Sanitize JavaScript links in HTMLViewSourceDocument

To limit mischief, replace the target of JavaScript-scheme links in HTMLViewSourceDocument with about:blank. Bug: 705206, 808407 Change-Id: I185006d0cb29caabcd08dd9d5b9324357c79efaa Reviewed-on: https://chromium-review.googlesource.com/900099Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/heads/master@{#534705}

Sanitize JavaScript links in HTMLViewSourceDocument
To limit mischief, replace the target of JavaScript-scheme links in HTMLViewSourceDocument with about:blank. Bug: 705206, 808407 Change-Id: I185006d0cb29caabcd08dd9d5b9324357c79efaa Reviewed-on: https://chromium-review.googlesource.com/900099Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/heads/master@{#534705}
4f811848 · Eric Lawrence · Commit Bot · 0ac4fa20 · 4f811848
Commit 4f811848 authored Feb 06, 2018 by Eric Lawrence Committed by Commit Bot Feb 06, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

third_party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp ..._party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp +3 -0

No files found.
--- a/third_party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp
@@ -314,6 +314,9 @@ Element* HTMLViewSourceDocument::AddLink(const AtomicString& url,
  anchor->setAttribute(classAttr, class_value);
  anchor->setAttribute(targetAttr, "_blank");
  anchor->setAttribute(hrefAttr, url);
+  // Disallow JavaScript hrefs. https://crbug.com/808407
+  if (anchor->Url().ProtocolIsJavaScript())
+    anchor->setAttribute(hrefAttr, "about:blank");
  current_->ParserAppendChild(anchor);
  return anchor;
 }