[webkit-reviews] review granted: [Bug 27895] [XSSAuditor] Inline Event Handler with single-line JavaScript comment can bypass XSSAuditor : [Attachment 107229] Patch simplified.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 13 15:19:07 PDT 2011


Adam Barth <abarth at webkit.org> has granted Thomas Sepez <tsepez at chromium.org>'s
request for review:
Bug 27895: [XSSAuditor] Inline Event Handler with single-line JavaScript
comment can bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27895

Attachment 107229: Patch simplified.
https://bugs.webkit.org/attachment.cgi?id=107229&action=review

------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=107229&action=review


This looks like a great start.  We might need to iterate on the ordering
between the truncation and the canonicalization, but we can do that in a
separate patch.  I'd like to hear your answers to the questions in my last
review before landing.

> Source/WebCore/html/parser/XSSAuditor.cpp:492
> +    // Limit the length of the fragment to avoid comparing very long
strings.
> +    snippet.truncate(kMaximumSnippetLength);
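Review bot: the comment above `snippet.truncate(kMaximumSnippetLength)` talks about limiting the "fragment" while the variable is `snippet`; use one term, and say what unit `kMaximumSnippetLength` is measured in (UTF-16 code units of the not-yet-canonicalized string), because a fixed-length cut can land inside a `%XX` escape or between the two halves of a surrogate pair, so the canonicalized truncated snippet will not be a prefix of the canonicalized full snippet. Either canonicalize before truncating or back the cut up to the nearest escape/code-point boundary.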

Will this cause a problem if we truncate in the middle of a %-escape sequence
of a UTF-16 surrogate?  I'm worried that the canonicalization step will end up
with a different result.  Maybe we should canonicalize before trimming the
snippet?
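The ordering concern raised above can be shown with a small stand-alone C++ program. This is an added example, not code from the WebKit patch or from the XSSAuditor; `kMaxLen` is a hypothetical stand-in for `kMaximumSnippetLength` (whose real value is not on the page), `percentDecode` is a minimal stand-in for the auditor's canonicalization step, and the sample snippet is constructed. It compares truncate-then-canonicalize with canonicalize-then-truncate, and adds two boundary-aware truncations (one for `%XX` escapes, one for UTF-16 surrogate pairs) that keep the truncated result a prefix of the full canonical form.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical limit standing in for WebKit's kMaximumSnippetLength
// (the real value is not given on the page).
constexpr std::size_t kMaxLen = 5;

static bool isHex(char c) {
    return std::isxdigit(static_cast<unsigned char>(c)) != 0;
}

// Minimal percent-decoder used as a stand-in for canonicalization:
// "%XX" becomes one byte; anything malformed (including a "%3" cut off
// at the end of the string) is kept literally.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() && isHex(in[i + 1]) && isHex(in[i + 2])) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Ordering used by the patch under review: truncate, then canonicalize.
std::string truncateThenDecode(const std::string& s, std::size_t maxLen) {
    return percentDecode(s.substr(0, maxLen));
}

// Ordering suggested in the review: canonicalize, then truncate.
std::string decodeThenTruncate(const std::string& s, std::size_t maxLen) {
    return percentDecode(s).substr(0, maxLen);
}

// Keeps truncate-first but never cuts inside a "%XX" triple: if a '%'
// begins within the last two kept characters, move the cut back before it.
std::string truncateOnEscapeBoundary(const std::string& s, std::size_t maxLen) {
    if (s.size() <= maxLen) return s;
    std::size_t cut = maxLen;
    for (std::size_t back = 1; back <= 2 && back <= cut; ++back) {
        if (s[cut - back] == '%') { cut -= back; break; }
    }
    return s.substr(0, cut);
}

// Same idea for UTF-16: never strand a high surrogate at the end of the
// truncated snippet, otherwise the pair can no longer be decoded.
std::u16string truncateOnCodePointBoundary(const std::u16string& s, std::size_t maxLen) {
    if (s.size() <= maxLen) return s;
    std::size_t cut = maxLen;
    if (cut > 0) {
        char16_t last = s[cut - 1];
        if (last >= 0xD800 && last <= 0xDBFF) --cut;  // high surrogate: drop it
    }
    return s.substr(0, cut);
}

int main() {
    // Constructed sample: the 5th byte falls in the middle of "%3C".
    const std::string snippet = "x=1%3C%3E";
    std::cout << "truncate-then-decode: " << truncateThenDecode(snippet, kMaxLen) << '\n';
    std::cout << "decode-then-truncate: " << decodeThenTruncate(snippet, kMaxLen) << '\n';
    std::cout << "boundary-aware:       "
              << percentDecode(truncateOnEscapeBoundary(snippet, kMaxLen)) << '\n';
    const std::u16string emoji = u"a\U0001F600b";  // 'a', surrogate pair, 'b'
    std::cout << "utf16 cut at 2 keeps " << truncateOnCodePointBoundary(emoji, 2).size()
              << " code unit(s)\n";
    return 0;
}
```

With the sample input, truncate-then-decode yields `x=1%3` (a dangling, undecodable escape) while decode-then-truncate yields `x=1<>`, so a comparison against the canonicalized page content sees two different strings depending on the order; the boundary-aware variant instead drops the partial escape and yields `x=1`, which is a prefix of the full canonical form.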

