Summary: | Web Inspector: render XHRs matching JSON regex as JSON.
---|---
Product: | WebKit
Component: | Web Inspector (Deprecated)
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
Version: | 528+ (Nightly build)
Hardware: | All
OS: | All
Reporter: | Pavel Feldman <pfeldman>
Assignee: | Nobody <webkit-unassigned>
CC: | apavlov, bweinstein, joepeck, keishi, loislo, pfeldman, pmuellr, rik, timothy, yurys
Description
Pavel Feldman
2011-03-24 10:28:27 PDT
Created attachment 86794 [details]
[IMAGE] Screenshot with patch applied.
Created attachment 86798 [details]
Patch
Comment on attachment 86798 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=86798&action=review

> Source/WebCore/inspector/front-end/RemoteObject.js:219
> + buffer += ", ";

Why not use Array.join instead?

> Source/WebCore/inspector/front-end/ResourceJSONView.js:41
> + var start = /[{[]/.exec(text);

I vaguely recall that it's not uncommon to use a sequence of all kinds of brackets instead of while(1) to prevent XSS in this case. I don't remember details though and in particular whether the brackets should be opening or closing ones, you may want to double check.

> Source/WebCore/inspector/front-end/ResourceJSONView.js:42
> + if (start && start.index)

Can it be a valid JSON string if it contains neither { nor [ ?

> I vaguely recall that it's not uncommon to use a sequence of all kinds of brackets instead of while(1) to prevent XSS in this case. I don't remember details though and in particular whether the brackets should be opening or closing ones, you may want to double check.

I did check, they prepend closing brackets.

> > Source/WebCore/inspector/front-end/ResourceJSONView.js:42
> > + if (start && start.index)
> >
> > Can it be a valid JSON string if it contains neither { nor [ ?

Sure, it can be a string or a number.

Committed r81878: <http://trac.webkit.org/changeset/81878>
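
Review bot: in ResourceJSONView.js:42, `if (start && start.index)` is false both when no bracket is found and when the first bracket sits at index 0, so "no match" and "nothing to strip" take the same path without the code saying so. If that is the intent, `start.index > 0` or a short comment would make it explicit. On line 41, the bare `[` inside the character class of `/[{[]/` is valid but easy to misread; `/[{\[]/` reads more clearly.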
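
The prefix handling discussed in this thread, as an added JavaScript example that is not WebKit's code: it parses a response body that may carry a guard prefix (`while(1);` or closing brackets) and also accepts a bare string or number. The function name, the return shape and the `maxPrefix` limit are assumptions, and trying every opening bracket rather than only the first goes beyond what the thread describes.

```javascript
// Added example, not WebKit's code. parseGuardedJSON, its return shape and
// the maxPrefix limit are hypothetical choices made for this illustration.
function parseGuardedJSON(text, maxPrefix = 32) {
  // JSON.parse only: neither the guard prefix nor the payload is ever evaluated.
  const tryParse = (s) => {
    try {
      return { ok: true, value: JSON.parse(s) };
    } catch (e) {
      return { ok: false };
    }
  };

  // Unprefixed body first. This also covers a bare string or number,
  // which is valid JSON but contains neither "{" nor "[".
  const whole = tryParse(text);
  if (whole.ok) return { prefix: "", value: whole.value };

  // Then try each "{" or "[" as the start of the payload, nearest first,
  // giving up once the would-be prefix is longer than maxPrefix.
  const opener = /[{\[]/g;
  let m;
  while ((m = opener.exec(text)) !== null && m.index <= maxPrefix) {
    if (m.index === 0) continue; // already tried as the whole body
    const rest = tryParse(text.slice(m.index));
    if (rest.ok) return { prefix: text.slice(0, m.index), value: rest.value };
  }
  return null; // not JSON, with or without a short prefix
}

// Constructed sample bodies.
const samples = [
  'while(1);{"user":"alice"}',
  ")]}'\n[1,2,3]",
  '"just a string"',
  "42",
  "<html><body>{not json}</body></html>",
];
for (const body of samples) {
  console.log(JSON.stringify(body), "->", JSON.stringify(parseGuardedJSON(body)));
}
```

The length limit keeps ordinary text that happens to contain a bracketed fragment far into the body from being displayed as JSON.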