[Webkit-unassigned] [Bug 26921] [XSSAuditor] HTML entities can bypass xssAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 10 19:14:18 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26921


Daniel Bates <dbates at berkeley.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #32602|                            |review?
               Flag|                            |




--- Comment #4 from Daniel Bates <dbates at berkeley.edu>  2009-07-10 19:14:17 PDT ---
Created an attachment (id=32602)
 --> (https://bugs.webkit.org/attachment.cgi?id=32602)
Working patch with tests

Modified initial patch XSSAuditor::decodeHTMLEntities to more closely match the
functionality in HTMLTokenizer for handling illegal entities by not decoding
them (for example: HTMLTokenizer does not substitute '\0' for &#00, &#x00, but
the PreloadScanner, used by XSSAuditor::decodeHTMLEntities, does). To get
similar behavior, I make a copy of SegmentedString |source| called sourceShadow
before calling the PreloadScanner. If the PreloadScanner returns an invalid
entity e == 0xFFFD, then I swap |source| and |sourceShadow|. Maybe there is a
more efficient way to achieve the same result?

The list of parameters to findInRequest and decodeURL is becoming unwieldy. The
code should be cleaned up, but this may be better to do in a separate bug.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
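As an added illustration of the decoding mismatch described in the comment above (this is not WebKit's code and not the patch attached to this bug), the Python below models the two behaviours being contrasted: a lenient decoder that substitutes U+FFFD for an illegal numeric character reference, and a tokenizer-style decoder that rolls back to the undecoded text when the lenient pass yields U+FFFD, which is the effect of the |source|/|sourceShadow| swap. It handles numeric references only; named entities, the legacy entity table, and the exact set of code points WebKit treats as illegal are out of scope, and the "illegal" test here (NUL, surrogates, out of range) is an assumption made for the example. `normalization_gaps` lists the references on which the two decoders disagree, which is the check a reviewer of a filter would want to run, since any input where the filter's view differs from the parser's view is a place the filter cannot be trusted.

```python
import re

REPLACEMENT = "\ufffd"

# Matches &#NNN; and &#xHHH; (semicolon optional, as in the comment's "&#00, &#x00").
NUMERIC_REF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));?")


def decode_numeric_ref(hex_digits, dec_digits):
    """Decode one numeric character reference.

    Returns U+FFFD for references this example treats as illegal
    (assumption: NUL, UTF-16 surrogates, and values above U+10FFFF).
    """
    code = int(hex_digits, 16) if hex_digits is not None else int(dec_digits, 10)
    if code == 0 or 0xD800 <= code <= 0xDFFF or code > 0x10FFFF:
        return REPLACEMENT
    return chr(code)


def decode_entities_lenient(text):
    """PreloadScanner-style behaviour from the comment: illegal references
    become U+FFFD instead of being left in the text."""
    return NUMERIC_REF.sub(
        lambda m: decode_numeric_ref(m.group(1), m.group(2)), text
    )


def decode_entities_strict(text):
    """Tokenizer-style behaviour the patch mimics: when decoding would yield
    U+FFFD, keep the original characters (the sourceShadow rollback)."""

    def repl(m):
        decoded = decode_numeric_ref(m.group(1), m.group(2))
        return m.group(0) if decoded == REPLACEMENT else decoded

    return NUMERIC_REF.sub(repl, text)


def normalization_gaps(text):
    """Return the references on which the two decoders disagree.

    A filter that normalizes differently from the parser is blind exactly
    on these spans, so a non-empty result is the signal to investigate.
    """
    gaps = []
    for m in NUMERIC_REF.finditer(text):
        if decode_numeric_ref(m.group(1), m.group(2)) == REPLACEMENT:
            gaps.append(m.group(0))
    return gaps


if __name__ == "__main__":
    # Constructed sample input, not taken from the bug report.
    sample = "id=&#x41;&#66;&#00;&#x00;&#xD800;"
    print("lenient:", repr(decode_entities_lenient(sample)))
    print("strict: ", repr(decode_entities_strict(sample)))
    print("gaps:   ", normalization_gaps(sample))
```

Running the module shows that `&#x41;` and `&#66;` decode identically under both strategies, while `&#00;`, `&#x00;` and `&#xD800;` are the spans where the two views of the same input diverge.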