author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-02 16:44:56 +0000 |
---|---|---|
committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-02 16:44:56 +0000 |
commit | b1eed66ff9bc1dd0c2c319c8ff42f8f0d1abc1b3 (patch) | |
tree | dbaaabf08550d211f03dd7cc4c46c38c80a294e0 /webkit/appcache/view_appcache_internals_job.cc | |
parent | 534c4fb35c8c195c6d82e7e12ac303397e796825 (diff) | |
Apply content-security-policy to chrome://appcache-internals and chrome://blob-internals.
Since these files live under /webkit, just hardcode the CSP directive rather
than trying to read it from a resource bundle. Re-write the page to be
completely free of JavaScript, falling back to form submissions, to avoid having
to pull in an external file.
Review URL: http://codereview.chromium.org/7518011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95093 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/appcache/view_appcache_internals_job.cc')
-rw-r--r-- | webkit/appcache/view_appcache_internals_job.cc | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/webkit/appcache/view_appcache_internals_job.cc b/webkit/appcache/view_appcache_internals_job.cc
index 606a1e4..efd0410 100644
--- a/webkit/appcache/view_appcache_internals_job.cc
+++ b/webkit/appcache/view_appcache_internals_job.cc
@@ -48,26 +48,22 @@ const char kViewCacheCommand[] = "view-cache";
 const char kViewEntryCommand[] = "view-entry";
 
 void EmitPageStart(std::string* out) {
-  DCHECK(out);
   out->append(
       "<!DOCTYPE HTML>\n"
       "<html><title>AppCache Internals</title>\n"
+      "<meta http-equiv=\"X-WebKit-CSP\""
+      " content=\"object-src 'none'; script-src 'none'\">\n"
       "<style>\n"
       "body { font-family: sans-serif; font-size: 0.8em; }\n"
       "tt, code, pre { font-family: WebKitHack, monospace; }\n"
+      "form { display: inline; }\n"
       ".subsection_body { margin: 10px 0 10px 2em; }\n"
       ".subsection_title { font-weight: bold; }\n"
       "</style>\n"
-      "<script>\n"
-      "function PerformCommand(command, param) {\n"
-      "  location = location.pathname + '?' + command + '=' + param;\n"
-      "}\n"
-      "</script>\n"
       "</head><body>\n");
 }
 
 void EmitPageEnd(std::string* out) {
-  DCHECK(out);
   out->append("</body></html>\n");
 }
 
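Review bot: The policy added to EmitPageStart restricts only `object-src` and `script-src`, so images, frames, fonts and external stylesheets from any origin are still permitted on a page that renders data originating from web content; a deny-by-default baseline such as `"default-src 'none'; style-src 'unsafe-inline'"` (the second directive keeps the inline `<style>` block working, assuming this WebKit CSP implementation honors that keyword) would be the safer starting point. Emitting the policy as an HTTP response header from the request job instead of a `<meta http-equiv>` tag would also be preferable, since header delivery applies to the whole document independent of where the tag lands in the parse; whether this job can set response headers is not visible in the hunk. A short comment above the meta tag, for example `// CSP is hardcoded (no resource bundle is available under /webkit); keep in sync with the blob-internals page.`, would record why the directive is inlined here.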
@@ -78,26 +74,31 @@ void EmitCommandButton(const std::string& label,
                        const std::string& command,
                        const std::string& param,
                        std::string* out) {
-  base::StringAppendF(out, "<input type=\"button\" value=\"%s\" "
-                      "onclick=\"PerformCommand('%s', '%s')\" />\n",
-                      label.c_str(), command.c_str(), param.c_str());
+  base::StringAppendF(out,
+      "<form action=\"\" method=\"GET\">\n"
+      "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n"
+      "<input type=\"submit\" value=\"%s\">\n"
+      "</form>",
+      EscapeForHTML(command).c_str(),
+      EscapeForHTML(param).c_str(),
+      EscapeForHTML(label).c_str());
 }
 
-void EmitListItem(const std::string& label, const std::string& data,
+void EmitListItem(const std::string& label,
+                  const std::string& data,
                   std::string* out) {
-  DCHECK(out);
   out->append("<li>");
-  out->append(label);
+  out->append(EscapeForHTML(label));
   out->append(data);
   out->append("</li>\n");
 }
 
 void EmitAnchor(const std::string& url, const std::string& text,
                 std::string* out) {
-  out->append("<a href=");
-  out->append(url);
-  out->append(">");
-  out->append(text);
+  out->append("<a href=\"");
+  out->append(EscapeForHTML(url));
+  out->append("\">");
+  out->append(EscapeForHTML(text));
   out->append("</a><br/>");
 }
 
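Review bot: EmitListItem now escapes `label` but still appends `data` verbatim on the very next line, so any caller that passes an unescaped string from web content (a manifest URL or cache entry, for instance) can still inject markup; the callers are outside this hunk, so which of them pass pre-built HTML versus raw text cannot be confirmed here. At minimum the contract should be written down, e.g. `// |data| is inserted as-is: it must be markup built by the Emit* helpers or text that has already been passed through EscapeForHTML.`, or the helper could escape `data` too and let callers that need markup append it after the call. EmitAnchor correctly escapes `url` for the quoted attribute context, but it does not validate the scheme; with `script-src 'none'` in effect a `javascript:` href should be blocked by CSP, so this is a defense-in-depth observation rather than a confirmed gap.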