniel Bates <dbates@webkit.org> Reviewed by Darin Adler. https://bugs.webkit.org/show_bug.cgi?id=29306 Fixes an issue where an attack that contains accented characters can bypass the XSSAuditor. XSSAuditor::decodeURL used the wrong length for the input string. When the input string was decoded, the decoded result was truncated. Hence, XSSAuditor was comparing the source code of the script to the truncated input parameters. Test: http/tests/security/xssAuditor/img-onerror-accented-char.html * page/XSSAuditor.cpp: (WebCore::XSSAuditor::decodeURL): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
b407e41b