author | sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-23 04:40:51 +0000 |
---|---|---|
committer | sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-23 04:40:51 +0000 |
commit | 04db261f3eaa86f6e3b5c0f24eb3adf0f2a2700a (patch) | |
tree | 35d026137c04cd99b040c2e15a898d953868d1bf | |
parent | cdaa0712d47303b5d8c537d14a1ac925170c84b2 (diff) | |
Escape HTML to avoid injection attacks.
BUG=171134
R=jschuh@chromium.org
TEST=No more XSS (server side fixes also necessary).
Review URL: https://chromiumcodereview.appspot.com/12039002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@178247 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/renderer/resources/extensions/searchbox_api.js | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/chrome/renderer/resources/extensions/searchbox_api.js b/chrome/renderer/resources/extensions/searchbox_api.js
index b76d5bc..06aa877 100644
--- a/chrome/renderer/resources/extensions/searchbox_api.js
+++ b/chrome/renderer/resources/extensions/searchbox_api.js
@@ -58,6 +58,18 @@ if (!chrome.searchBox) {
 native function StartCapturingKeyStrokes();
 native function StopCapturingKeyStrokes();
 
+ function escapeHTML(text) {
+ return text.replace(/[<>&"']/g, function(match) {
+ switch (match) {
+ case '<': return '<';
+ case '>': return '>';
+ case '&': return '&';
+ case '"': return '"';
+ case "'": return ''';
+ }
+ });
+ }
+
 // Returns the |restrictedText| wrapped in a ShadowDOM.
 function SafeWrap(restrictedText) {
 var node = document.createElement('div');
@@ -84,8 +96,8 @@ if (!chrome.searchBox) {
 GetAutocompleteResults());
 var userInput = GetQuery();
 for (var i = 0, result; result = autocompleteResults[i]; ++i) {
- var title = result.contents;
- var url = CleanUrl(result.destination_url, userInput);
+ var title = escapeHTML(result.contents);
+ var url = escapeHTML(CleanUrl(result.destination_url, userInput));
 var combinedHtml = '<span class=chrome_url>' + url + '</span>';
 if (title) {
 result.titleNode = SafeWrap(title); |
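Review bot: `escapeHTML` calls `text.replace` unconditionally, so a result whose `contents` is undefined or not a string would now throw at the call added in the second hunk, where the old code simply fell through `if (title)`. Coercing first, e.g. `return String(text == null ? '' : text).replace(/[<>&"']/g, ...)`, keeps the previous behaviour for missing titles; whether `contents` can actually be absent is not visible here. As rendered on this page each `case` returns the same character it matched, which is presumably the page having decoded the entity strings, so the committed file should be checked to confirm the five replacements are the entity forms (`&lt;`, `&gt;`, `&amp;`, `&quot;` and a numeric reference for the apostrophe). A short comment above the function, such as `// Escapes text for HTML element content and quoted attribute values only; not for URLs or script.`, would tell future callers where it is safe to use.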
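Review bot: Escaping at the assignment means `title` and `url` hold HTML-encoded strings for the rest of the loop body, which continues past this hunk, so any later use of them as plain text or in a comparison with `userInput` would see the encoded form. A comment such as `// title and url are HTML-escaped from here on; use them only in markup.` or renaming them to `titleHtml` / `urlHtml` would make that explicit. The concatenation into `combinedHtml` is the sink being protected and the order (CleanUrl first, then escape) looks right. SafeWrap's body is outside the hunk: if it assigns its argument as markup the escaping is the correct control, and if it assigns text the title would end up double-encoded, which is worth confirming.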