[webkit-reviews] review requested: [Bug 26921] [XSSAuditor] HTML entities can bypass xssAuditor : [Attachment 32602] Working patch with tests
bugzilla-daemon at webkit.org
Fri Jul 10 19:14:17 PDT 2009
Daniel Bates <dbates at berkeley.edu> has asked for review:
Bug 26921: [XSSAuditor] HTML entities can bypass xssAuditor
https://bugs.webkit.org/show_bug.cgi?id=26921
Attachment 32602: Working patch with tests
https://bugs.webkit.org/attachment.cgi?id=32602&action=review
------- Additional Comments from Daniel Bates <dbates at berkeley.edu>
Modified initial patch XSSAuditor::decodeHTMLEntities to more closely match the
functionality in HTMLTokenizer for handling illegal entities by not decoding
them (for example: HTMLTokenizer does not substitute '\0' for �, �, but
the PreloadScanner, used by XSSAuditor::decodeHTMLEntities, does). To get
similar behavior, I make a copy of SegmentedString |source| called sourceShadow
before calling the PreloadScanner. If the PreloadScanner returns an invalid
entity e == 0xFFFD, then I swap |source| and |sourceShadow|. Maybe there is a
more efficient way to achieve the same result?
The list of parameters to findInRequest, decodeURL are becoming unwieldy. The
code should be cleaned up, but this may be better to do in a separate bug.
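As an added illustration (not WebKit's code or the attached patch), a small C++ decoder for numeric character references that saves the scan position before each attempt and restores it when the reference is illegal, so such entities pass through undecoded rather than becoming U+FFFD:

```cpp
#include <cctype>
#include <cstdint>
#include <cstdlib>
#include <string>

// Append |cp| to |out| as UTF-8 (caller guarantees cp is a valid scalar value).
static void appendUtf8(std::string& out, uint32_t cp) {
    if (cp < 0x80) { out += static_cast<char>(cp); return; }
    if (cp < 0x800) { out += static_cast<char>(0xC0 | (cp >> 6)); }
    else if (cp < 0x10000) { out += static_cast<char>(0xE0 | (cp >> 12)); out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F)); }
    else { out += static_cast<char>(0xF0 | (cp >> 18)); out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F)); out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F)); }
    out += static_cast<char>(0x80 | (cp & 0x3F));
}

// Code points an HTML tokenizer refuses to decode: NUL, surrogates, > U+10FFFF.
static bool isIllegalCodePoint(uint32_t cp) {
    return cp == 0 || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF;
}

// Decode &#NNN; / &#xHHH; references in |in|.  The scan position is copied to
// |shadow| before each attempt (the role |sourceShadow| plays in the post); if
// the reference is malformed or illegal, the position is restored and the raw
// text is copied through untouched instead of being replaced by U+FFFD.
std::string decodeNumericEntities(const std::string& in) {
    std::string out;
    size_t pos = 0;
    while (pos < in.size()) {
        if (in[pos] != '&' || pos + 1 >= in.size() || in[pos + 1] != '#') { out += in[pos++]; continue; }
        size_t shadow = pos;                       // saved copy of the source position
        size_t p = pos + 2;
        int base = 10;
        if (p < in.size() && (in[p] == 'x' || in[p] == 'X')) { base = 16; ++p; }
        size_t digitsStart = p;
        while (p < in.size() && std::isxdigit(static_cast<unsigned char>(in[p]))
               && (base == 16 || std::isdigit(static_cast<unsigned char>(in[p])))) ++p;
        bool ok = p > digitsStart && p < in.size() && in[p] == ';';
        uint32_t cp = 0;
        if (ok) {
            unsigned long v = std::strtoul(in.substr(digitsStart, p - digitsStart).c_str(), nullptr, base);
            cp = v > 0x10FFFF ? 0x110000 : static_cast<uint32_t>(v);   // clamp overflow to "illegal"
        }
        if (!ok || isIllegalCodePoint(cp)) { out += in[shadow]; pos = shadow + 1; continue; }  // restore, pass through
        appendUtf8(out, cp);
        pos = p + 1;
    }
    return out;
}
```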