Reverse order of tests in eraseDangerousAttributeIfInjected().

The semicolon-separated case must come first to prevent it from
being handled in the ordinary manner when the string starts with
javascript:, since it need not obey the normal termination rules
when it is first split by semicolons.

BUG=384077

Review URL: https://codereview.chromium.org/346623003

git-svn-id: svn://svn.chromium.org/blink/trunk@176478 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/svg-animate-clutter-2-expected.txt

+CONSOLE ERROR: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%20xmlns:xlink=%27http://www.w3.org/1999/xlink%27%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=javascript%3Aalert(1)%3B%3B&clutter=blah%27%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+animate => animate
+* attributeName: xlink:href
+* values: javascript:void(0)
+

third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/svg-animate-clutter-2.html

+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.dumpChildFramesAsText();
+            testRunner.waitUntilDone();
+            testRunner.setXSSAuditorEnabled(true);
+        }
+    </script>
+</head>
+<body>
+    <p>This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.</p>
+    <iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<svg%20xmlns:xlink='http://www.w3.org/1999/xlink'><a><circle%20r=100%20/><animate%20attributeName=xlink:href%20values=javascript%3Aalert(1)%3B%3B&clutter=blah'>&notifyDone=1&dumpElementBySelector=animate"></iframe>
+</body>
+</html>

third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

@@ -607,9 +607,6 @@ bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& re
         // FIXME: Don't create a new String for every attribute.value in the document.
         if (isNameOfInlineEventHandler(attribute.name)) {
             eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
-        } else if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.value)))) {
-            valueContainsJavaScriptURL = true;
-            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
         } else if (isSemicolonSeparatedAttribute(attribute)) {
             String subValue = semicolonSeparatedValueContainingJavaScriptURL(String(attribute.value));
             if (!subValue.isEmpty()) {
@@ -617,6 +614,9 @@ bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& re
                 eraseAttribute = isContainedInRequest(canonicalize(nameFromAttribute(request, attribute), NoTruncation))
                     && isContainedInRequest(canonicalize(subValue, ScriptLikeAttributeTruncation));
             }
+        } else if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.value)))) {
+            valueContainsJavaScriptURL = true;
+            eraseAttribute = isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), ScriptLikeAttributeTruncation));
         }
         if (!eraseAttribute)
             continue;