161939 2016-09-13 18:20:22 -0700 [XSS Auditor] HTML5 entities can bypass XSS Auditor 2016-09-22 14:36:31 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED FIXED BlinkMergeCandidate, InRadar P2 Normal --- 161937 1 dbates dbates aestes bfulgham webkit-bug-importer oldest_to_newest 1229401 0 dbates 2016-09-13 18:20:22 -0700 We should merge <https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179>. 1229402 1 dbates 2016-09-13 18:21:22 -0700 <rdar://problem/25819815> 1229406 2 288758 dbates 2016-09-13 18:43:49 -0700 Created attachment 288758 Patch and Layout Test 1229410 3 288758 ddkilzer 2016-09-13 18:58:25 -0700 Comment on attachment 288758 Patch and Layout Test r=me 1232631 4 288758 dbates 2016-09-22 14:36:28 -0700 Comment on attachment 288758 Patch and Layout Test Clearing flags on attachment: 288758 Committed r206277: <http://trac.webkit.org/changeset/206277> 1232632 5 dbates 2016-09-22 14:36:31 -0700 All reviewed patches have been landed. Closing bug. 288758 2016-09-13 18:43:49 -0700 2016-09-22 14:36:28 -0700 Patch and Layout Test bug-161939-20160913184113.patch text/plain 5567 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjA1ODg3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZjUyNjhiZjZkODdhNmFl NzJhZGZiMTRjYWZkZGJhM2VlZmQ1MTAzNi4uMGU5MWQzNjViMWRhMjg1Y2FlNDUwYjU4Yzg0ODM3 ZTFiYThmODhiMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDMwIEBACiAyMDE2LTA5LTEzICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KIAorICAgICAgICBbWFNTIEF1ZGl0b3JdIEhU TUw1IGVudGl0aWVzIGNhbiBieXBhc3MgWFNTIEF1ZGl0b3IKKyAgICAgICAgaHR0cHM6Ly9idWdz LndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE2MTkzOQorICAgICAgICA8cmRhcjovL3Byb2Js ZW0vMjU4MTk4MTU+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgTWVyZ2VkIGZyb20gQmxpbms6CisgICAgICAgIDxodHRwczovL2Nocm9taXVtLmdvb2ds ZXNvdXJjZS5jb20vY2hyb21pdW0vc3JjLysvMDRlNDQwNjBkY2NlZTcxMTg0MmQwODY1MmJmMWM2 MjJhMGY0MzE3OT4KKworICAgICAgICBUcnVuY2F0ZSBhIHNyYy1saWtlIFVSTCBhdCB0aGUgZmly c3QgJiBjaGFyYWN0ZXIgYXMgaXQgbWF5IG1hcmsgdGhlIHN0YXJ0IG9mIGFuIEhUTUwgZW50aXR5 LgorICAgICAgICBXZSB3aWxsIGV2YWx1YXRlIHRoZSBlZmZlY3RpdmVuZXNzIG9mIHRoaXMgYXBw cm9hY2ggYW5kIGFkanVzdCBpdCBpZiBuZWNlc3NhcnkgaWYgd2Ugc2VlIGFuCisgICAgICAgIGlu Y3JlYXNlIGluIGZhbHNlIHBvc2l0aXZlcy4KKworICAgICAgICBIVE1MNSBkZWZpbmVzIG1vcmUg bmFtZWQgY2hhcmFjdGVyIHJlZmVyZW5jZXMsIGluY2x1ZGluZyBuYW1lZCBjaGFyYWN0ZXIgcmVm ZXJlbmNlcyBmb3IgY29tbW9uCisgICAgICAgIHB1bmN0dWF0aW9uIGNoYXJhY3RlcnMuIENoYXJh Y3RlcnMgZm9sbG93aW5nIHNvbWUgcHVuY3R1YXRpb24gY2hhcmFjdGVycyBtYXkgY29tZSBmcm9t IHRoZSBwYWdlCisgICAgICAgIGl0c2VsZi4gV2UgdHJ1bmNhdGUgc3JjLWxpa2Ugc3RyaW5ncyBh dCBwdW5jdHVhdGlvbiBjaGFyYWN0ZXJzIHRvIGF2b2lkIGNvbnNpZGVyaW5nIHN1Y2ggcGFnZQor ICAgICAgICBjb250ZW50IHdoZW4gcGVyZm9ybWluZyBhIG1hdGNoLgorCisgICAgICAgIFRlc3Q6 IGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLXdpdGgtc291cmNlLWRh dGEtdXJsNS5odG1sCisKKyAgICAgICAgKiBodG1sL3BhcnNlci9YU1NBdWRpdG9yLmNwcDoKKyAg ICAgICAgKFdlYkNvcmU6OnRydW5jYXRlRm9yU3JjTGlrZUF0dHJpYnV0ZSk6CisKKzIwMTYtMDkt MTMgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgorCiAgICAgICAgIFtYU1MgQXVk aXRvcl0gVHJ1bmNhdGUgZGF0YSBVUkxzIGF0IHF1b3RlcwogICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTYxOTM3CiAKZGlmZiAtLWdpdCBhL1NvdXJjZS9X ZWJDb3JlL2h0bWwvcGFyc2VyL1hTU0F1ZGl0b3IuY3BwIGIvU291cmNlL1dlYkNvcmUvaHRtbC9w YXJzZXIvWFNTQXVkaXRvci5jcHAKaW5kZXggZDlhZmZmNGYwMjAwOGQxMDlmOTc1MmEwNmY5YmNj ZGVmZjM2ZTMyYi4uZjMxNGRkNDM4M2Q1MjBmN2E4NGU3Yzc5YzBiMzdjYWFkM2EyYzYwMSAxMDA2 NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvaHRtbC9wYXJzZXIvWFNTQXVkaXRvci5jcHAKKysrIGIv U291cmNlL1dlYkNvcmUvaHRtbC9wYXJzZXIvWFNTQXVkaXRvci5jcHAKQEAgLTE4MiwxNSArMTgy LDE4IEBAIHN0YXRpYyB2b2lkIHRydW5jYXRlRm9yU3JjTGlrZUF0dHJpYnV0ZShTdHJpbmcmIGRl Y29kZWRTbmlwcGV0KQogICAgIC8vIHRoZSBmaXJzdCBjb21tYSwgYW5kIHRoZSBmaXJzdCAvKiwg Ly8sIG9yIDwhLS0gbWF5IGludHJvZHVjZSBhIGNvbW1lbnQuIEFsc28KICAgICAvLyBkYXRhIFVS THMgbWF5IHVzZSB0aGUgc2FtZSBzdHJpbmcgbGl0ZXJhbCB0cmlja3MgYXMgd2l0aCBzY3JpcHQg Y29udGVudCBpdHNlbGYuCiAgICAgLy8gSW4gZWl0aGVyIGNhc2UsIGNvbnRlbnQgZm9sbG93aW5n IHRoaXMgbWF5IGNvbWUgZnJvbSB0aGUgcGFnZSBhbmQgbWF5IGJlIGlnbm9yZWQKLSAgICAvLyB3 aGVuIHRoZSBzY3JpcHQgaXMgZXhlY3V0ZWQuCi0gICAgLy8gRm9yIHNpbXBsaWNpdHksIHdlIGRv bid0IGRpZmZlcmVudGlhdGUgYmFzZWQgb24gVVJMIHNjaGVtZSwgYW5kIHN0b3AgYXQKKyAgICAv LyB3aGVuIHRoZSBzY3JpcHQgaXMgZXhlY3V0ZWQuIEFsc28sIGFueSBvZiB0aGVzZSBjaGFyYWN0 ZXJzIG1heSBub3cgYmUgcmVwcmVzZW50ZWQKKyAgICAvLyBieSB0aGUgKGVubGFyZ2VkKSBzZXQg b2YgSFRNTDUgZW50aXRpZXMuCisgICAgLy8gRm9yIHNpbXBsaWNpdHksIHdlIGRvbid0IGRpZmZl cmVudGlhdGUgYmFzZWQgb24gVVJMIHNjaGVtZSwgYW5kIHN0b3AgYXQgdGhlIGZpcnN0CisgICAg Ly8gJiAoc2luY2UgaXQgbWlnaHQgYmUgcGFydCBvZiBhbiBlbnRpdHkgZm9yIGFueSBvZiB0aGUg c3Vic2VxdWVudCBwdW5jdHVhdGlvbikKICAgICAvLyB0aGUgZmlyc3QgIyBvciA/LCB0aGUgdGhp cmQgc2xhc2gsIG9yIHRoZSBmaXJzdCBzbGFzaCwgPCwgJywgb3IgIiBvbmNlIGEgY29tbWEKICAg ICAvLyBpcyBzZWVuLgogICAgIGludCBzbGFzaENvdW50ID0gMDsKICAgICBib29sIGNvbW1hU2Vl biA9IGZhbHNlOwogICAgIGZvciAoc2l6ZV90IGN1cnJlbnRMZW5ndGggPSAwOyBjdXJyZW50TGVu Z3RoIDwgZGVjb2RlZFNuaXBwZXQubGVuZ3RoKCk7ICsrY3VycmVudExlbmd0aCkgewogICAgICAg ICBVQ2hhciBjdXJyZW50Q2hhciA9IGRlY29kZWRTbmlwcGV0W2N1cnJlbnRMZW5ndGhdOwotICAg ICAgICBpZiAoY3VycmVudENoYXIgPT0gJz8nCisgICAgICAgIGlmIChjdXJyZW50Q2hhciA9PSAn JicKKyAgICAgICAgICAgIHx8IGN1cnJlbnRDaGFyID09ICc/JwogICAgICAgICAgICAgfHwgY3Vy cmVudENoYXIgPT0gJyMnCiAgICAgICAgICAgICB8fCAoKGN1cnJlbnRDaGFyID09ICcvJyB8fCBj dXJyZW50Q2hhciA9PSAnXFwnKSAmJiAoY29tbWFTZWVuIHx8ICsrc2xhc2hDb3VudCA+IDIpKQog ICAgICAgICAgICAgfHwgKGN1cnJlbnRDaGFyID09ICc8JyAmJiBjb21tYVNlZW4pCmRpZmYgLS1n aXQgYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKaW5kZXgg YzMyOTMyNTIyZjFmYTNkYWQ3NGViNTdhMTkxYTQwMzM5ZGVkMDVjZi4uMzc4YzM1Mzc2NThlNDY5 OWM2YzMzZTFiZDFkOWM3MmJlMmQwNjFmNCAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvQ2hhbmdl TG9nCisrKyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDE2IEBACiAyMDE2LTA5 LTEzICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KIAorICAgICAgICBbWFNTIEF1 ZGl0b3JdIEhUTUw1IGVudGl0aWVzIGNhbiBieXBhc3MgWFNTIEF1ZGl0b3IKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE2MTkzOQorICAgICAgICA8cmRh cjovL3Byb2JsZW0vMjU4MTk4MTU+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BT ISkuCisKKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRh Zy13aXRoLXNvdXJjZS1kYXRhLXVybDUtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBo dHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1kYXRh LXVybDUuaHRtbDogQWRkZWQuCisKKzIwMTYtMDktMTMgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNA YXBwbGUuY29tPgorCiAgICAgICAgIFtYU1MgQXVkaXRvcl0gVHJ1bmNhdGUgZGF0YSBVUkxzIGF0 IHF1b3RlcwogICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTYxOTM3CiAKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNz QXVkaXRvci9zY3JpcHQtdGFnLXdpdGgtc291cmNlLWRhdGEtdXJsNS1leHBlY3RlZC50eHQgYi9M YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRo LXNvdXJjZS1kYXRhLXVybDUtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4 IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjE3NjlkZTNkZjBiN2M1 MGNkMTc4ZTk1MzllOTVhNjljODc4NDA2MDcKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0 cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1k YXRhLXVybDUtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsMiBAQAorQ09OU09MRSBNRVNTQUdFOiBs aW5lIDM6IFRoZSBYU1MgQXVkaXRvciByZWZ1c2VkIHRvIGV4ZWN1dGUgYSBzY3JpcHQgaW4gJ2h0 dHA6Ly9sb2NhbGhvc3Q6ODAwMC9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9lY2hvLXBy b3BlcnR5LnBsP3E9JTIyJTNFJTNDc2NyaXB0JTIwc3JjJTNkZGF0YTolMjZjb21tYSUzYmFsZXJ0 KDEpJTNiJTIyJyBiZWNhdXNlIGl0cyBzb3VyY2UgY29kZSB3YXMgZm91bmQgd2l0aGluIHRoZSBy ZXF1ZXN0LiBUaGUgYXVkaXRvciB3YXMgZW5hYmxlZCBiZWNhdXNlIHRoZSBzZXJ2ZXIgZGlkIG5v dCBzZW5kIGFuICdYLVhTUy1Qcm90ZWN0aW9uJyBoZWFkZXIuCisKZGlmZiAtLWdpdCBhL0xheW91 dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLXdpdGgtc291 cmNlLWRhdGEtdXJsNS5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NB dWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2UtZGF0YS11cmw1Lmh0bWwKbmV3IGZpbGUgbW9k ZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4u YmFmOWFiMjdlM2M3ZTAxYjkzZTE3NWY4NGMwMDE4ZWExNDIyYzljZAotLS0gL2Rldi9udWxsCisr KyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFn LXdpdGgtc291cmNlLWRhdGEtdXJsNS5odG1sCkBAIC0wLDAgKzEsMTUgQEAKKzwhRE9DVFlQRSBo dG1sPgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAod2luZG93LnRlc3RSdW5uZXIpIHsK KyAgdGVzdFJ1bm5lci5kdW1wQXNUZXh0KCk7CisgIHRlc3RSdW5uZXIuc2V0WFNTQXVkaXRvckVu YWJsZWQodHJ1ZSk7Cit9Cis8L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorPGlmcmFtZSBzcmM9 Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9lY2hv LXByb3BlcnR5LnBsP3E9JTIyPjxzY3JpcHQgc3JjJTNkZGF0YTolMjZjb21tYSUzYmFsZXJ0KDEp JTNiJTIyIj4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgo=