[Webkit-unassigned] [Bug 26708] XSSAuditor false negatives
bugzilla-daemon at webkit.org
Fri Jun 26 00:38:10 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26708
------- Comment #3 from dbates at berkeley.edu 2009-06-26 00:38 PDT -------
I will clean up the patch.
I could not find an equivalent function to XSSAuditor::decodeURLHTMLEntities.
(In reply to comment #2)
> In general, we shouldn't be duplicating code from other source files. You
> should modify the other files to expose the functions you need in their header
> files. For example, fixUpChar could be moved to HTMLTokenizer.h (and possibly
> renamed) and similarly hexDigitValue.
>
> I also wish we didn't have to write our own XSSAuditor::decodeURLHTMLEntities.
> Does this function not exist elsewhere? If not, we should add it to the right
> file instead of adding it to the auditor directly. Also for
> XSSAuditor::findInRequest, we should only search the parent frame if the
> current frame's URL is about:blank. That should cover the <iframe
> src="javascript:..."> case.
>
> Finally, we should do the XSS_AUDITOR_PAGE_HEADERS work in a separate bug /
> patch because it's not related to these false negatives.
>