Originally reported by sirdarckcat at http://code.google.com/p/chromium/issues/detail?id=117329

What steps will reproduce the problem?

1. Go to http://0x.lv/xss.php?html_xss=%3Cscript%20src=%22data:,alert(1)//

A minimized returned page for this looks like:

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<div class="lol">
<script src="data:,alert(1)// <h1>existing page clutter</h1> <script type="text/javascript">x = 2;</script>
</body>
</html>
Created attachment 133323 [details] Testcase
Created attachment 133379 [details] Patch.
Comment on attachment 133379 [details]
Patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=133379&action=review

> Source/WebCore/html/parser/XSSAuditor.cpp:521
> + bool commaSeen;

This is a personal preference, but I think it's better to initialize scalars when they're declared (and then to have an empty first clause in the for statement).

> Source/WebCore/html/parser/XSSAuditor.cpp:530
> if (decodedSnippet[currentLength] == '?' || decodedSnippet[currentLength] == '#'

At this point, I would store decodedSnippet[currentLength] in a local variable.
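Why the reported data: URL slipped past the src-attribute truncation, and how the comma-aware check reviewed above closes the gap, as an added Python model. This is not WebKit's XSSAuditor code: the set of stop characters, the `comma_seen` rule and the request-vs-snippet comparison in `auditor_blocks` are simplified assumptions reconstructed from the report and the review, and the reflected attribute value is constructed from the minimized page.

```python
from urllib.parse import unquote


def truncate_src_like_old(value: str) -> str:
    """Assumed pre-fix behaviour: a src-like attribute is cut only at the
    first '?' or '#', so a data: URL with no query/fragment keeps every
    byte of page clutter that followed the injection point."""
    for i, c in enumerate(value):
        if c in "?#":
            return value[:i]
    return value


def truncate_src_like_fixed(value: str) -> str:
    """Assumed post-fix idea (the commaSeen flag from the review): once the
    comma of a data: URL has been passed, the remainder is script content,
    so also stop at '/' (start of a '//' comment) or '<' (page markup)."""
    comma_seen = False
    for i, c in enumerate(value):
        if c in "?#" or (comma_seen and c in "/<"):
            return value[:i]
        if c == ",":
            comma_seen = True
    return value


def request_reflects_snippet(request_url: str, snippet: str) -> bool:
    """Simplified auditor test: the truncated snippet must appear verbatim in
    the percent-decoded request for the response to count as reflected."""
    return snippet != "" and snippet in unquote(request_url)


def auditor_blocks(request_url: str, attribute_value: str, truncate) -> bool:
    return request_reflects_snippet(request_url, truncate(attribute_value))


# Constructed from the report: the request, and the src attribute value as the
# tokenizer sees it (unterminated quote, so it runs up to the page's next '"').
REQUEST = "http://0x.lv/xss.php?html_xss=%3Cscript%20src=%22data:,alert(1)//"
REFLECTED_SRC = 'data:,alert(1)// <h1>existing page clutter</h1> <script type='
# A constructed benign URL to show the fix still cuts at '?' and nowhere else.
BENIGN_SRC = "https://example.invalid/app.js?v=2"

if __name__ == "__main__":
    print("old rule blocks:", auditor_blocks(REQUEST, REFLECTED_SRC, truncate_src_like_old))
    print("fixed rule blocks:", auditor_blocks(REQUEST, REFLECTED_SRC, truncate_src_like_fixed))
    print("benign snippet:", truncate_src_like_fixed(BENIGN_SRC))
```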
Created attachment 133391 [details] Patch + style nits.
Comment on attachment 133391 [details]
Patch + style nits.

Clearing flags on attachment: 133391

Committed r111808: <http://trac.webkit.org/changeset/111808>
All reviewed patches have been landed. Closing bug.