authorinferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-06 03:43:55 +0000
committerinferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-06 03:43:55 +0000
commitb68462c437afd0846489a870e3521decb6fbd658 (patch)
treed13c289c2fa5a9acdf979f9eb600cbe0b92a22cc
parentd1c90bf7270eb0dd62e1e4924d55bd97636762f0 (diff)
Improve the underlying escaping function JsonDoubleQuoteT to escape < and > characters BY DEFAULT to prevent script execution.
BUG=40147 TEST=StringEscapeTest.* Review URL: http://codereview.chromium.org/1512013 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43695 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--base/json/string_escape.cc7
-rw-r--r--base/json/string_escape_unittest.cc2
-rw-r--r--chrome/common/json_value_serializer_unittest.cc4
3 files changed, 8 insertions, 5 deletions
diff --git a/base/json/string_escape.cc b/base/json/string_escape.cc
index 5bf0b86..0b12439 100644
--- a/base/json/string_escape.cc
+++ b/base/json/string_escape.cc
@@ -58,9 +58,10 @@ void JsonDoubleQuoteT(const STR& str,
for (typename STR::const_iterator it = str.begin(); it != str.end(); ++it) {
typename ToUnsigned<typename STR::value_type>::Unsigned c = *it;
if (!JsonSingleEscapeChar(c, dst)) {
- if (c < 32 || c > 126) {
- // Technically, we could also pass through c > 126 as UTF8, but this is
- // also optional. It would also be a pain to implement here.
+ if (c < 32 || c > 126 || c == '<' || c == '>') {
+ // 1. Escaping <, > to prevent script execution.
+ // 2. Technically, we could also pass through c > 126 as UTF8, but this
+ // is also optional. It would also be a pain to implement here.
unsigned int as_uint = static_cast<unsigned int>(c);
StringAppendF(dst, "\\u%04X", as_uint);
} else {
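Review bot: The new comment on the `if` at `c == '<' || c == '>'` should name the embedding context the escaping is for, because `&`, `'` and `/` are deliberately left unescaped (the serializer test's expected string in this commit shows `&` passing through) and a later reader will otherwise take the output as HTML-safe in general. Something like `// Escape < and > so JSON inlined into a <script> block cannot end the block early; this is not general HTML escaping (& and ' are passed through).` would make the boundary explicit. JsonDoubleQuoteT begins before the hunk, so its header comment may be the better home for that statement of intent. While touching it, the retained comment's "is also optional. It would also be a pain" could be tightened to a single sentence, e.g. `// Passing c > 126 through as UTF-8 is optional and not worth the complexity here.`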
diff --git a/base/json/string_escape_unittest.cc b/base/json/string_escape_unittest.cc
index 29e5a38..c550ca3 100644
--- a/base/json/string_escape_unittest.cc
+++ b/base/json/string_escape_unittest.cc
@@ -18,6 +18,7 @@ const struct json_narrow_test_data {
{"a\b\f\n\r\t\v\1\\.\"z",
"a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
{"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+ {"c<>d", "c\\u003C\\u003Ed"},
};
} // namespace
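Review bot: The added row pins that `<` and `>` become `\u003C`/`\u003E`, but nothing in this table pins that printable characters outside the escaped set still pass through, so a future over-escaping change would not be caught here. A neighbouring row such as `{"e&f'g", "e&f'g"}` would document that boundary; the wide-string table in the next hunk should get the same row with an `L` prefix.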
@@ -62,6 +63,7 @@ const struct json_wide_test_data {
{L"a\b\f\n\r\t\v\1\\.\"z",
"a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
{L"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+ {L"c<>d", "c\\u003C\\u003Ed"},
};
} // namespace
diff --git a/chrome/common/json_value_serializer_unittest.cc b/chrome/common/json_value_serializer_unittest.cc
index d1475ec..14f4f5d 100644
--- a/chrome/common/json_value_serializer_unittest.cc
+++ b/chrome/common/json_value_serializer_unittest.cc
@@ -83,8 +83,8 @@ TEST(JSONValueSerializerTest, StringEscape) {
std::string all_chars_expected =
"\\u0001\\u0002\\u0003\\u0004\\u0005\\u0006\\u0007\\b\\t\\n\\u000B\\f\\r"
"\\u000E\\u000F\\u0010\\u0011\\u0012\\u0013\\u0014\\u0015\\u0016\\u0017"
- "\\u0018\\u0019\\u001A\\u001B\\u001C\\u001D\\u001E"
- "\\u001F !\\\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\"
+ "\\u0018\\u0019\\u001A\\u001B\\u001C\\u001D\\u001E\\u001F !\\\""
+ "#$%&'()*+,-./0123456789:;\\u003C=\\u003E?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\"
"\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\\u007F\\u0080\\u0081\\u0082\\u0083"
"\\u0084\\u0085\\u0086\\u0087\\u0088\\u0089\\u008A\\u008B\\u008C\\u008D"
"\\u008E\\u008F\\u0090\\u0091\\u0092\\u0093\\u0094\\u0095\\u0096\\u0097"