WebKit Bugzilla
RESOLVED FIXED
193155
Parsed protocol of javascript URLs with embedded newlines and carriage returns do not match parsed protocol in Chrome and Firefox
https://bugs.webkit.org/show_bug.cgi?id=193155
Reported by Daniel Bates, 2019-01-04 13:19:51 PST
Created attachment 358355: Test
Behavior of URLUtils.protocol() for some JavaScript URLs disagrees with the behavior in Chrome version 71.0.3578.98 and Firefox version 64.0. For instance, the URLUtils.protocol() for "javascript://:%0aalert(2)" and "javascript://:%0dalert(3)" returns ":" instead of "javascript:". See attached test case.
Attachments
Test (119 bytes, text/html), 2019-01-04 13:19 PST, Daniel Bates, no flags
Patch (4.33 KB, patch), 2019-01-04 14:24 PST, Brent Fulgham, no flags
Patch for landing (5.05 KB, patch), 2019-01-04 14:52 PST, Brent Fulgham, no flags
Comment 1, Chris Dumez, 2019-01-04 13:22:13 PST
https://html.spec.whatwg.org/multipage/links.html#htmlhyperlinkelementutils
Comment 2, Chris Dumez, 2019-01-04 13:22:48 PST
URLUtils is our implementation of https://html.spec.whatwg.org/multipage/links.html#htmlhyperlinkelementutils which relies on URL parsing.
Comment 3, Chris Dumez, 2019-01-04 13:56:35 PST
diff --git a/Source/WebCore/html/URLUtils.h b/Source/WebCore/html/URLUtils.h index 3a8d5413f93..a957910aacd 100644 --- a/Source/WebCore/html/URLUtils.h +++ b/Source/WebCore/html/URLUtils.h @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const template <typename T> String URLUtils<T>::protocol() const { + if (WTF::protocolIsJavaScript(url)) + return "javascript:"_s; return makeString(href().protocol(), ':'); } ?
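Review bot: the new check passes `url` to `WTF::protocolIsJavaScript`, but nothing else in this function refers to `url`; the existing return line goes through `href()`, so the check should read `WTF::protocolIsJavaScript(href())` so that it tests the same URL the getter otherwise reports on.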
Comment 4, Chris Dumez, 2019-01-04 13:57:16 PST
(In reply to Chris Dumez from comment #3)
> diff --git a/Source/WebCore/html/URLUtils.h b/Source/WebCore/html/URLUtils.h > index 3a8d5413f93..a957910aacd 100644 > --- a/Source/WebCore/html/URLUtils.h > +++ b/Source/WebCore/html/URLUtils.h > @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const > template <typename T> > String URLUtils<T>::protocol() const > { > + if (WTF::protocolIsJavaScript(url)) > + return "javascript:"_s; > return makeString(href().protocol(), ':'); > } > > ?
Meant: --- a/Source/WebCore/html/URLUtils.h +++ b/Source/WebCore/html/URLUtils.h @@ -90,6 +90,8 @@ String URLUtils<T>::origin() const template <typename T> String URLUtils<T>::protocol() const { + if (WTF::protocolIsJavaScript(href())) + return "javascript:"_s; return makeString(href().protocol(), ':'); }
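Review bot: with the early return placed before `makeString(href().protocol(), ':')`, any href that `WTF::protocolIsJavaScript(href())` accepts now yields the literal `javascript:` regardless of how the rest of the URL parsed, which is the Chrome/Firefox behaviour the summary asks for; the layout test should cover both the `%0a` and `%0d` inputs from the report and confirm the script still executes, since a filter keyed on this getter previously saw `:` for them.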
Comment 5, Brent Fulgham, 2019-01-04 14:23:51 PST
<rdar://problem/40230982>
Comment 6, Brent Fulgham, 2019-01-04 14:24:54 PST
Created attachment 358371: Patch
Comment 7, Chris Dumez, 2019-01-04 14:27:28 PST
Comment on attachment 358371: Patch
r=me if the bots are happy. Note that it'd be nice if the test checked that the javascript ran without the filter.
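The report and comment 7 together describe the practical exposure: a link filter keyed on the `protocol` getter sees `:` for these URLs while navigation still runs the script. The following is an added example, not the attached test case and not WebKit code; it assumes Node's WHATWG `URL` class as a stand-in for a getter-based parse (a parse failure is mapped to `:` to mirror what the reporter observed) and contrasts it with a scheme check that normalises the raw string the way the URL parser does before reading the scheme.

```javascript
// Added example (not the attachment or WebKit code). Compares a scheme check
// that trusts a parsed `protocol` value with one that looks at the raw string.

// Getter-style check: when the parse fails there is no scheme to report, so
// return ":" (the value the reporter saw from URLUtils.protocol() in WebKit).
function getterStyleProtocol(href) {
  try {
    return new URL(href).protocol;
  } catch (e) {
    return ':';
  }
}

// Parser-independent check. The WHATWG URL parser strips leading and trailing
// C0 controls/spaces and removes every ASCII tab, LF and CR before it reads the
// scheme, so a filter must normalise the same way or it will disagree with
// what navigation actually does.
function isJavaScriptUrl(href) {
  const stripped = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(stripped);
  return m !== null && m[1].toLowerCase() === 'javascript';
}

// Constructed inputs: the two URLs from the bug report plus three controls.
const SAMPLES = [
  'javascript://:%0aalert(2)',
  'javascript://:%0dalert(3)',
  'javascript:alert(1)',
  '  JavaScript:alert(1)',
  'https://example.invalid/',
];

// Runs both checks over the samples and returns one row per input so the
// divergence (getter says ":" while the scheme is still javascript) is visible.
function checkSamples() {
  return SAMPLES.map((href) => ({
    href,
    getterProtocol: getterStyleProtocol(href),
    isJavaScript: isJavaScriptUrl(href),
  }));
}

console.table(checkSamples());
```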
Comment 8, Brent Fulgham, 2019-01-04 14:52:41 PST
Created attachment 358376: Patch for landing
Comment 9, WebKit Commit Bot, 2019-01-04 15:41:45 PST
The commit-queue encountered the following flaky tests while processing attachment 358376: http/wpt/css/css-animations/start-animation-001.html bug 190903 (authors: dino@apple.com, fred.wang@free.fr, and graouts@apple.com)
The commit-queue is continuing to process your patch.
Comment 10, WebKit Commit Bot, 2019-01-04 15:42:40 PST
Comment on attachment 358376: Patch for landing
Clearing flags on attachment: 358376
Committed r239642: <https://trac.webkit.org/changeset/239642>
Comment 11, WebKit Commit Bot, 2019-01-04 15:42:42 PST
All reviewed patches have been landed. Closing bug.