Commit 631b400f authored by apavlov@chromium.org's avatar apavlov@chromium.org

Web Inspector: inspector follows javascript: hrefs as relative

https://bugs.webkit.org/show_bug.cgi?id=72373

Source/WebCore:

javascript: hrefs should never be linkified for security.

Reviewed by Yury Semikhatsky.

* inspector/front-end/ElementsTreeOutline.js:
(WebInspector.ElementsTreeElement.prototype._buildAttributeDOM):
* inspector/front-end/ResourceUtils.js:
(WebInspector.completeURL):

LayoutTests:

Reviewed by Yury Semikhatsky.

* inspector/styles/styles-url-linkify-expected.txt:
* inspector/styles/styles-url-linkify.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@100588 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ad1471d5
2011-11-16 Alexander Pavlov <apavlov@chromium.org>
Web Inspector: inspector follows javascript: hrefs as relative
https://bugs.webkit.org/show_bug.cgi?id=72373
Reviewed by Yury Semikhatsky.
* inspector/styles/styles-url-linkify-expected.txt:
* inspector/styles/styles-url-linkify.html:
2011-11-17 Dominic Mazzoni <dmazzoni@google.com>
Accessibility: Chromium requires an AX notification when an iframe loads.
Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643
Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643, 72373
URLs completed:
......@@ -13,6 +13,8 @@ http://example.com/moo
http://example.com/foo?a=b
http://example.com/foo?a=b
data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=
javascript:alert('foo');
null
Link for a URI from CSS document:
webkit-html-resource-link inspector/styles/resources/fromcss.png
Link for a URI from iframe inline stylesheet:
......
......@@ -27,6 +27,8 @@ function test()
const dataURL = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=";
completeURL("https://example.com/foo", dataURL);
completeURL("http://example.com/foo", "javascript:alert('foo');");
InspectorTest.addResult(WebInspector.resourceURLForRelatedNode(null, " javascript:alert('foo'); "));
function dumpHref(dumpLinkClass)
{
......@@ -81,7 +83,7 @@ function test()
</head>
<body onload="runAfterIframeIsLoaded()">
<p>
Tests that URLs are linked to and completed correctly. Bugs <a href="http://bugs.webkit.org/show_bug.cgi?id=51663">51663</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=53171">53171</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=62643">62643</a>
Tests that URLs are linked to and completed correctly. Bugs <a href="http://bugs.webkit.org/show_bug.cgi?id=51663">51663</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=53171">53171</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=62643">62643</a>, <a href="http://bugs.webkit.org/show_bug.cgi?id=72373">72373</a>
</p>
<div id="local"></div>
<iframe src="resources/styles-url-linkify-iframe.html"></iframe>
......
2011-11-16 Alexander Pavlov <apavlov@chromium.org>
Web Inspector: inspector follows javascript: hrefs as relative
https://bugs.webkit.org/show_bug.cgi?id=72373
javascript: hrefs should never be linkified for security.
Reviewed by Yury Semikhatsky.
* inspector/front-end/ElementsTreeOutline.js:
(WebInspector.ElementsTreeElement.prototype._buildAttributeDOM):
* inspector/front-end/ResourceUtils.js:
(WebInspector.completeURL):
2011-11-17 Nikolas Zimmermann <nzimmermann@rim.com>
Not reviewed. Fix 32bit builds.
......@@ -1467,7 +1467,11 @@ WebInspector.ElementsTreeElement.prototype = {
if (linkify && (name === "src" || name === "href")) {
var rewrittenHref = WebInspector.resourceURLForRelatedNode(node, value);
value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");
attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
if (rewrittenHref === null) {
var attrValueElement = attrSpanElement.createChild("span", "webkit-html-attribute-value");
attrValueElement.textContent = value;
} else
attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
} else {
value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");
var attrValueElement = attrSpanElement.createChild("span", "webkit-html-attribute-value");
......
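Review bot: The new `rewrittenHref === null` branch carries no comment saying why the attribute value is rendered as plain text, and it repeats the span creation that the outer `else` branch already does. A short comment such as `// javascript: hrefs get no resource URL; show the value as text, never as a link.` would keep a later cleanup from folding this case back into `linkify`. The strict `=== null` comparison also means the protection depends on `resourceURLForRelatedNode` never returning `undefined` for a rejected URL. The tail of that function is not visible here, so this is worth confirming. `_buildAttributeDOM` starts and ends outside this hunk.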
......@@ -220,11 +220,17 @@ WebInspector.linkifyResourceAsNode = function(url, lineNumber, classes, tooltipT
return anchor;
}
/**
* @return {?string} null if the specified resource MUST NOT have a URL (e.g. "javascript:...")
*/
WebInspector.resourceURLForRelatedNode = function(node, url)
{
if (!url || url.indexOf("://") > 0)
return url;
if (url.trim().indexOf("javascript:") === 0)
return null; // Do not provide a resource URL for security.
for (var frameOwnerCandidate = node; frameOwnerCandidate; frameOwnerCandidate = frameOwnerCandidate.parentNode) {
if (frameOwnerCandidate.documentURL) {
var result = WebInspector.completeURL(frameOwnerCandidate.documentURL, url);
......@@ -280,7 +286,12 @@ WebInspector.completeURL = function(baseURL, href)
if (href) {
// Return absolute URLs as-is.
var parsedHref = href.asParsedURL();
if ((parsedHref && parsedHref.scheme) || href.indexOf("data:") === 0)
if (parsedHref && parsedHref.scheme)
return href;
// Return special URLs as-is.
var trimmedHref = href.trim();
if (trimmedHref.indexOf("data:") === 0 || trimmedHref.indexOf("javascript:") === 0)
return href;
}
......
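Review bot: The `javascript:` check added to `resourceURLForRelatedNode` is a case-sensitive prefix match that runs after the `url.indexOf("://") > 0` early return, so a mixed-case scheme, or a javascript: value that also contains `://`, is still returned as a URL and can reach `linkify`. Running the check first and making it case-insensitive, e.g. `if (/^\s*javascript:/i.test(url)) return null;`, covers both cases. Browsers also ignore tabs and newlines inside a scheme, so comparing a normalised scheme would be more robust than a prefix test. The `completeURL` hunk uses the same case-sensitive `indexOf("javascript:")` and returns such hrefs as-is, so any caller that linkifies `completeURL` output directly has to filter them itself. The test added in styles-url-linkify.html exercises only the lowercase form. Both function bodies continue outside the hunks.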