blob: 39b5f1335d6aa1ede3c9b2325312130c8b2f1afa [file] [log] [blame]
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string_view>
#include "base/strings/escape.h"
#include "chrome/test/base/ui_test_utils.h"
#include "chrome/test/fuzzing/in_process_fuzzer.h"
// This is an example use of the InProcessFuzzer framework.
// It encodes arbirtary HTML into a data: URI then navigates to it.
// It's not really intended to be an effective fuzzer, but just to
// show an example of how this framework can be used.
class HtmlInProcessFuzzer : public InProcessFuzzer {
public:
HtmlInProcessFuzzer() = default;
int Fuzz(const uint8_t* data, size_t size) override;
};
REGISTER_IN_PROCESS_FUZZER(HtmlInProcessFuzzer)
int HtmlInProcessFuzzer::Fuzz(const uint8_t* data, size_t size) {
std::string_view html_string(reinterpret_cast<const char*>(data), size);
// See
// docs/security/url_display_guidelines/url_display_guidelines.md#url-length
const size_t kMaxUrlLength = 2 * 1024 * 1024;
std::string url_string = "data:text/html;charset=utf-8,";
const bool kUsePlus = false;
url_string.append(base::EscapeQueryParamValue(html_string, kUsePlus));
if (url_string.length() > kMaxUrlLength) {
return -1;
}
base::IgnoreResult(ui_test_utils::NavigateToURL(browser(), GURL(url_string)));
return 0;
}