| Field | Value |
|---|---|
| Summary | [XSSAuditor] Reduce false positives by checking for illegal URI characters |
| Product | WebKit |
| Reporter | Daniel Bates <dbates> |
| Component | WebCore Misc. |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| CC | abarth, sam |
| Priority | P2 |
| Keywords | XSSAuditor |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Attachments | attachment 40415: Patch with test cases and rebased test cases |
Description
Daniel Bates
2009-09-30 18:06:07 PDT
Created attachment 40415 [details]
Patch with test cases and rebased test cases
Also includes a minor formatting change.
Comment on attachment 40415 [details]
Patch with test cases and rebased test cases
Great. Thanks Dan.
Committed r48961: <http://trac.webkit.org/changeset/48961> (In reply to comment #0) > [...] > With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update. See bug #127853. |