XSSAuditor: handle partial closing script tag

Bug: 742459 Change-Id: I228bccccb3f094e60a45dc3b9e8267c580f3d750 Reviewed-on: https://chromium-review.googlesource.com/571018Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#486826}

XSSAuditor: handle partial closing script tag
Bug: 742459 Change-Id: I228bccccb3f094e60a45dc3b9e8267c580f3d750 Reviewed-on: https://chromium-review.googlesource.com/571018Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#486826}
2a6689f9 · Tom Sepez · Commit Bot · 6ec16c86 · 2a6689f9 · 2a6689f9
Commit 2a6689f9 authored Jul 14, 2017 by Tom Sepez Committed by Commit Bot Jul 14, 2017
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-partial-close-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-partial-close-expected.txt
+CONSOLE ERROR: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(1)%3C/script&clutter=%20' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-partial-close.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-partial-close.html
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script>alert(1)</script&clutter=%20">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -135,6 +135,15 @@ static bool StartsOpeningScriptTagAt(const String& string, size_t start) {
                                script);
 }

+static bool StartsClosingScriptTagAt(const String& string, size_t start) {
+  if (start + 7 >= string.length())
+    return false;
+  // TODO(esprehn): StringView should probably have startsWith.
+  StringView script("</script");
+  return EqualIgnoringASCIICase(StringView(string, start, script.length()),
+                                script);
+}
+
 // If other files need this, we should move this to
 // core/html/parser/HTMLParserIdioms.h
 template <size_t inlineCapacity>
@@ -880,7 +889,8 @@ String XSSAuditor::CanonicalizedSnippetForJavaScript(
        break;

      if (last_non_space_position != kNotFound &&
-          StartsOpeningScriptTagAt(string, found_position)) {
+          (StartsOpeningScriptTagAt(string, found_position) ||
+           StartsClosingScriptTagAt(string, found_position))) {
        found_position = last_non_space_position + 1;
        break;
      }