53664 2011-02-03 00:20:58 -0800 XSSFilter shouldn't bother to analyze pages without "injection" characters in the request 2011-02-03 15:35:13 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Other OS X 10.5 RESOLVED FIXED P2 Normal --- 49845 1 abarth abarth dbates eric oldest_to_newest 344555 0 abarth 2011-02-03 00:20:58 -0800 XSSFilter shouldn't bother to analyze pages without "injection" characters in the request 344556 1 81037 abarth 2011-02-03 00:26:40 -0800 Created attachment 81037 Patch 344560 2 81037 dbates 2011-02-03 00:40:59 -0800 Comment on attachment 81037 Patch r=me 344562 3 81037 eric 2011-02-03 00:46:10 -0800 Comment on attachment 81037 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=81037&action=review > Source/WebCore/html/parser/XSSFilter.h:73 > + bool m_isInitialized; I'm always suspicious of these types of bools. should this just be part of the state machine? Is there a better bool name than "initialzed"? m_hasParsedURL? 344563 4 eric 2011-02-03 00:46:20 -0800 Oops. Didn't mean to clear dan's r+. 344565 5 abarth 2011-02-03 00:47:55 -0800 (In reply to comment #3) > (From update of attachment 81037 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=81037&action=review > > > Source/WebCore/html/parser/XSSFilter.h:73 > > + bool m_isInitialized; > > I'm always suspicious of these types of bools. should this just be part of the state machine? Is there a better bool name than "initialzed"? m_hasParsedURL? We could move it into the state machine. I originally thought the state machine would have more states, but didn't turn out to need very many. 345014 6 81037 dbates 2011-02-03 14:24:29 -0800 Comment on attachment 81037 Patch Thank you Eric for looking over this patch. I was also not very satisfied with the m_isInitialized, but its presence isn't terrible. Moreover, I envisioned that we will perform some clean up iterations on this code once all the major pieces have been moved into place. If you see any correctness issues with this patch then feel free to override my review and help improve the code. 345044 7 abarth 2011-02-03 15:12:48 -0800 Generally speaking, I'm happy to do things in the most clean way the first time around. I'll try to fix this issue on landing. 345064 8 abarth 2011-02-03 15:35:13 -0800 Committed r77545: <http://trac.webkit.org/changeset/77545> 81037 2011-02-03 00:26:40 -0800 2011-02-03 14:24:29 -0800 Patch bug-53664-20110203002639.patch text/plain 5369 abarth ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCAyMGVjZmZhY2U5Y2VmZWMwMjVmYzE4ODc4NWI4NzAyYWU1ZmRhYWRiLi44 MjhmNTE4NzI1OTI0MjBlZGYyNmEyMDI5YWQzYzIwODIxNWQ4Nzg1IDEwMDY0NAotLS0gYS9Tb3Vy Y2UvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0x LDMgKzEsMjYgQEAKKzIwMTEtMDItMDMgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4K KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBYU1NGaWx0 ZXIgc2hvdWxkbid0IGJvdGhlciB0byBhbmFseXplIHBhZ2VzIHdpdGhvdXQgImluamVjdGlvbiIK KyAgICAgICAgY2hhcmFjdGVycyBpbiB0aGUgcmVxdWVzdAorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NTM2NjQKKworICAgICAgICBJZiB0aGUgcmVxdWVz dCBsYWNrcyB0aGVzZSAiaW5qZWN0aW9uIiBjaGFyYWN0ZXJzLCB0aGVuIGl0J3MgdW5saWtlbHkK KyAgICAgICAgdGhhdCB0aGVyZSdzIGEgcmVmbGVjdGl2ZSBYU1MgYXR0YWNrIGhhcHBlbmluZy4g IFRoaXMgaHVlcmlzdGljIGxldHMgdXMKKyAgICAgICAgYXZvaWQgYW5hbHl6aW5nIHRoZSB2YXN0 IG1ham9yaXR5IG9mIHJlc3BvbnNlcyBmb3IgWFNTLiAgT2YgY291cnNlLCB0aGUKKyAgICAgICAg aHVlcmlzdGljIGlzbid0IHBlcmZlY3QuICBCZWNhdXNlIG9mIHRoaXMgaHVlcnN0aWMsIHdlIG1p c3Mgb3V0IG9uCisgICAgICAgIGluamVjdGlvbnMgaW50byB1bnF1b3RlZCBhdHRyaWJ1dGVzLiAg SG93ZXZlciwgaXQncyBhIHRyYWRlLW9mZiB0aGF0J3MKKyAgICAgICAgd29ya2VkIHdlbGwgaW4g dGhlIFhTU0F1ZGl0b3IuCisKKyAgICAgICAgKiBodG1sL3BhcnNlci9YU1NGaWx0ZXIuY3BwOgor ICAgICAgICAoV2ViQ29yZTo6SFRNTE5hbWVzOjppc1JlcXVpcmVkRm9ySW5qZWN0aW9uKToKKyAg ICAgICAgKFdlYkNvcmU6OlhTU0ZpbHRlcjo6WFNTRmlsdGVyKToKKyAgICAgICAgKFdlYkNvcmU6 OlhTU0ZpbHRlcjo6aW5pdCk6CisgICAgICAgIChXZWJDb3JlOjpYU1NGaWx0ZXI6OmZpbHRlclRv a2VuKToKKyAgICAgICAgKFdlYkNvcmU6OlhTU0ZpbHRlcjo6aXNDb250YWluZWRJblJlcXVlc3Qp OgorICAgICAgICAqIGh0bWwvcGFyc2VyL1hTU0ZpbHRlci5oOgorCiAyMDExLTAyLTAyICBBZGFt IEJhcnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZ IChPT1BTISkuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9YU1NGaWx0 ZXIuY3BwIGIvU291cmNlL1dlYkNvcmUvaHRtbC9wYXJzZXIvWFNTRmlsdGVyLmNwcAppbmRleCAy NmRhYTdhOThlODAzZDUzMDRlN2VlZTFiNjAyMTE2Njg2NWU1ZTBhLi40MmNkZjU0MjdjZDI2YWYx NWQwMTg5NjdlMzhmMzI3MTUwMjcwNDlhIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9odG1s L3BhcnNlci9YU1NGaWx0ZXIuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2h0bWwvcGFyc2VyL1hT U0ZpbHRlci5jcHAKQEAgLTY0LDYgKzY0LDExIEBAIFN0cmluZyBjYW5vbmljYWxpemUoY29uc3Qg U3RyaW5nJiBzdHJpbmcpCiAgICAgcmV0dXJuIHN0cmluZy5yZW1vdmVDaGFyYWN0ZXJzKCZpc05v bkNhbm9uaWNhbENoYXJhY3Rlcik7CiB9CiAKK2Jvb2wgaXNSZXF1aXJlZEZvckluamVjdGlvbihV Q2hhciBjKQoreworICAgIHJldHVybiAoYyA9PSAnXCcnIHx8IGMgPT0gJyInIHx8IGMgPT0gJzwn IHx8IGMgPT0gJz4nKTsKK30KKwogYm9vbCBoYXNOYW1lKGNvbnN0IEhUTUxUb2tlbiYgdG9rZW4s IGNvbnN0IFF1YWxpZmllZE5hbWUmIG5hbWUpCiB7CiAgICAgcmV0dXJuIGVxdWFsSWdub3JpbmdO dWxsaXR5KHRva2VuLm5hbWUoKSwgc3RhdGljX2Nhc3Q8Y29uc3QgU3RyaW5nJj4obmFtZS5sb2Nh bE5hbWUoKSkpOwpAQCAtMTIzLDYgKzEyOCw3IEBAIFN0cmluZyBkZWNvZGVVUkwoY29uc3QgU3Ry aW5nJiBzdHJpbmcsIGNvbnN0IFRleHRFbmNvZGluZyYgZW5jb2RpbmcpCiBYU1NGaWx0ZXI6OlhT U0ZpbHRlcihIVE1MRG9jdW1lbnRQYXJzZXIqIHBhcnNlcikKICAgICA6IG1fcGFyc2VyKHBhcnNl cikKICAgICAsIG1faXNFbmFibGVkKGZhbHNlKQorICAgICwgbV9pc0luaXRpYWxpemVkKGZhbHNl KQogICAgICwgbV94c3NQcm90ZWN0aW9uKFhTU1Byb3RlY3Rpb25FbmFibGVkKQogICAgICwgbV9z dGF0ZShJbml0aWFsKQogewpAQCAtMTM3LDcgKzE0MywxOSBAQCBYU1NGaWx0ZXI6OlhTU0ZpbHRl cihIVE1MRG9jdW1lbnRQYXJzZXIqIHBhcnNlcikKIAogdm9pZCBYU1NGaWx0ZXI6OmluaXQoKQog ewotICAgIEFTU0VSVChtX2lzRW5hYmxlZCk7CisgICAgQVNTRVJUKCFtX2lzSW5pdGlhbGl6ZWQp OworICAgIEFTU0VSVChtX3N0YXRlID09IEluaXRpYWwpOworICAgIG1faXNJbml0aWFsaXplZCA9 IHRydWU7CisKKyAgICBpZiAoIW1faXNFbmFibGVkKQorICAgICAgICByZXR1cm47CisgICAgCisg ICAgLy8gSW4gdGhlb3J5LCB0aGUgRG9jdW1lbnQgY291bGQgaGF2ZSBkZXRhY2hlZCBmcm9tIHRo ZSBGcmFtZSBhZnRlciB0aGUKKyAgICAvLyBYU1NGaWx0ZXIgd2FzIGNvbnN0cnVjdGVkLgorICAg IGlmICghbV9wYXJzZXItPmRvY3VtZW50KCktPmZyYW1lKCkpIHsKKyAgICAgICAgbV9pc0VuYWJs ZWQgPSBmYWxzZTsKKyAgICAgICAgcmV0dXJuOworICAgIH0KIAogICAgIGNvbnN0IFRleHRFbmNv ZGluZyYgZW5jb2RpbmcgPSBtX3BhcnNlci0+ZG9jdW1lbnQoKS0+ZGVjb2RlcigpLT5lbmNvZGlu ZygpOwogICAgIGNvbnN0IEtVUkwmIHVybCA9IG1fcGFyc2VyLT5kb2N1bWVudCgpLT51cmwoKTsK QEAgLTE0NiwyMCArMTY0LDIzIEBAIHZvaWQgWFNTRmlsdGVyOjppbml0KCkKICAgICAgICAgcmV0 dXJuOwogICAgIH0KICAgICBtX2RlY29kZWRVUkwgPSBkZWNvZGVVUkwodXJsLnN0cmluZygpLCBl bmNvZGluZyk7Ci0KLSAgICAvLyBJbiB0aGVvcnksIHRoZSBEb2N1bWVudCBjb3VsZCBoYXZlIGRl dGFjaGVkIGZyb20gdGhlIEZyYW1lIGFmdGVyIHRoZQotICAgIC8vIFhTU0ZpbHRlciB3YXMgY29u c3RydWN0ZWQuCi0gICAgaWYgKCFtX3BhcnNlci0+ZG9jdW1lbnQoKS0+ZnJhbWUoKSkKLSAgICAg ICAgcmV0dXJuOworICAgIGlmIChtX2RlY29kZWRVUkwuZmluZChpc1JlcXVpcmVkRm9ySW5qZWN0 aW9uLCAwKSA9PSBub3RGb3VuZCkKKyAgICAgICAgbV9kZWNvZGVkVVJMID0gU3RyaW5nKCk7CiAK ICAgICBpZiAoRG9jdW1lbnRMb2FkZXIqIGRvY3VtZW50TG9hZGVyID0gbV9wYXJzZXItPmRvY3Vt ZW50KCktPmZyYW1lKCktPmxvYWRlcigpLT5kb2N1bWVudExvYWRlcigpKSB7CiAgICAgICAgIERF RklORV9TVEFUSUNfTE9DQUwoU3RyaW5nLCBYU1NQcm90ZWN0aW9uSGVhZGVyLCAoIlgtWFNTLVBy b3RlY3Rpb24iKSk7CiAgICAgICAgIG1feHNzUHJvdGVjdGlvbiA9IHBhcnNlWFNTUHJvdGVjdGlv bkhlYWRlcihkb2N1bWVudExvYWRlci0+cmVzcG9uc2UoKS5odHRwSGVhZGVyRmllbGQoWFNTUHJv dGVjdGlvbkhlYWRlcikpOwogCiAgICAgICAgIEZvcm1EYXRhKiBodHRwQm9keSA9IGRvY3VtZW50 TG9hZGVyLT5vcmlnaW5hbFJlcXVlc3QoKS5odHRwQm9keSgpOwotICAgICAgICBpZiAoaHR0cEJv ZHkgJiYgIWh0dHBCb2R5LT5pc0VtcHR5KCkpCisgICAgICAgIGlmIChodHRwQm9keSAmJiAhaHR0 cEJvZHktPmlzRW1wdHkoKSkgewogICAgICAgICAgICAgbV9kZWNvZGVkSFRUUEJvZHkgPSBkZWNv ZGVVUkwoaHR0cEJvZHktPmZsYXR0ZW5Ub1N0cmluZygpLCBlbmNvZGluZyk7CisgICAgICAgICAg ICBpZiAobV9kZWNvZGVkSFRUUEJvZHkuZmluZChpc1JlcXVpcmVkRm9ySW5qZWN0aW9uLCAwKSA9 PSBub3RGb3VuZCkKKyAgICAgICAgICAgICAgICBtX2RlY29kZWRIVFRQQm9keSA9IFN0cmluZygp OworICAgICAgICB9CiAgICAgfQorCisgICAgaWYgKG1fZGVjb2RlZFVSTC5pc0VtcHR5KCkgJiYg bV9kZWNvZGVkSFRUUEJvZHkuaXNFbXB0eSgpKQorICAgICAgICBtX2lzRW5hYmxlZCA9IGZhbHNl OwogfQogCiB2b2lkIFhTU0ZpbHRlcjo6ZmlsdGVyVG9rZW4oSFRNTFRva2VuJiB0b2tlbikKQEAg LTE2OCw3ICsxODksNyBAQCB2b2lkIFhTU0ZpbHRlcjo6ZmlsdGVyVG9rZW4oSFRNTFRva2VuJiB0 b2tlbikKICAgICBBU1NFUlRfVU5VU0VEKHRva2VuLCAmdG9rZW4pOwogICAgIHJldHVybjsKICNl bHNlCi0gICAgaWYgKG1faXNFbmFibGVkICYmIG1fZGVjb2RlZFVSTC5pc0VtcHR5KCkpCisgICAg aWYgKCFtX2lzSW5pdGlhbGl6ZWQpCiAgICAgICAgIGluaXQoKTsKIAogICAgIGlmICghbV9pc0Vu YWJsZWQgfHwgbV94c3NQcm90ZWN0aW9uID09IFhTU1Byb3RlY3Rpb25EaXNhYmxlZCkKQEAgLTQw MCw3ICs0MjEsOSBAQCBTdHJpbmcgWFNTRmlsdGVyOjpzbmlwcGV0Rm9yQXR0cmlidXRlKGNvbnN0 IEhUTUxUb2tlbiYgdG9rZW4sIGNvbnN0IEhUTUxUb2tlbjo6QQogCiBib29sIFhTU0ZpbHRlcjo6 aXNDb250YWluZWRJblJlcXVlc3QoY29uc3QgU3RyaW5nJiBzbmlwcGV0KQogeworICAgIEFTU0VS VCghc25pcHBldC5pc0VtcHR5KCkpOwogICAgIFN0cmluZyBjYW5vbmljYWxpemVkU25pcHBldCA9 IGNhbm9uaWNhbGl6ZShzbmlwcGV0KTsKKyAgICBBU1NFUlQoIWNhbm9uaWNhbGl6ZWRTbmlwcGV0 LmlzRW1wdHkoKSk7CiAgICAgcmV0dXJuIG1fZGVjb2RlZFVSTC5maW5kKGNhbm9uaWNhbGl6ZWRT bmlwcGV0LCAwLCBmYWxzZSkgIT0gbm90Rm91bmQKICAgICAgICAgfHwgbV9kZWNvZGVkSFRUUEJv ZHkuZmluZChjYW5vbmljYWxpemVkU25pcHBldCwgMCwgZmFsc2UpICE9IG5vdEZvdW5kOwogfQpk aWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvaHRtbC9wYXJzZXIvWFNTRmlsdGVyLmggYi9Tb3Vy Y2UvV2ViQ29yZS9odG1sL3BhcnNlci9YU1NGaWx0ZXIuaAppbmRleCAwOGJjMWRkODMwMzM0MDBi MTk4NDc5OTBkOGY3MmY0NDI2MDFkYmYyLi5mN2JjMDIwNmZiYTZiZDRlM2U1YThiMzEwYTViNzli ODc0ZDE1MmI5IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9YU1NGaWx0 ZXIuaAorKysgYi9Tb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9YU1NGaWx0ZXIuaApAQCAtNzAs NiArNzAsNyBAQCBwcml2YXRlOgogCiAgICAgSFRNTERvY3VtZW50UGFyc2VyKiBtX3BhcnNlcjsK ICAgICBib29sIG1faXNFbmFibGVkOworICAgIGJvb2wgbV9pc0luaXRpYWxpemVkOwogICAgIFhT U1Byb3RlY3Rpb25EaXNwb3NpdGlvbiBtX3hzc1Byb3RlY3Rpb247CiAKICAgICBTdHJpbmcgbV9k ZWNvZGVkVVJMOwo=