Diff
Modified: trunk/LayoutTests/ChangeLog (100587 => 100588)
--- trunk/LayoutTests/ChangeLog 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/LayoutTests/ChangeLog 2011-11-17 10:10:14 UTC (rev 100588)
@@ -1,3 +1,13 @@
+2011-11-16 Alexander Pavlov <apav...@chromium.org>
+
+ Web Inspector: inspector follows _javascript_: hrefs as relative
+ https://bugs.webkit.org/show_bug.cgi?id=72373
+
+ Reviewed by Yury Semikhatsky.
+
+ * inspector/styles/styles-url-linkify-expected.txt:
+ * inspector/styles/styles-url-linkify.html:
+
2011-11-17 Dominic Mazzoni <dmazz...@google.com>
Accessibility: Chromium requires an AX notification when an iframe loads.
Modified: trunk/LayoutTests/inspector/styles/styles-url-linkify-expected.txt (100587 => 100588)
--- trunk/LayoutTests/inspector/styles/styles-url-linkify-expected.txt 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/LayoutTests/inspector/styles/styles-url-linkify-expected.txt 2011-11-17 10:10:14 UTC (rev 100588)
@@ -1,4 +1,4 @@
-Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643
+Tests that URLs are linked to and completed correctly. Bugs 51663, 53171, 62643, 72373
URLs completed:
@@ -13,6 +13,8 @@
http://example.com/foo?a=b
http://example.com/foo?a=b
data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=
+_javascript_:alert('foo');
+null
Link for a URI from CSS document:
webkit-html-resource-link inspector/styles/resources/fromcss.png
Link for a URI from iframe inline stylesheet:
Modified: trunk/LayoutTests/inspector/styles/styles-url-linkify.html (100587 => 100588)
--- trunk/LayoutTests/inspector/styles/styles-url-linkify.html 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/LayoutTests/inspector/styles/styles-url-linkify.html 2011-11-17 10:10:14 UTC (rev 100588)
@@ -27,6 +27,8 @@
const dataURL = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEIAAABCAgMAAACeOuh7AAAABGdBTUEAAK/INwWK6QAAAAlQTFRF////AAAA////fu+PTwAAAAF0Uk5TAEDm2GYAAACHSURBVDjLxdLbDYAgDAVQGELn0R3oEHYf2KGdUqtE46OFRCP3oyTng1xCnWsaD5JRRtCkQ2YmkBkHRXqWJBn0j0TICbrsWVoWhRShCdcGyZCtHxMaUnVPRZ9KSbmBJdsX2vJVnwqRD0Rb4rpzgIbE/AI5NTnWAMvy5l0dXrfuLh5OCe5BmmYGXhTUxlQ5xJ8AAAAASUVORK5CYII=";
completeURL("https://example.com/foo", dataURL);
+ completeURL("http://example.com/foo", "_javascript_:alert('foo');");
+ InspectorTest.addResult(WebInspector.resourceURLForRelatedNode(null, " _javascript_:alert('foo'); "));
function dumpHref(dumpLinkClass)
{
@@ -81,7 +83,7 @@
</head>
<body _onload_="runAfterIframeIsLoaded()">
<p>
-Tests that URLs are linked to and completed correctly. Bugs <a href="" <a href="" <a href=""
+Tests that URLs are linked to and completed correctly. Bugs <a href="" <a href="" <a href="" <a href=""
</p>
<div id="local"></div>
<iframe src=""
Modified: trunk/Source/WebCore/ChangeLog (100587 => 100588)
--- trunk/Source/WebCore/ChangeLog 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/Source/WebCore/ChangeLog 2011-11-17 10:10:14 UTC (rev 100588)
@@ -1,3 +1,17 @@
+2011-11-16 Alexander Pavlov <apav...@chromium.org>
+
+ Web Inspector: inspector follows _javascript_: hrefs as relative
+ https://bugs.webkit.org/show_bug.cgi?id=72373
+
+ _javascript_: hrefs should never be linkified for security.
+
+ Reviewed by Yury Semikhatsky.
+
+ * inspector/front-end/ElementsTreeOutline.js:
+ (WebInspector.ElementsTreeElement.prototype._buildAttributeDOM):
+ * inspector/front-end/ResourceUtils.js:
+ (WebInspector.completeURL):
+
2011-11-17 Nikolas Zimmermann <nzimmerm...@rim.com>
Not reviewed. Fix 32bit builds.
Modified: trunk/Source/WebCore/inspector/front-end/ElementsTreeOutline.js (100587 => 100588)
--- trunk/Source/WebCore/inspector/front-end/ElementsTreeOutline.js 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/Source/WebCore/inspector/front-end/ElementsTreeOutline.js 2011-11-17 10:10:14 UTC (rev 100588)
@@ -1467,7 +1467,11 @@
if (linkify && (name === "src" || name === "href")) {
var rewrittenHref = WebInspector.resourceURLForRelatedNode(node, value);
value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");
- attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
+ if (rewrittenHref === null) {
+ var attrValueElement = attrSpanElement.createChild("span", "webkit-html-attribute-value");
+ attrValueElement.textContent = value;
+ } else
+ attrSpanElement.appendChild(linkify(rewrittenHref, value, "webkit-html-attribute-value", node.nodeName().toLowerCase() === "a"));
} else {
value = value.replace(/([\/;:\)\]\}])/g, "$1\u200B");
var attrValueElement = attrSpanElement.createChild("span", "webkit-html-attribute-value");
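Review bot: The new `rewrittenHref === null` branch repeats the plain-span rendering that the outer `else` just below already performs, so the function now has two copies of the non-link path and two `var attrValueElement` declarations. Folding both into one fallback would keep the text-only rendering (`textContent`, no anchor) from diverging later. A short comment on the branch would also help, e.g. `// null means the value must not become a link; render it as plain text.` The enclosing function starts and ends outside this hunk.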
Modified: trunk/Source/WebCore/inspector/front-end/ResourceUtils.js (100587 => 100588)
--- trunk/Source/WebCore/inspector/front-end/ResourceUtils.js 2011-11-17 10:09:21 UTC (rev 100587)
+++ trunk/Source/WebCore/inspector/front-end/ResourceUtils.js 2011-11-17 10:10:14 UTC (rev 100588)
@@ -220,11 +220,17 @@
return anchor;
}
+/**
+ * @return {?string} null if the specified resource MUST NOT have a URL (e.g. "_javascript_:...")
+ */
WebInspector.resourceURLForRelatedNode = function(node, url)
{
if (!url || url.indexOf("://") > 0)
return url;
+ if (url.trim().indexOf("_javascript_:") === 0)
+ return null; // Do not provide a resource URL for security.
+
for (var frameOwnerCandidate = node; frameOwnerCandidate; frameOwnerCandidate = frameOwnerCandidate.parentNode) {
if (frameOwnerCandidate.documentURL) {
var result = WebInspector.completeURL(frameOwnerCandidate.documentURL, url);
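Review bot: The scheme guard sits after the `url.indexOf("://") > 0` early return, so a value that starts with the blocked scheme but contains `://` later in its text is returned unchanged and, in ElementsTreeOutline.js, still reaches `linkify`. The comparison is also case-sensitive although URL schemes are not, so mixed-case spellings are not matched; the same case-sensitive `indexOf` is used on `trimmedHref` in the completeURL hunk of this file. I would reduce the first test to `if (!url) return url;`, run the scheme check on `url.trim().toLowerCase()`, and only then apply the `://` shortcut. The layout test covers only the lower-case form with surrounding spaces, so a mixed-case input and one containing `://` would be worth adding. The function body continues past the end of the hunk.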
@@ -280,8 +286,13 @@
if (href) {
// Return absolute URLs as-is.
var parsedHref = href.asParsedURL();
- if ((parsedHref && parsedHref.scheme) || href.indexOf("data:") === 0)
+ if (parsedHref && parsedHref.scheme)
return href;
+
+ // Return special URLs as-is.
+ var trimmedHref = href.trim();
+ if (trimmedHref.indexOf("data:") === 0 || trimmedHref.indexOf("_javascript_:") === 0)
+ return href;
}
var parsedURL = baseURL.asParsedURL();
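Review bot: completeURL now returns the original `href` untouched for the special schemes, so the protection rests entirely on callers going through resourceURLForRelatedNode first; any caller that links the result of completeURL directly (none is visible here) would still produce such a link. A comment at the new branch should say so, e.g. `// Returned unresolved, not validated: callers must not linkify this without a scheme check.` The match is made on `trimmedHref` but the untrimmed `href` is returned, so surrounding whitespace is passed through to the caller. The function starts and ends outside this hunk.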