Commit cc988496 authored by abarth@webkit.org

2011-02-19 Adam Barth <abarth@webkit.org>

        Reviewed by Daniel Bates.

        Fix xssAuditor/iframe-injection.html
        https://bugs.webkit.org/show_bug.cgi?id=54591

        Update expected results to show that we pass.

        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
2011-02-19  Adam Barth  <abarth@webkit.org>

        Reviewed by Daniel Bates.

        Fix xssAuditor/iframe-injection.html
        https://bugs.webkit.org/show_bug.cgi?id=54591

        We should block the iframe src attribute.  Although this technically
        can't be used to run script, it's a pretty easy vector for stealing
        passwords.

        * html/parser/XSSFilter.cpp:
        (WebCore::XSSFilter::filterTokenInitial):
        (WebCore::XSSFilter::filterIframeToken):
        * html/parser/XSSFilter.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@79106 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c2d86fcc
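The mechanism this commit relies on is the auditor's reflection check: an attribute is erased when its value is found verbatim in the request that produced the page. The following is an added model of that check, written for this page; it is not WebKit's code. The `StartTag`/`Attribute` structs, the percent-decoding helper, the lowercase matching and the sample request URLs are all assumptions made for the illustration, and it leaves out the length and position safeguards a real filter needs (a value as short as `/` would otherwise match nearly any request).

```cpp
// Added illustration for this commit, not WebKit source: a small model of the
// reflection check that filterIframeToken delegates to eraseAttributeIfInjected.
// Struct shapes, helper names and sample requests are simplifying assumptions.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

struct Attribute {
    std::string name;
    std::string value;
};

// Minimal stand-in for an HTMLToken start tag (assumption: only name + attributes).
struct StartTag {
    std::string name;
    std::vector<Attribute> attributes;
};

// Percent-decode a URL so the query string reads as the server saw it; '+' becomes a space.
std::string percentDecode(const std::string& in)
{
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (in[i] == '+') {
            out += ' ';
        } else {
            out += in[i];
        }
    }
    return out;
}

// Attribute names and URLs are compared after lowercasing (assumption of this model).
std::string toLower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when the attribute value appears verbatim in the decoded request, i.e. the
// server echoed attacker-controlled input straight back into markup.
bool foundInRequest(const std::string& value, const std::string& decodedRequest)
{
    return !value.empty() && toLower(decodedRequest).find(toLower(value)) != std::string::npos;
}

// Model of eraseAttributeIfInjected: drop the named attribute if it was reflected.
// The element itself stays; only the attribute is removed.
bool eraseAttributeIfInjected(StartTag& token, const std::string& attrName, const std::string& decodedRequest)
{
    bool erased = false;
    auto& attrs = token.attributes;
    for (auto it = attrs.begin(); it != attrs.end();) {
        if (toLower(it->name) == attrName && foundInRequest(it->value, decodedRequest)) {
            it = attrs.erase(it);
            erased = true;
        } else {
            ++it;
        }
    }
    return erased;
}

// Counterpart of the patched WebCore::XSSFilter::filterIframeToken: only src is examined.
bool filterIframeToken(StartTag& token, const std::string& decodedRequest)
{
    if (toLower(token.name) != "iframe")
        return false;
    return eraseAttributeIfInjected(token, "src", decodedRequest);
}

// Scenario 1 (constructed): the echo page reflects ?q= into the body, so the framed
// attacker login page shows up both in the request and in the parsed token.
bool injectedIframeSrcIsStripped()
{
    const std::string request = percentDecode(
        "http://127.0.0.1:8000/security/xssAuditor/echo?q="
        "%3Ciframe%20src%3D%22http%3A//attacker.example/login%22%3E%3C/iframe%3E");
    StartTag token{"iframe", {{"src", "http://attacker.example/login"}}};
    bool blocked = filterIframeToken(token, request);
    return blocked && token.attributes.empty();
}

// Scenario 2 (constructed): a frame the page itself emits; its src never appears in
// the request, so it must survive untouched.
bool legitimateIframeSrcIsKept()
{
    const std::string request = percentDecode("http://127.0.0.1:8000/security/xssAuditor/echo?q=hello+world");
    StartTag token{"iframe", {{"src", "/static/widget.html"}}};
    bool blocked = filterIframeToken(token, request);
    return !blocked && token.attributes.size() == 1 && token.attributes[0].value == "/static/widget.html";
}

int main()
{
    return (injectedIframeSrcIsStripped() && legitimateIframeSrcIsKept()) ? 0 : 1;
}
```

The two scenarios are the boundary a practitioner cares about: the reflected `src` is erased and the tag is left in place as an empty frame, while a frame the page emits on its own, whose URL is absent from the request, is not touched.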
2011-02-19 Adam Barth <abarth@webkit.org>
Reviewed by Daniel Bates.
Fix xssAuditor/iframe-injection.html
https://bugs.webkit.org/show_bug.cgi?id=54591
Update expected results to show that we pass.
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
2011-02-18 Andrew Wilson <atwilson@chromium.org>
Unreviewed test expectations fix.
......
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
2011-02-19 Adam Barth <abarth@webkit.org>
Reviewed by Daniel Bates.
Fix xssAuditor/iframe-injection.html
https://bugs.webkit.org/show_bug.cgi?id=54591
We should block the iframe src attribute. Although this technically
can't be used to run script, it's a pretty easy vector for stealing
passwords.
* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::filterTokenInitial):
(WebCore::XSSFilter::filterIframeToken):
* html/parser/XSSFilter.h:
2011-02-18 Tony Gentilcore <tonyg@chromium.org>
Reviewed by Eric Seidel.
......
......@@ -245,6 +245,8 @@ bool XSSFilter::filterTokenInitial(HTMLToken& token)
didBlockScript |= filterEmbedToken(token);
else if (hasName(token, appletTag))
didBlockScript |= filterAppletToken(token);
else if (hasName(token, iframeTag))
didBlockScript |= filterIframeToken(token);
else if (hasName(token, metaTag))
didBlockScript |= filterMetaToken(token);
else if (hasName(token, baseTag))
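Review bot: the new `else if (hasName(token, iframeTag))` arm is consistent with the embed and applet arms, but it feeds `didBlockScript`, and by the ChangeLog's own account an iframe `src` cannot run script; either rename the accumulator to something like `didBlock`, or leave a one-line comment at this branch so the flag's name does not mislead the next reader.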
......@@ -353,6 +355,15 @@ bool XSSFilter::filterAppletToken(HTMLToken& token)
return didBlockScript;
}
bool XSSFilter::filterIframeToken(HTMLToken& token)
{
ASSERT(m_state == Initial);
ASSERT(token.type() == HTMLToken::StartTag);
ASSERT(hasName(token, iframeTag));
return eraseAttributeIfInjected(token, srcAttr);
}
bool XSSFilter::filterMetaToken(HTMLToken& token)
{
ASSERT(m_state == Initial);
......
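Review bot: `filterIframeToken` carries no comment explaining why `src` is erased, and the ChangeLog rationale (an injected iframe `src` blocks no script but is an easy phishing vector) lives only in the commit; put that sentence above the function so it is not later dropped as redundant with the script-blocking filters. It is also worth stating in the same comment that, as with the embed and applet filters, only the attribute is removed via `eraseAttributeIfInjected(token, srcAttr)` and the `<iframe>` element itself still renders, as an empty frame.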
......@@ -58,6 +58,7 @@ private:
bool filterParamToken(HTMLToken&);
bool filterEmbedToken(HTMLToken&);
bool filterAppletToken(HTMLToken&);
bool filterIframeToken(HTMLToken&);
bool filterMetaToken(HTMLToken&);
bool filterBaseToken(HTMLToken&);
bool filterFormToken(HTMLToken&);
......