Disallow data: URLs.

validator/testdata/feature_tests/javascript_xss.html

@@ -27,6 +27,7 @@
 <a href="javascript:alert('boo')">Click here to see an important message.</a>
 <a href="JavaScript:alert('boo')">It's CAse inSenSitive.</a>
 <a href="vbscript:bar">vbscript is also dangerous</a>
+<a href="data:baz">data urls have some risks</a>
 
 </body>
 </html>

validator/testdata/feature_tests/javascript_xss.out

@@ -2,3 +2,4 @@ FAIL
 feature_tests/javascript_xss.html:27:0 INVALID_ATTR_VALUE href=javascript:alert('boo')
 feature_tests/javascript_xss.html:28:0 INVALID_ATTR_VALUE href=JavaScript:alert('boo')
 feature_tests/javascript_xss.html:29:0 INVALID_ATTR_VALUE href=vbscript:bar
+feature_tests/javascript_xss.html:30:0 INVALID_ATTR_VALUE href=data:baz

validator/validator.js

@@ -1165,19 +1165,23 @@ ParsedTagSpec.prototype.validateAttributes = function(
                            parsedSpec.getSpec().deprecation,
                        parsedSpec.getSpec().deprecationUrl,
                        resultForAttempt);
-      // Since the Javascript is always in development mode, deprecation
-      // is an error. So we return.
-      return;
+      // Deprecation is only a warning, so we don't return.
     }
     if (parsedSpec.getSpec().devModeEnabled !== null) {
       context.addError(amp.validator.ValidationError.Code.DEV_MODE_ENABLED,
                        encounteredAttrName + ' - ' +
                            parsedSpec.getSpec().devModeEnabled,
                        parsedSpec.getSpec().devModeEnabledUrl,
                        resultForAttempt);
-      // Since the Javascript is always in development mode, developer mode
-      // enabled is not an error, so no need to return.
+      // Enabling the developer attribute is now always an error, so we
+      // return.
+      return;
     }
+    // The value, value_regex, and value_properties fields are
+    // treated like a oneof, but we're not using oneof because it's
+    // a feature that was added after protobuf 2.5.0 (which our
+    // open-source version uses).
+    // begin oneof {
     if (parsedSpec.getSpec().value !== null) {
       if (encounteredAttrValue != parsedSpec.getSpec().value) {
         context.addError(amp.validator.ValidationError.Code.INVALID_ATTR_VALUE,
@@ -1204,6 +1208,7 @@ ParsedTagSpec.prototype.validateAttributes = function(
         return;
       }
     }
+    // } end oneof
     if (parsedSpec.getSpec().blacklistedValueRegex !== null) {
       const blacklistedValueRegex =
           new RegExp(parsedSpec.getSpec().blacklistedValueRegex, 'gi');
@@ -1217,6 +1222,9 @@ ParsedTagSpec.prototype.validateAttributes = function(
     if (parsedSpec.getSpec().mandatory) {
       mandatoryAttrsSeen.push(parsedSpec.getId());
     }
+    // The "at most 1" part of mandatory_oneof: mandatory_oneof
+    // wants exactly one of the alternatives, so here
+    // we check whether we already saw another alternative
     if (parsedSpec.getSpec().mandatoryOneof &&
         mandatoryOneofsSeen.contains(parsedSpec.getSpec().mandatoryOneof)) {
       context.addError(
@@ -1227,6 +1235,8 @@ ParsedTagSpec.prototype.validateAttributes = function(
     }
     mandatoryOneofsSeen.add(parsedSpec.getSpec().mandatoryOneof);
   }
+  // The "at least 1" part of mandatory_oneof: If none of the
+  // alternatives were present, we report that an attribute is missing.
   for (const mandatoryOneof of this.mandatoryOneofs_) {
     if (!mandatoryOneofsSeen.contains(mandatoryOneof)) {
       context.addError(

validator/validator.protoascii

@@ -25,7 +25,7 @@ min_validator_revision_required: 63
 # newer versions of the spec file. This is currently a Google internal
 # mechanism, validator.js does not use this facility. However, any
 # change to this file requires updating this revision id.
-spec_file_revision: 92
+spec_file_revision: 93
 
 # Rules for AMP HTML
 # (https://github.com/google/amphtml/blob/master/spec/amp-html-format.md).
@@ -593,7 +593,7 @@ tags: {
   name: "a"
   attrs: {
     name: "href"
-    blacklisted_value_regex: "(javascript|vbscript):.*"
+    blacklisted_value_regex: "(javascript|vbscript|data):.*"
   }
   attrs: {
     name: "target"