XSSAuditor: script src=data URLs need truncation at quotes

BUG=582860

Review URL: https://codereview.chromium.org/1689223003

Cr-Commit-Position: refs/heads/master@{#375210}
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
index c60e081c..49cfab7 100755
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
@@ -14,5 +14,6 @@
     print $cgi->param('clutter');
 }
 print "\">\n";
+print "<script>var y = 123;</script>";
 print "</body>\n";
 print "</html>\n";
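Review bot: The added `print "<script>var y = 123;</script>";` is the only print in this block that does not end its line, so the script is emitted on the same output line as the preceding `">`; the neighbouring prints all finish with `\n`. Unless the placement on that line is deliberate, `print "<script>var y = 123;</script>\n";` would keep the fixture's output consistent, and if it is deliberate a one-line comment saying why (for example that the test relies on the script's position in the echoed page) would stop a later cleanup from moving it. Whether the `line 3` in the new expected file is sensitive to this is worth a check before landing.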
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt
new file mode 100644
index 0000000..19e25a6
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt
@@ -0,0 +1,2 @@
+CONSOLE ERROR: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
new file mode 100644
index 0000000..0851981
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22><script src%3ddata:,alert(1)%3bhey%%22">
+</iframe>
+</body>
+</html>
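Review bot: The new test gives no hint of what it is exercising, and the injected URL in the iframe `src` is dense enough that the intent is not obvious from the file alone. A short comment above the iframe, such as `<!-- The injected data: script URL is cut short by a quote after the comma; the auditor must still recognise the reflected source and block it. -->`, would tie the test to the truncation change it accompanies, assuming that reading of the payload is correct.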
diff --git a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
index b7c4aaa..381b2875 100644
--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -196,10 +196,12 @@
     // In HTTP URLs, characters following the first ?, #, or third slash may come from
     // the page itself and can be merely ignored by an attacker's server when a remote
     // script or script-like resource is requested. In DATA URLS, the payload starts at
-    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
-    // following this may come from the page itself and may be ignored when the script is
-    // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
-    // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Also,
+    // DATA URLs may use the same string literal tricks as with script content itself.
+    // In either case, content following this may come from the page and may be ignored
+    // when the script is executed.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at the first
+    // # or ?, the third slash, or the first slash, <, ', or " once a comma is seen.
     int slashCount = 0;
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
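Review bot: The reworded comment still carries the doubled word in `the first comma, and the the first /*, //, or <!--`; since the block is being rewritten anyway, make it `the first comma, and the first /*, //, or <!-- may introduce a comment.`. The remaining new sentences read fine and match the code below. The enclosing function starts before this hunk.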
@@ -207,7 +209,9 @@
         if (currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
-            || (currentChar == '<' && commaSeen)) {
+            || (currentChar == '<' && commaSeen)
+            || (currentChar == '\'' && commaSeen)
+            || (currentChar == '"' && commaSeen)) {
             decodedSnippet.truncate(currentLength);
             return;
         }
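Review bot: The two added disjuncts repeat the `&& commaSeen` pattern of the `<` case, so the condition is easier to read if the three post-comma characters are grouped: `|| ((currentChar == '<' || currentChar == '\'' || currentChar == '"') && commaSeen)) {`. Separately, the comment above speaks of string-literal tricks in general while only `'` and `"` are stopped here; whether the template-literal backtick should be treated the same way, with a matching layout test, is worth confirming explicitly rather than leaving it implicit. The enclosing function begins and ends outside the hunk.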