From 4113965994bb5d0c650bae13f28883d525a34002 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 1 Jun 2016 09:41:51 +0200 Subject: [PATCH] Extract bits out of a javascript URL through serialization The root cause here is a change in the URL parser that allows all schemes to have components such as host. Without this change more obscure javascript URLs such as javascript://test/%0Aalert(1) would fail to function. Fixes #672. --- source | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/source b/source index ad49a1418af..ffb6323c640 100644 --- a/source +++ b/source @@ -81497,26 +81497,14 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O active document's origin, then let result be undefined, and jump to the step labeled process result below.

-
  • Let urlRecord be the result of running the URL parser on the - URL of resource.

  • +
  • Let urlString be the result of running the URL serialiser on resource.

  • -
  • Let script source be the empty string.

  • - -
  • Append the first string of urlRecord's path component to script source.

  • - -
  • If urlRecord's query component is - not null, then first append a U+003F QUESTION MARK character (?) to script source, - and then append urlRecord's query - component to script source.

  • - -
  • If urlRecord's fragment - component is not null, then first append a U+0023 NUMBER SIGN character (#) to script - source, and then append urlRecord's fragment component to script source.

  • +
  • Remove the leading "javascript:" string from + urlString.

  • -
  • Replace script source with the result of applying the - percent decode algorithm to script source.

  • +
  • Let script source be the result of applying the percent decode + algorithm to urlString.

  • Replace script source with the result of applying the UTF-8 decode algorithm to script source.
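Review bot: the added step "Let urlString be the result of running the URL serialiser on resource" passes resource itself to the serializer, whereas the step it replaces ran the URL parser on "the URL of resource"; since the serializer takes a URL record, this should read "the URL serialiser on the URL of resource" (or name the URL record explicitly) so the input matches the removed line. The literal-prefix step "Remove the leading "javascript:" string from urlString" is fine as written because the serializer emits the scheme exactly as the parser stored it, already lowercased, so a "JavaScript:" input still matches; it would help readers to say so inline. Also worth stating is that the serializer may re-introduce percent-encoding into the path or query, which is why the percent decode step must stay immediately after the prefix removal, as it does here.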