Skip to content
  • abarth@webkit.org's avatar
    2009-09-16 Daniel Bates <dbates@webkit.org> · b407e41b
    abarth@webkit.org authored
            Reviewed by Darin Adler.
    
            https://bugs.webkit.org/show_bug.cgi?id=29306
    
            Tests that scripts with accented characters do not bypass the XSSAuditor.
    
            * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added.
            * http/tests/security/xssAuditor/img-onerror-accented-char.html: Added.
    2009-09-16  Daniel Bates  <dbates@webkit.org>
    
            Reviewed by Darin Adler.
    
            https://bugs.webkit.org/show_bug.cgi?id=29306
    
            Fixes an issue where an attack that contains accented characters can
            bypass the XSSAuditor.
    
            XSSAuditor::decodeURL used the wrong length for the input string.
            When the input string was decoded, the decoded result was truncated.
            Hence, XSSAuditor was comparing the source code of the script to the
            truncated input parameters.
    
            Test: http/tests/security/xssAuditor/img-onerror-accented-char.html
    
            * page/XSSAuditor.cpp:
            (WebCore::XSSAuditor::decodeURL):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    b407e41b