54590 2011-02-16 14:47:36 -0800 Fix xssAuditor/form-action.html 2011-02-17 12:28:36 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Other OS X 10.5 RESOLVED FIXED P2 Normal --- 1 abarth abarth ap commit-queue dbates eric oldest_to_newest 352374 0 abarth 2011-02-16 14:47:36 -0800 Fix xssAuditor/form-action.html 352376 1 82703 abarth 2011-02-16 14:49:06 -0800 Created attachment 82703 Patch 352381 2 82703 eric 2011-02-16 14:51:53 -0800 Comment on attachment 82703 Patch That diff looks strange due to the file previously being empty. But looks good. 352558 3 82703 commit-queue 2011-02-16 20:01:14 -0800 Comment on attachment 82703 Patch Clearing flags on attachment: 82703 Committed r78780: <http://trac.webkit.org/changeset/78780> 352559 4 commit-queue 2011-02-16 20:01:19 -0800 All reviewed patches have been landed. Closing bug. 353024 5 ap 2011-02-17 10:54:55 -0800 + We should block form actions. Although this technically can't be used + to run script, it's a pretty easy vector for stealing passwords. Doesn't the error message get too confusing then? +CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request. 353084 6 abarth 2011-02-17 12:28:36 -0800 Yep. We should tailor the error message to what was blocked. 82703 2011-02-16 14:49:06 -0800 2011-02-16 20:01:14 -0800 Patch bug-54590-20110216144905.patch text/plain 3857 abarth U3VidmVyc2lvbiBSZXZpc2lvbjogNzg3MjUKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5n ZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCAzODg1NGNiYmZkNmQ5OWI1MzUzZDc0 ZWM1ZGY1ZTQ2MjE4Y2I0MjM3Li5hOTVmODM3ZDQ5N2U5YWU4NzNlMWQ0NGJkYzhjZmZmOThhNjRj NjY5IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCkBAIC0yLDYgKzIsMTcgQEAKIAogICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KIAorICAgICAgICBGaXggeHNzQXVkaXRvci9mb3JtLWFjdGlvbi5odG1sCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD01NDU5MAorCisgICAg ICAgIFVwZGF0ZSBleHBlY3RlZCByZXN1bHRzIHRvIHNob3cgdGhhdCB3ZSBwYXNzLgorCisgICAg ICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2Zvcm0tYWN0aW9uLWV4cGVjdGVk LnR4dDoKKworMjAxMS0wMi0xNiAgQWRhbSBCYXJ0aCAgPGFiYXJ0aEB3ZWJraXQub3JnPgorCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCiAgICAgICAgIEltcG9ydCBYU1NB dWRpdG9yIHRlc3RzIGZyb20gRGF2aWQgUm9zcwogICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NTQ1NzYKIApkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2Zvcm0tYWN0aW9uLWV4cGVjdGVkLnR4dCBiL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9mb3JtLWFjdGlvbi1leHBl Y3RlZC50eHQKaW5kZXggOGIxMzc4OTE3OTFmZTk2OTI3YWQ3OGU2NGIwYWFkN2JkZWQwOGJkYy4u NTEzZTJmOGQwM2Y3NDIwM2EzNWUwYmVlZDFmZDQzYjQzMjkyZGMyZiAxMDA2NDQKLS0tIGEvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2Zvcm0tYWN0aW9uLWV4cGVj dGVkLnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Iv Zm9ybS1hY3Rpb24tZXhwZWN0ZWQudHh0CkBAIC0xICsxLDMgQEAKK0NPTlNPTEUgTUVTU0FHRTog bGluZSAxOiBSZWZ1c2VkIHRvIGV4ZWN1dGUgYSBKYXZhU2NyaXB0IHNjcmlwdC4gU291cmNlIGNv ZGUgb2Ygc2NyaXB0IGZvdW5kIHdpdGhpbiByZXF1ZXN0LgorCiAKZGlmZiAtLWdpdCBhL1NvdXJj ZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCAyZjRl Yjk1YmFjMTNmYzc1ZGEyNjg3YjdkMjc1ZmZhMjhhNTRiYjdiLi44NWQ0NDUyYzU2NTQwZWQzNGYw Y2FiMWIyY2MzNmVlNTY3MGQyM2E4IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VM b2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTggQEAKKzIwMTEt MDItMTYgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGaXggeHNzQXVkaXRvci9mb3JtLWFjdGlv bi5odG1sCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD01 NDU5MAorCisgICAgICAgIFdlIHNob3VsZCBibG9jayBmb3JtIGFjdGlvbnMuICBBbHRob3VnaCB0 aGlzIHRlY2huaWNhbGx5IGNhbid0IGJlIHVzZWQKKyAgICAgICAgdG8gcnVuIHNjcmlwdCwgaXQn cyBhIHByZXR0eSBlYXN5IHZlY3RvciBmb3Igc3RlYWxpbmcgcGFzc3dvcmRzLgorCisgICAgICAg ICogaHRtbC9wYXJzZXIvWFNTRmlsdGVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlhTU0ZpbHRl cjo6ZmlsdGVyVG9rZW5Jbml0aWFsKToKKyAgICAgICAgKFdlYkNvcmU6OlhTU0ZpbHRlcjo6Zmls dGVyRm9ybVRva2VuKToKKyAgICAgICAgKiBodG1sL3BhcnNlci9YU1NGaWx0ZXIuaDoKKwogMjAx MS0wMi0xNiAgSGFucyBXZW5uYm9yZyAgPGhhbnNAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJl dmlld2VkIGJ5IEplcmVteSBPcmxvdy4KZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2h0bWwv cGFyc2VyL1hTU0ZpbHRlci5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9YU1NGaWx0 ZXIuY3BwCmluZGV4IGRlMzFmNzYzMzRjYTBiM2E0NzlmZjEzNjgxZmM1Mzc4YzNlN2VlN2YuLmQ3 ODYxNWNkNTMwMGViZGU0Nzg0OTY1NTc4YTlkMjU0Yjc4NTJlOTEgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL2h0bWwvcGFyc2VyL1hTU0ZpbHRlci5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUv aHRtbC9wYXJzZXIvWFNTRmlsdGVyLmNwcApAQCAtMjQ5LDYgKzI0OSw4IEBAIGJvb2wgWFNTRmls dGVyOjpmaWx0ZXJUb2tlbkluaXRpYWwoSFRNTFRva2VuJiB0b2tlbikKICAgICAgICAgZGlkQmxv Y2tTY3JpcHQgfD0gZmlsdGVyTWV0YVRva2VuKHRva2VuKTsKICAgICBlbHNlIGlmIChoYXNOYW1l KHRva2VuLCBiYXNlVGFnKSkKICAgICAgICAgZGlkQmxvY2tTY3JpcHQgfD0gZmlsdGVyQmFzZVRv a2VuKHRva2VuKTsKKyAgICBlbHNlIGlmIChoYXNOYW1lKHRva2VuLCBmb3JtVGFnKSkKKyAgICAg ICAgZGlkQmxvY2tTY3JpcHQgfD0gZmlsdGVyRm9ybVRva2VuKHRva2VuKTsKIAogICAgIHJldHVy biBkaWRCbG9ja1NjcmlwdDsKIH0KQEAgLTM2OSw2ICszNzEsMTUgQEAgYm9vbCBYU1NGaWx0ZXI6 OmZpbHRlckJhc2VUb2tlbihIVE1MVG9rZW4mIHRva2VuKQogICAgIHJldHVybiBlcmFzZUF0dHJp YnV0ZUlmSW5qZWN0ZWQodG9rZW4sIGhyZWZBdHRyKTsKIH0KIAorYm9vbCBYU1NGaWx0ZXI6OmZp bHRlckZvcm1Ub2tlbihIVE1MVG9rZW4mIHRva2VuKQoreworICAgIEFTU0VSVChtX3N0YXRlID09 IEluaXRpYWwpOworICAgIEFTU0VSVCh0b2tlbi50eXBlKCkgPT0gSFRNTFRva2VuOjpTdGFydFRh Zyk7CisgICAgQVNTRVJUKGhhc05hbWUodG9rZW4sIGZvcm1UYWcpKTsKKworICAgIHJldHVybiBl cmFzZUF0dHJpYnV0ZUlmSW5qZWN0ZWQodG9rZW4sIGFjdGlvbkF0dHIpOworfQorCiBib29sIFhT U0ZpbHRlcjo6ZXJhc2VEYW5nZXJvdXNBdHRyaWJ1dGVzSWZJbmplY3RlZChIVE1MVG9rZW4mIHRv a2VuKQogewogICAgIERFRklORV9TVEFUSUNfTE9DQUwoU3RyaW5nLCBzYWZlSmF2YVNjcmlwdFVS TCwgKCJqYXZhc2NyaXB0OnZvaWQoMCkiKSk7CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9o dG1sL3BhcnNlci9YU1NGaWx0ZXIuaCBiL1NvdXJjZS9XZWJDb3JlL2h0bWwvcGFyc2VyL1hTU0Zp bHRlci5oCmluZGV4IDJjN2Q0Mjg4NWQ5NjM2NzA5Zjc4ODdiMjk0NGRhMTRmYzZiYWFjY2UuLjUx OWE3MTQ5NDY4NTVhMjA4NjMxOTRkZGZkOGI1ZmYxMzc1YTVlMTIgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL2h0bWwvcGFyc2VyL1hTU0ZpbHRlci5oCisrKyBiL1NvdXJjZS9XZWJDb3JlL2h0 bWwvcGFyc2VyL1hTU0ZpbHRlci5oCkBAIC02MCw2ICs2MCw3IEBAIHByaXZhdGU6CiAgICAgYm9v bCBmaWx0ZXJBcHBsZXRUb2tlbihIVE1MVG9rZW4mKTsKICAgICBib29sIGZpbHRlck1ldGFUb2tl bihIVE1MVG9rZW4mKTsKICAgICBib29sIGZpbHRlckJhc2VUb2tlbihIVE1MVG9rZW4mKTsKKyAg ICBib29sIGZpbHRlckZvcm1Ub2tlbihIVE1MVG9rZW4mKTsKIAogICAgIGJvb2wgZXJhc2VEYW5n ZXJvdXNBdHRyaWJ1dGVzSWZJbmplY3RlZChIVE1MVG9rZW4mKTsKICAgICBib29sIGVyYXNlQXR0 cmlidXRlSWZJbmplY3RlZChIVE1MVG9rZW4mLCBjb25zdCBRdWFsaWZpZWROYW1lJiwgY29uc3Qg U3RyaW5nJiByZXBsYWNlbWVudFZhbHVlID0gU3RyaW5nKCkpOwo=