<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[194982] trunk/Source/WebCore</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/194982">194982</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-13 13:45:07 -0800 (Wed, 13 Jan 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cleanup: XSS Auditor should avoid re-evaluating the parsed script tag
https://bugs.webkit.org/show_bug.cgi?id=152870

Patch by Daniel Bates &lt;dabates@apple.com&gt; on 2016-01-13
Reviewed by Brent Fulgham.

Merged from Blink (patch by Tom Sepez &lt;tsepez@chromium.org&gt;):
&lt;https://src.chromium.org/viewvc/blink?revision=154354&amp;view=revision&gt;

Although the XSS Auditor caches the decoded start tag of a script as an optimization to
avoid decoding it again when filtering the character data of the script, it is sufficient
to cache whether the HTTP response contains the decoded start tag of a script. This
avoids both decoding the start tag of a script and determining whether the HTTP response
contains it again when filtering the character data of the script. Moreover, this removes
the need to cache a string object.

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::filterCharacterToken):
(WebCore::XSSAuditor::filterScriptToken):
* html/parser/XSSAuditor.h:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorcpp">trunk/Source/WebCore/html/parser/XSSAuditor.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorh">trunk/Source/WebCore/html/parser/XSSAuditor.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (194981 => 194982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-01-13 21:32:44 UTC (rev 194981)
+++ trunk/Source/WebCore/ChangeLog        2016-01-13 21:45:07 UTC (rev 194982)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-01-13  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        Cleanup: XSS Auditor should avoid re-evaluating the parsed script tag
+        https://bugs.webkit.org/show_bug.cgi?id=152870
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez &lt;tsepez@chromium.org&gt;):
+        &lt;https://src.chromium.org/viewvc/blink?revision=154354&amp;view=revision&gt;
+
+        Although the XSS Auditor caches the decoded start tag of a script as an optimization to
+        avoid decoding it again when filtering the character data of the script, it is sufficient
+        to cache whether the HTTP response contains the decoded start tag of a script. This
+        avoids both decoding the start tag of a script and determining whether the HTTP response
+        contains it again when filtering the character data of the script. Moreover, this removes
+        the need to cache a string object.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::filterCharacterToken):
+        (WebCore::XSSAuditor::filterScriptToken):
+        * html/parser/XSSAuditor.h:
+
</ins><span class="cx"> 2016-01-13  Commit Queue  &lt;commit-queue@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r194963.
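Review bot: the ChangeLog entry states that caching the boolean is "sufficient" but does not say why; a sentence noting that filterCharacterToken only ever consulted the cached snippet through isContainedInRequest (never its contents) would make the equivalence argument explicit for future readers.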
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserXSSAuditorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (194981 => 194982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp        2016-01-13 21:32:44 UTC (rev 194981)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp        2016-01-13 21:45:07 UTC (rev 194982)
</span><span class="lines">@@ -388,7 +388,7 @@
</span><span class="cx"> bool XSSAuditor::filterCharacterToken(const FilterTokenRequest&amp; request)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(m_scriptTagNestingLevel);
</span><del>-    if (isContainedInRequest(m_cachedDecodedSnippet) &amp;&amp; isContainedInRequest(decodedSnippetForJavaScript(request))) {
</del><ins>+    if (m_wasScriptTagFoundInRequest &amp;&amp; isContainedInRequest(decodedSnippetForJavaScript(request))) {
</ins><span class="cx">         request.token.clear();
</span><span class="cx">         LChar space = ' ';
</span><span class="cx">         request.token.appendToCharacter(space); // Technically, character tokens can't be empty.
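Review bot: the short-circuit order is preserved here: `m_wasScriptTagFoundInRequest` is tested before `isContainedInRequest(decodedSnippetForJavaScript(request))`, so the JavaScript snippet is still decoded and searched only when the script start tag was found in the request, which is the intent stated in the ChangeLog. The flag's value is only meaningful for the script whose start tag was most recently filtered; the existing `ASSERT(m_scriptTagNestingLevel)` guards entry, but a short comment above the `if` saying the flag is set in `filterScriptToken` would make the coupling explicit.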
</span><span class="lines">@@ -402,10 +402,10 @@
</span><span class="cx">     ASSERT(request.token.type() == HTMLToken::StartTag);
</span><span class="cx">     ASSERT(hasName(request.token, scriptTag));
</span><span class="cx"> 
</span><del>-    m_cachedDecodedSnippet = decodedSnippetForName(request);
</del><ins>+    m_wasScriptTagFoundInRequest = isContainedInRequest(decodedSnippetForName(request));
</ins><span class="cx"> 
</span><span class="cx">     bool didBlockScript = false;
</span><del>-    if (isContainedInRequest(decodedSnippetForName(request))) {
</del><ins>+    if (m_wasScriptTagFoundInRequest) {
</ins><span class="cx">         didBlockScript |= eraseAttributeIfInjected(request, srcAttr, blankURL().string(), SrcLikeAttribute);
</span><span class="cx">         didBlockScript |= eraseAttributeIfInjected(request, XLinkNames::hrefAttr, blankURL().string(), SrcLikeAttribute);
</span><span class="cx">     }
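Review bot: `decodedSnippetForName(request)` was previously evaluated twice on every script start tag (once to fill the cache, once in the `if`); computing `isContainedInRequest(...)` once into `m_wasScriptTagFoundInRequest` and branching on the flag removes the duplicate decode and the string copy. The assignment is unconditional, so each script start tag overwrites the flag; that matches the old behaviour of overwriting `m_cachedDecodedSnippet`, but with nested script tags (which `m_scriptTagNestingLevel` tracks) the flag only describes the innermost one, which is worth a comment.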
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserXSSAuditorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditor.h (194981 => 194982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditor.h        2016-01-13 21:32:44 UTC (rev 194981)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.h        2016-01-13 21:45:07 UTC (rev 194982)
</span><span class="lines">@@ -114,7 +114,7 @@
</span><span class="cx">     std::unique_ptr&lt;SuffixTree&lt;ASCIICodebook&gt;&gt; m_decodedHTTPBodySuffixTree;
</span><span class="cx"> 
</span><span class="cx">     State m_state;
</span><del>-    String m_cachedDecodedSnippet;
</del><ins>+    bool m_wasScriptTagFoundInRequest { false };
</ins><span class="cx">     unsigned m_scriptTagNestingLevel;
</span><span class="cx">     TextEncoding m_encoding;
</span><span class="cx"> };
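Review bot: replacing `String m_cachedDecodedSnippet` with `bool m_wasScriptTagFoundInRequest { false }` means any remaining reader of the old member fails to compile, which is the safety net this refactor needs. Style: this is the only member in the visible block with an in-class initializer; `m_state` and `m_scriptTagNestingLevel` are presumably set in the constructor, so either initialize the flag there for consistency or leave it as-is if the header already mixes both styles.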
</span></span></pre>
</div>
</div>

</body>
</html>