Created attachment 31912 [details] Initial patch for false negatives with tests Resolves issues with HTML entities, scheme relative paths, and iFrame JavaScript URLs. Fix for the HTTP-Equiv UTF-7 forthcoming.

In general, we shouldn't be duplicating code from other source files. You should modify the other files to expose the functions you need in their header files. For example, fixUpChar could be moved to HTMLTokenizer.h (and possibly renamed) and similarly hexDigitValue. I also wish we didn't have to write our own XSSAuditor::decodeURLHTMLEntities. Does this function not exist elsewhere? If not, we should add it to the right file instead of adding it to the auditor directly. Also for XSSAuditor::findInRequest, we should only search the parent frame if the current frame's URL is about:blank. That should cover the <iframe src="javascript:..."> case. Finally, we should do the XSS_AUDITOR_PAGE_HEADERS work in a separate bug / patch because it's not related to these false negatives.

I will clean up the patch. I could not find an equivalent function to XSSAuditor::decodeURLHTMLEntities. (In reply to comment #2) > In general, we shouldn't be duplicating code from other source files. You > should modify the other files to expose the functions you need in their header > files. For example, fixUpChar could be moved to HTMLTokenizer.h (and possibly > renamed) and similarly hexDigitValue. > > I also wish we didn't have to write our own XSSAuditor::decodeURLHTMLEntities. > Does this function not exist elsewhere? If not, we should add it to the right > file instead of adding it to the auditor directly. Also for > XSSAuditor::findInRequest, we should only search the parent frame if the > current frame's URL is about:blank. That should cover the <iframe > src="javascript:..."> case. > > Finally, we should do the XSS_AUDITOR_PAGE_HEADERS work in a separate bug / > patch because it's not related to these false negatives. >

Created attachment 31972 [details] Updated patch with tests. Cleaned up patch. Fixed HTTP-Equiv UTF-7. I was not sure where to move the method XSSAuditor::decodeHTMLEntities (formally named decodeURLHTMLEntities). Any suggestions?

Created attachment 31973 [details] Updated patch with tests. Removed extraneous header: HTTPHeaderMap.h

Comment on attachment 31973 [details] Updated patch with tests. This looks great except for the HTML entities part. That code really shouldn't be in the XSSAuditor. It should be shared with the parser. Can you post a version of the patch without the HTML entities fix? That way we can get the other issues squared away and focus on the right HTML entities patch.

Created attachment 31978 [details] Patch without HTML entities support Removed support for HTML entities.

Comment on attachment 31978 [details] Patch without HTML entities support Thanks Dan. This looks great. There are some lines with trailing white space, but I'll fix them when I land the patch.

Will land.

I tweaked the patch slightly before landing. There isn't any need to store m_parentFrame because you can always get it from m_frame->tree()->parent(). Sending LayoutTests/ChangeLog Adding LayoutTests/http/tests/security/xssAuditor/http-equiv-utf-7-encoded-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/http-equiv-utf-7-encoded.html Adding LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url.html Adding LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-default-encode.pl Adding LayoutTests/http/tests/security/xssAuditor/script-tag-utf-7-encoded-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/script-tag-utf-7-encoded.html Adding LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme.html Sending WebCore/ChangeLog Sending WebCore/html/HTMLTokenizer.cpp Sending WebCore/page/XSSAuditor.cpp Sending WebCore/page/XSSAuditor.h Sending WebCore/platform/network/ResourceResponseBase.cpp Sending WebCore/platform/network/ResourceResponseBase.h Transmitting file data ................ Committed revision 45312.