XSSAuditor: script src=data URLs need truncation at quotes

BUG=582860

Review URL: https://codereview.chromium.org/1689223003

Cr-Commit-Position: refs/heads/master@{#375210}
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
index c60e081c..49cfab7 100755
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
@@ -14,5 +14,6 @@
     print $cgi->param('clutter');
 }
 print "\">\n";
+print "<script>var y = 123;</script>";
 print "</body>\n";
 print "</html>\n";
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt
new file mode 100644
index 0000000..19e25a6
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt
@@ -0,0 +1,2 @@
+CONSOLE ERROR: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
new file mode 100644
index 0000000..0851981
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22><script src%3ddata:,alert(1)%3bhey%%22">
+</iframe>
+</body>
+</html>
diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
index b7c4aaa..381b287 100644
--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -196,10 +196,12 @@
     // In HTTP URLs, characters following the first ?, #, or third slash may come from
     // the page itself and can be merely ignored by an attacker's server when a remote
     // script or script-like resource is requested. In DATA URLS, the payload starts at
-    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
-    // following this may come from the page itself and may be ignored when the script is
-    // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
-    // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,
+    // DATA URLs may use the same string literal tricks as with script content itself.
+    // In either case, content following this may come from the page and may be ignored
+    // when the script is executed.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at the first
+    // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
     int slashCount = 0;
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
@@ -207,7 +209,9 @@
         if (currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
-            || (currentChar == '<' && commaSeen)) {
+            || (currentChar == '<' && commaSeen)
+            || (currentChar == '\'' && commaSeen)
+            || (currentChar == '"' && commaSeen)) {
             decodedSnippet.truncate(currentLength);
             return;
         }