author | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-06 03:43:55 +0000 |
---|---|---|
committer | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-06 03:43:55 +0000 |
commit | b68462c437afd0846489a870e3521decb6fbd658 (patch) | |
tree | d13c289c2fa5a9acdf979f9eb600cbe0b92a22cc /base/json | |
parent | d1c90bf7270eb0dd62e1e4924d55bd97636762f0 (diff) | |
Improve the underlying escaping function JsonDoubleQuoteT to escape < and > characters BY DEFAULT to prevent script execution.
BUG=40147
TEST=StringEscapeTest.*
Review URL: http://codereview.chromium.org/1512013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43695 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/json')
-rw-r--r-- | base/json/string_escape.cc | 7 | ||||
-rw-r--r-- | base/json/string_escape_unittest.cc | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/base/json/string_escape.cc b/base/json/string_escape.cc
index 5bf0b86..0b12439 100644
--- a/base/json/string_escape.cc
+++ b/base/json/string_escape.cc
@@ -58,9 +58,10 @@ void JsonDoubleQuoteT(const STR& str,
 for (typename STR::const_iterator it = str.begin(); it != str.end(); ++it) {
 typename ToUnsigned<typename STR::value_type>::Unsigned c = *it;
 if (!JsonSingleEscapeChar(c, dst)) {
- if (c < 32 || c > 126) {
- // Technically, we could also pass through c > 126 as UTF8, but this is
- // also optional. It would also be a pain to implement here.
+ if (c < 32 || c > 126 || c == '<' || c == '>') {
+ // 1. Escaping <, > to prevent script execution.
+ // 2. Technically, we could also pass through c > 126 as UTF8, but this
+ // is also optional. It would also be a pain to implement here.
 unsigned int as_uint = static_cast<unsigned int>(c);
 StringAppendF(dst, "\\u%04X", as_uint);
 } else {
diff --git a/base/json/string_escape_unittest.cc b/base/json/string_escape_unittest.cc
index 29e5a38..c550ca3 100644
--- a/base/json/string_escape_unittest.cc
+++ b/base/json/string_escape_unittest.cc
@@ -18,6 +18,7 @@ const struct json_narrow_test_data {
 {"a\b\f\n\r\t\v\1\\.\"z", "a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
 {"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+ {"c<>d", "c\\u003C\\u003Ed"},
 };
 } // namespace
@@ -62,6 +63,7 @@ const struct json_wide_test_data {
 {L"a\b\f\n\r\t\v\1\\.\"z", "a\\b\\f\\n\\r\\t\\u000B\\u0001\\\\.\\\"z"},
 {L"b\x0f\x7f\xf0\xff!", "b\\u000F\\u007F\\u00F0\\u00FF!"},
+ {L"c<>d", "c\\u003C\\u003Ed"},
 };
 } // namespace |
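Review bot: The new comment in the JsonDoubleQuoteT hunk ("Escaping <, > to prevent script execution") does not say which embedding context the escape protects, and the widened condition still passes `&` and `'` through unchanged. Emitting `\u003C`/`\u003E` keeps the output from forming `</script>` or `<!--` when the JSON is written into an inline script block, but it does not make the string safe inside an HTML attribute: the test data shows `"` is emitted as `\"`, whose literal quote still ends a double-quoted attribute value. I would state that limit in the comment, for example `// Escape '<' and '>' as \u003C/\u003E so the output cannot close an enclosing <script> block; callers placing it in HTML attributes must still HTML-escape.`, and consider whether `c == '&'` belongs in the same condition. The body of JsonDoubleQuoteT starts and ends outside this hunk, so how the outer quoting is applied cannot be confirmed from here.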