authorsreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-23 04:40:51 +0000
committersreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-23 04:40:51 +0000
commit04db261f3eaa86f6e3b5c0f24eb3adf0f2a2700a (patch)
tree35d026137c04cd99b040c2e15a898d953868d1bf
parentcdaa0712d47303b5d8c537d14a1ac925170c84b2 (diff)
Escape HTML to avoid injection attacks.
BUG=171134 R=jschuh@chromium.org TEST=No more XSS (server side fixes also necessary). Review URL: https://chromiumcodereview.appspot.com/12039002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@178247 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/renderer/resources/extensions/searchbox_api.js16
1 files changed, 14 insertions, 2 deletions
diff --git a/chrome/renderer/resources/extensions/searchbox_api.js b/chrome/renderer/resources/extensions/searchbox_api.js
index b76d5bc..06aa877 100644
--- a/chrome/renderer/resources/extensions/searchbox_api.js
+++ b/chrome/renderer/resources/extensions/searchbox_api.js
@@ -58,6 +58,18 @@ if (!chrome.searchBox) {
native function StartCapturingKeyStrokes();
native function StopCapturingKeyStrokes();
+ function escapeHTML(text) {
+ return text.replace(/[<>&"']/g, function(match) {
+ switch (match) {
+ case '<': return '&lt;';
+ case '>': return '&gt;';
+ case '&': return '&amp;';
+ case '"': return '&quot;';
+ case "'": return '&apos;';
+ }
+ });
+ }
+
// Returns the |restrictedText| wrapped in a ShadowDOM.
function SafeWrap(restrictedText) {
var node = document.createElement('div');
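Review bot: escapeHTML on the new side has no comment stating which context it is safe for, and the `&apos;` entity it emits for `'` is only defined in XML and HTML5, not HTML4; `&#39;` is the conventional, universally parsed escape and is what other escaping helpers generally produce. Since this runs inside Chrome's own renderer the entity is presumably parsed fine, but the numeric form costs nothing and removes the doubt: `case "'": return '&#39;';`. I would also add a header comment above the function, e.g. `// Escapes the five HTML metacharacters so |text| can be concatenated into markup (element content or quoted attribute values). Expects a string; callers must not pass null/undefined.`, because the `.replace` call on line 26 throws a TypeError for non-string input and nothing in the function guards against that.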
@@ -84,8 +96,8 @@ if (!chrome.searchBox) {
GetAutocompleteResults());
var userInput = GetQuery();
for (var i = 0, result; result = autocompleteResults[i]; ++i) {
- var title = result.contents;
- var url = CleanUrl(result.destination_url, userInput);
+ var title = escapeHTML(result.contents);
+ var url = escapeHTML(CleanUrl(result.destination_url, userInput));
var combinedHtml = '<span class=chrome_url>' + url + '</span>';
if (title) {
result.titleNode = SafeWrap(title);
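Review bot: The new `var title = escapeHTML(result.contents);` on line 46 runs before the existing `if (title)` check, so a result whose `contents` is undefined or null now throws a TypeError from `.replace` instead of being skipped as it was before the change; the check after it only makes sense if such values occur. Guard the call: `var title = result.contents ? escapeHTML(result.contents) : result.contents;` keeps the later truthiness check behaving as before. Separately, the escaped `title` is handed to SafeWrap, whose handling of `restrictedText` is outside the hunk — if it assigns via textContent rather than innerHTML the entities will be rendered literally (double escaping), so that path is worth confirming. The enclosing loop and function continue past the end of the hunk.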