abarth@webkit.org authored
Reviewed by Daniel Bates.

Fix xssAuditor/iframe-injection.html
https://bugs.webkit.org/show_bug.cgi?id=54591

Update expected results to show that we pass.

* http/tests/security/xssAuditor/iframe-injection-expected.txt:

2011-02-19 Adam Barth <abarth@webkit.org>

Reviewed by Daniel Bates.

Fix xssAuditor/iframe-injection.html
https://bugs.webkit.org/show_bug.cgi?id=54591

We should block the iframe src attribute. Although this technically
can't be used to run script, it's a pretty easy vector for stealing
passwords.

* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::filterTokenInitial):
(WebCore::XSSFilter::filterIframeToken):
* html/parser/XSSFilter.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@79106 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cc988496