Created attachment 358355: Test

Behavior of URLUtils.protocol() for some JavaScript URLs disagrees with the behavior in Chrome version 71.0.3578.98 and Firefox version 64.0. For instance, the URLUtils.protocol() for "javascript://:%0aalert(2)" and "javascript://:%0dalert(3)" returns ":" instead of "javascript:". See attached test case.
https://html.spec.whatwg.org/multipage/links.html#htmlhyperlinkelementutils
URLUtils is our implementation of https://html.spec.whatwg.org/multipage/links.html#htmlhyperlinkelementutils which relies on URL parsing.
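As an added example, not code from this bug or from WebKit: a JavaScript model of the protocol getter that comment 2 points at, run against Node's WHATWG URL parser (assumption: a Node runtime that provides `new URL`). `naiveProtocol` follows the HTMLHyperlinkElementUtils algorithm literally (reparse the href; if parsing fails, return ":"); `fixedProtocol` adds the javascript: special case the patch introduces. The `protocolIsJavaScript` helper is an approximation of WTF's function (leading control/space characters skipped, scheme compared case-insensitively), not the real one. The practical point it shows is why ":" matters: a page-side filter that rejects links whose `.protocol` is "javascript:" lets the two hrefs from the report straight through, which is the concern behind the reviewer's request in comment 7 that the test check the script actually runs.

```javascript
// Added example, not code from the bug report or from WebKit. Two models of
// the HTMLHyperlinkElementUtils "protocol" getter, exercised against Node's
// WHATWG URL parser (assumption: a Node runtime that provides `new URL`).

// Spec-literal getter: reparse the href; a failed parse means "url is null",
// for which the spec says to return ":"; otherwise scheme plus ":".
function naiveProtocol(href) {
  let url;
  try {
    url = new URL(href);            // WHATWG URL parse, no base URL
  } catch {
    return ":";                     // "If this's url is null, return ':'"
  }
  return url.protocol;              // URL.protocol already ends in ":"
}

// Approximation of WTF::protocolIsJavaScript (assumption about its exact
// rules): skip leading C0 control and space characters, then compare the
// scheme case-insensitively. It never parses the remainder of the URL.
function protocolIsJavaScript(href) {
  let i = 0;
  while (i < href.length && href.charCodeAt(i) <= 0x20) i++;
  return href.slice(i, i + "javascript:".length).toLowerCase() === "javascript:";
}

// Getter with the special case from the fix: any javascript: href reports
// "javascript:" whether or not the rest of it survives URL parsing.
function fixedProtocol(href) {
  if (protocolIsJavaScript(href)) return "javascript:";
  return naiveProtocol(href);
}

// A page-side "block javascript: links" filter of the kind .protocol is
// commonly used for; `protocolGetter` stands in for the engine's getter.
function filterAllows(protocolGetter, href) {
  return protocolGetter(href) !== "javascript:";
}

// Constructed inputs: the three hrefs from the bug report plus two controls.
const SAMPLES = [
  "javascript:alert(1)",        // opaque path: parses fine, scheme "javascript"
  "javascript://:%0aalert(2)",  // "//" then ":" with an empty host: WHATWG host-missing failure
  "javascript://:%0dalert(3)",  // same shape
  "http://example.com/",        // ordinary URL
  "http://:80",                 // empty host before a port: failure for any scheme
];

// One row per sample: what each getter reports and whether the naive
// filter would have let the link through.
function compare() {
  return SAMPLES.map((href) => ({
    href,
    naive: naiveProtocol(href),
    fixed: fixedProtocol(href),
    naiveFilterAllows: filterAllows(naiveProtocol, href),
  }));
}

console.table(compare());
```

The two bug inputs fail WHATWG parsing in the host state (a ":" with an empty host buffer is a host-missing failure), so the spec-literal getter reports ":" for them while `filterAllows` waves them through; the special case restores "javascript:" without caring whether the remainder parses, which is exactly what the one-line early return in the patch does.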
diff --git a/Source/WebCore/html/URLUtils.h b/Source/WebCore/html/URLUtils.h index 3a8d5413f93..a957910aacd 100644 --- a/Source/WebCore/html/URLUtils.h +++ b/Source/WebCore/html/URLUtils.h @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const template <typename T> String URLUtils<T>::protocol() const { + if (WTF::protocolIsJavaScript(url)) + return "javascript:"_s; return makeString(href().protocol(), ':'); } ?
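Review bot: `url` in the added check `WTF::protocolIsJavaScript(url)` is not a name this function otherwise uses; the existing return line reads `href().protocol()`, so the check should be `if (WTF::protocolIsJavaScript(href()))` or it will not build against the same string the getter is computing from. Once that is fixed, a short comment above the `if` saying why javascript: hrefs bypass `href().protocol()` (the rest of such an href need not parse as a URL, yet the getter must still report `javascript:`) would keep a later reader from removing the early return as redundant.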
(In reply to Chris Dumez from comment #3) > diff --git a/Source/WebCore/html/URLUtils.h b/Source/WebCore/html/URLUtils.h > index 3a8d5413f93..a957910aacd 100644 > --- a/Source/WebCore/html/URLUtils.h > +++ b/Source/WebCore/html/URLUtils.h > @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const > template <typename T> > String URLUtils<T>::protocol() const > { > + if (WTF::protocolIsJavaScript(url)) > + return "javascript:"_s; > return makeString(href().protocol(), ':'); > } > > ? Meant: --- a/Source/WebCore/html/URLUtils.h +++ b/Source/WebCore/html/URLUtils.h @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const template <typename T> String URLUtils<T>::protocol() const { + if (WTF::protocolIsJavaScript(href())) + return "javascript:"_s; return makeString(href().protocol(), ':'); }
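Review bot: with `href()` in place the early return handles the report's inputs (`javascript://:%0aalert(2)`, `javascript://:%0dalert(3)`) without depending on whatever `href().protocol()` yields for them, which is the intended effect; the layout test should assert `javascript:` for both of those hrefs and not only for a plain `javascript:alert(1)`, since the plain form already took the `makeString(href().protocol(), ':')` path correctly and would not catch a regression of this special case.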
<rdar://problem/40230982>
Created attachment 358371: Patch
Comment on attachment 358371 (Patch): r=me if the bots are happy. Note that it'd be nice if the test checked that the javascript ran without the filter.
Created attachment 358376: Patch for landing
The commit-queue encountered the following flaky tests while processing attachment 358376: http/wpt/css/css-animations/start-animation-001.html bug 190903 (authors: dino@apple.com, fred.wang@free.fr, and graouts@apple.com). The commit-queue is continuing to process your patch.
Comment on attachment 358376 (Patch for landing): Clearing flags on attachment: 358376. Committed r239642: <https://trac.webkit.org/changeset/239642>
All reviewed patches have been landed. Closing bug.