[webkit-reviews] review requested: [Bug 26899] XSSAuditor shouldn't strip control characters : [Attachment 32165] Patch with test
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jul 1 17:35:09 PDT 2009
Daniel Bates <dbates at berkeley.edu> has asked for review:
Bug 26899: XSSAuditor shouldn't strip control characters
https://bugs.webkit.org/show_bug.cgi?id=26899
Attachment 32165: Patch with test
https://bugs.webkit.org/attachment.cgi?id=32165&action=review
------- Additional Comments from Daniel Bates <dbates at berkeley.edu>
Upon further investigation, we need to remove null characters, since the
HTMLTokenizer does in processing scripts (i.e. the contents of
<script>al\0ert(1)</script> becomes alert(1) by the time it is passed to
XSSAuditor). Let me know if this change is better addressed in a separate bug.
More information about the webkit-reviews
mailing list