dbates@webkit.org authored
Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=29944

Reduces false positives in the XSSAuditor by explicitly allowing requests that do not contain illegal URI characters.

As a side effect of this change, the tests property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html fail because these attacks do not contain any illegal URI characters and thus are now allowed by the XSSAuditor, where previously they weren't. A future change may reinstate this functionality.

Tests: http/tests/security/xssAuditor/script-tag-safe2.html
       http/tests/security/xssAuditor/script-tag-safe3.html

* page/XSSAuditor.cpp:
(WebCore::isIllegalURICharacter): Added method.
(WebCore::XSSAuditor::canEvaluate):
(WebCore::XSSAuditor::canCreateInlineEventListener):
(WebCore::XSSAuditor::findInRequest): Added parameter allowRequestIfNoIllegalURICharacters.
* page/XSSAuditor.h:

2009-09-30  Daniel Bates  <dbates@webkit.org>

Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=29944

Tests that the XSSAuditor allows requests that do not contain illegal URI characters.

Added a notice regarding the failure of tests property-inject.html, property-escape-noquotes.html and property-escape-noquotes-tab-slash-chars.html, and rebased the expected results of these tests.

* http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
* http/tests/security/xssAuditor/property-escape-noquotes.html:
* http/tests/security/xssAuditor/property-inject-expected.txt:
* http/tests/security/xssAuditor/property-inject.html:
* http/tests/security/xssAuditor/resources/safe-script-noquotes.js: Added.
* http/tests/security/xssAuditor/resources/script-tag-safe2.html: Added.
* http/tests/security/xssAuditor/resources/script-tag-safe3.html: Added.
* http/tests/security/xssAuditor/script-tag-safe2-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-safe2.html: Added.
* http/tests/security/xssAuditor/script-tag-safe3-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-safe3.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
c1377e2a
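An added illustration, not WebKit's code, of the allow-if-no-illegal-URI-characters fast path the commit message describes, including the trade-off it notes: a request made only of legal URI characters is let through without inspection. The legality rule (RFC 3986 unreserved and reserved characters plus '%') and the sample request strings are assumptions; WebKit's actual isIllegalURICharacter may use a different set, and the function names are reused here only for readability.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Assumed legality rule (not WebKit's): a byte is a legal raw URI character
// if it is in RFC 3986's unreserved or reserved sets, or is the '%' used for
// percent-encoding. Everything else (space, '<', '>', '"', tab, other control
// characters) is treated as illegal.
bool isIllegalURICharacter(unsigned char c)
{
    if (std::isalnum(c))
        return false;
    static const std::string allowedPunctuation = "-._~:/?#[]@!$&'()*+,;=%";
    return allowedPunctuation.find(static_cast<char>(c)) == std::string::npos;
}

// The fast path the commit describes: if no byte of the request is an illegal
// URI character, the request is allowed without any further matching.
bool allowRequestIfNoIllegalURICharacters(const std::string& request)
{
    for (unsigned char c : request) {
        if (isIllegalURICharacter(c))
            return false;
    }
    return true;
}

int main()
{
    // Constructed sample inputs, not payloads from the WebKit test suite.
    const std::string samples[] = {
        "q=hello+world",          // ordinary query: allowed (false positive avoided)
        "q=<script>x()</script>", // markup: '<' and '>' are illegal, so still inspected
        "q=x();y()",              // unquoted script-context text: only legal characters,
                                  // so allowed; the false negative the message notes
    };
    for (const std::string& s : samples) {
        std::cout << (allowRequestIfNoIllegalURICharacters(s) ? "allowed  " : "inspected")
                  << "  " << s << '\n';
    }
    return 0;
}
```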