Off by one in XSSAuditor::canonicalizedSnippetForJavaScript()

See discussion in bug.
BUG=526104

Review URL: https://codereview.chromium.org/1310153004

git-svn-id: svn://svn.chromium.org/blink/trunk@201803 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt

+CONSOLE ERROR: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/xss/)-1%2502%3Cscript%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+

third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode.html

+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script>alert(/xss/)-1%2502<script</script>">
+</iframe>
+</body>
+</html>

third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

@@ -767,7 +767,7 @@ String XSSAuditor::canonicalizedSnippetForJavaScript(const FilterTokenRequest& r
                 break;
 
             if (lastNonSpacePosition != kNotFound && startsOpeningScriptTagAt(string, foundPosition)) {
-                foundPosition = lastNonSpacePosition;
+                foundPosition = lastNonSpacePosition + 1;
                 break;
             }
             if (foundPosition > startPosition + kMaximumFragmentLengthTarget) {