[webkit-reviews] review granted: [Bug 68281] xssauditor - bypass with unterminated closing script tag : [Attachment 107887] Patch to set end location of token before additional buffering takes place.
bugzilla-daemon at webkit.org
Mon Sep 19 11:07:24 PDT 2011
Adam Barth <abarth at webkit.org> has granted Thomas Sepez <tsepez at chromium.org>'s
request for review:
Bug 68281: xssauditor - bypass with unterminated closing script tag
https://bugs.webkit.org/show_bug.cgi?id=68281
Attachment 107887: Patch to set end location of token before additional
buffering takes place.
https://bugs.webkit.org/attachment.cgi?id=107887&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=107887&action=review
> Source/WebCore/html/parser/HTMLTokenizer.cpp:305
> - if (cc == '<')
> + if (cc == '<') {
> + // Token might end here. If not, we'll come through here again
> + // and update the end location again.
> + m_token->end(source.numberOfCharactersConsumed());
> HTML_ADVANCE_TO(ScriptDataLessThanSignState);
> + }
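Review bot: the early end marker is added only on the ScriptDataState `'<'` branch (the one that advances to ScriptDataLessThanSignState), so a character token in the other text-only states, RCDATA and RAWTEXT (what <title> and <style> put the tokenizer into), that is cut off by an unterminated closing tag keeps the old behaviour; the same `m_token->end(source.numberOfCharactersConsumed());` belongs in the matching `'<'` branches of those states, either here or in the follow-up, each with its own layout test. Separately, since `end()` now fires on every `<` in script data, the comment should say that the last call wins: a `<` that does not turn out to start `</script>` is reconsumed as data and the marker is overwritten at the next `<`, so a reader does not take the first `<` as the token's end.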
Interesting. We have this same problem for CDATA and RCDATA. For example, the
<title> and the <style> tags. It would be good to apply this kind of fix in
those cases too, maybe in a follow-up patch.
This patch feels a little bit like a hack because we're only doing this in one
case, but I do agree that this patch is moving us in the right direction
because the tokenizer should be setting the end marker for the token.
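The difference the patch makes is easiest to see on a toy. The following is an added example, not WebKit's HTMLTokenizer or XSSAuditor code: a minimal script-data tokenizer that tracks only what the patch changes, namely when a character token's end offset is recorded. `eagerEnd == true` records it at every `<` seen in script data, as the patched ScriptDataState does, letting later `<` characters overwrite it; `eagerEnd == false` records it only when the token is emitted, from the characters it carries by then, which is an assumed stand-in for the pre-patch behaviour (the page does not show what the old end offset was). `scriptDataToken`, `auditedSpan`, the `State` names and the inputs are all constructed for this example.

```cpp
#include <cctype>
#include <string>

// Toy model of the script-data tokenizer states (not WebKit's HTMLTokenizer).
enum class State { ScriptData, LessThanSign, EndTagOpen, EndTagName };

struct CharToken {
    std::string data;  // characters the token carries
    long end = -1;     // offset just past the token's source, -1 = never set
};

// `src` is assumed to begin right after "<script>". Returns the script-data
// character token, ended by "</script>" or by end of input.
// eagerEnd == true : record the end offset at every '<' seen in script data
//                    (the patched behaviour; a later '<' overwrites it).
// eagerEnd == false: record it only when the token is emitted, from the
//                    characters it carries by then (assumed pre-patch behaviour).
CharToken scriptDataToken(const std::string& src, bool eagerEnd) {
    CharToken tok;
    State state = State::ScriptData;
    std::string name;  // buffered candidate end-tag name
    size_t i = 0;
    while (i < src.size()) {
        char c = src[i];
        switch (state) {
        case State::ScriptData:
            if (c == '<') {
                if (eagerEnd) tok.end = (long)i;  // token might end here
                state = State::LessThanSign;
            } else {
                tok.data += c;
            }
            ++i;
            break;
        case State::LessThanSign:
            if (c == '/') { name.clear(); state = State::EndTagOpen; ++i; }
            else { tok.data += '<'; state = State::ScriptData; }  // reconsume c
            break;
        case State::EndTagOpen:
            if (std::isalpha((unsigned char)c)) state = State::EndTagName;  // reconsume c
            else { tok.data += "</"; state = State::ScriptData; }           // reconsume c
            break;
        case State::EndTagName:
            if (std::isalpha((unsigned char)c)) {
                name += (char)std::tolower((unsigned char)c);
                ++i;
            } else if (c == '>' && name == "script") {
                // Appropriate end tag: the character token is emitted now.
                if (!eagerEnd) tok.end = (long)tok.data.size();
                return tok;
            } else {
                // Not </script>: the buffered "</name" is flushed back into the token.
                tok.data += "</" + name;
                state = State::ScriptData;  // reconsume c
            }
            break;
        }
    }
    // End of input with an unterminated tag: flush what was buffered, then emit.
    if (state == State::LessThanSign) tok.data += '<';
    else if (state == State::EndTagOpen) tok.data += "</";
    else if (state == State::EndTagName) tok.data += "</" + name;
    if (!eagerEnd) tok.end = (long)tok.data.size();
    return tok;
}

// The source span a token-range consumer (such as an XSS auditor) would inspect.
std::string auditedSpan(const std::string& src, bool eagerEnd) {
    CharToken tok = scriptDataToken(src, eagerEnd);
    if (tok.end < 0) return "";
    return src.substr(0, (size_t)tok.end);
}
```

For `alert(1)</script>` both policies end the token at offset 8, the `<` of the closing tag. For the unterminated `alert(1)</script` the eager marker stays at 8 while the lazy one moves to 16, past the `</script` characters that the end-tag-name state flushed back into the token; that tail is exactly the "additional buffering" the patch title refers to. `a</b>c</script>` shows the overwrite the patch comment describes: the marker is set to 1 at the first `<`, the `</b` is reconsumed as data, and the marker is set again to 6 at the real closing tag.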