WebKit Bugzilla
Attachment 358371 Details for Bug 193155: Parsed protocol of javascript URLs with embedded newlines and carriage returns do not match parsed protocol in Chrome and Firefox
Patch: bug-193155-20190104142453.patch (text/plain), 4.33 KB, created by Brent Fulgham on 2019-01-04 14:24:54 PST
Description: Patch
Filename: bug-193155-20190104142453.patch
MIME Type: text/plain
Creator: Brent Fulgham
Created: 2019-01-04 14:24:54 PST
Size: 4.33 KB
Flags: patch, obsolete
>Subversion Revision: 239618 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 9c6713e6cb81a05b27dd3a361c984d754082ef8b..c5a8617e6eb272258797902c7eb56459f635818c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,20 @@ >+2019-01-04 Brent Fulgham <bfulgham@apple.com> >+ >+ Parsed protocol of javascript URLs with embedded newlines and carriage returns do not match parsed protocol in Chrome and Firefox >+ https://bugs.webkit.org/show_bug.cgi?id=193155 >+ <rdar://problem/40230982> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Test: fast/loader/comment-only-javascript-url.html >+ >+ Make a special case for URLs beginning with 'javascript:'. We should always >+ treat these as JS URLs, even if the content contained within the URL >+ string might match other parts of the URL parsing spec. >+ >+ * html/URLUtils.h: >+ (WebCore::URLUtils<T>::protocol const): >+ > 2019-01-04 Chris Fleizach <cfleizach@apple.com> > > AX: String check: "Rule" does not reflect the meaning of the <hr> html tag >diff --git a/Source/WebCore/html/URLUtils.h b/Source/WebCore/html/URLUtils.h >index 3a8d5413f93148e13f49f968550629f4c09c3404..696c0051bd544723bb48e5f87e1d8703a829027d 100644 >--- a/Source/WebCore/html/URLUtils.h >+++ b/Source/WebCore/html/URLUtils.h >@@ -90,6 +90,8 @@ String URLUtils<T>::origin() const > template <typename T> > String URLUtils<T>::protocol() const > { >+ if (WTF::protocolIsJavaScript(href())) >+ return "javascript:"_s; > return makeString(href().protocol(), ':'); > } > >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 6c934d69ca102d357ac6e6648f09e4b7166575bb..2b7614daa064b13a7ad767966defe7d275b457b6 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,14 @@ >+2019-01-04 Brent Fulgham <bfulgham@apple.com> >+ >+ Parsed protocol of javascript URLs with embedded newlines and carriage returns do not match parsed protocol in Chrome and Firefox >+ https://bugs.webkit.org/show_bug.cgi?id=193155 >+ <rdar://problem/40230982> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * fast/loader/comment-only-javascript-url-expected.txt: Added. >+ * fast/loader/comment-only-javascript-url.html: Added. >+ > 2019-01-04 Chris Fleizach <cfleizach@apple.com> > > AX: String check: "Rule" does not reflect the meaning of the <hr> html tag >diff --git a/LayoutTests/fast/loader/comment-only-javascript-url-expected.txt b/LayoutTests/fast/loader/comment-only-javascript-url-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0e3ffb34b90842b4f6cd614e3277ba044dc1246d >--- /dev/null >+++ b/LayoutTests/fast/loader/comment-only-javascript-url-expected.txt >@@ -0,0 +1,10 @@ >+Tests that we do not allow abuse of URL parsing rules to trick JavaScript code that attempts to recognize JS URLs. This test FAILS if any alerts are generated. >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS No JavaScript URLs executed. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/fast/loader/comment-only-javascript-url.html b/LayoutTests/fast/loader/comment-only-javascript-url.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e5e155e4ad76c697fe2b46c069d1656063f69f95 >--- /dev/null >+++ b/LayoutTests/fast/loader/comment-only-javascript-url.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<script src="../../resources/js-test.js"></script> >+<script> >+if (window.testRunner) { >+ testRunner.waitUntilDone(); >+ testRunner.dumpAsText(); >+} >+jsTestIsAsync = true; >+var count = 0; >+</script> >+</head> >+<body> >+<script> >+function filter(url){ >+ var parser = document.createElement('a'); >+ parser.href = url; >+ if (parser.protocol.indexOf("javascript") == -1) { >+ parser.click(); >+ } >+} >+ >+description("Tests that we do not allow abuse of URL parsing rules to trick JavaScript code that attempts to recognize JS URLs. This test FAILS if any alerts are generated."); >+ >+filter("javascript:alert(1); ++count;"); >+filter("javascript:// A fun test%0aalert(2); ++count;"); >+filter("javascript://:%0aalert(3); ++count;"); >+ >+setTimeout(function () { >+ if (!count) >+ testPassed("No JavaScript URLs executed."); >+ else >+ testFailed("JavaScript URLs were executed.") >+ finishJSTest(); >+}, 0); >+</script> >+</body> >+</html>
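Review bot: In the URLUtils<T>::protocol() hunk, the special case only changes what protocol() reports; href() itself, and any caller that reads href().protocol() directly or uses another accessor on the same URL, still sees the URL parser's interpretation of the string. Consider whether the fix belongs in the URL parser so every consumer agrees, or state in the ChangeLog why an accessor-level override is sufficient for the javascript: check the new test models. Two smaller points: href() is now evaluated twice on the non-JS path, so cache it in a local (`auto url = href();`) and use it in both the protocolIsJavaScript() call and the makeString() call; and the hunk adds no include for the header that declares WTF::protocolIsJavaScript, so confirm URLUtils.h already pulls it in.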
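Review bot: In comment-only-javascript-url.html, the pass/fail check runs from a setTimeout(..., 0), but nothing in the test establishes that a javascript: navigation triggered by parser.click() completes before that timer fires; if execution is deferred, count can still be 0 when the check runs and the test passes vacuously. Add a positive control (a click on an unfiltered javascript: URL whose ++count the test waits for before calling finishJSTest()) so the test demonstrably can fail, or otherwise delay the check until deferred navigations have run. Also `testFailed("JavaScript URLs were executed.")` is missing its trailing semicolon, and the brace-less if/else followed by finishJSTest() reads more clearly with braces.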