Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(105)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 7173043: Use uri.js in html-sanitizer and caja uri policies (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
11 years, 3 months ago by Jasvir
Modified:
11 years, 2 months ago
Reviewers:
felix8a, kpreid2, ihab.awad
CC:
caja-discuss-undisclosed_googlegroups.com, MarkM, felix8a, Jasvir, metaweta, MikeSamuel, ihab.awad
Base URL:
http://google-caja.googlecode.com/svn/trunk/
Visibility:
Public.

Description

Changes the uriPolicy api to use uri.js and passes parsed URIs to policy functions. This addresses potential vulnerabilities arising from differences between how browsers parse urls that are malformed. Added URI tests from WebKit but further normalization of URI domains are needed before these tests can be run correctly. @5288

Patch Set 1 #

Total comments: 4

Patch Set 2 : Use uri.js in html-sanitizer and caja uri policies #

Patch Set 3 : Use uri.js in html-sanitizer and caja uri policies #

Patch Set 4 : Use uri.js in html-sanitizer and caja uri policies #

Total comments: 2

Patch Set 5 : Use uri.js in html-sanitizer and caja uri policies #

Total comments: 3
Unified diffs Side-by-side diffs Delta from patch set Stats (+166 lines, -39 lines) Patch
M build.xml View 1 chunk +1 line, -0 lines 0 comments Download
M src/com/google/caja/demos/playground/client/ui/PlaygroundView.java View 1 1 chunk +1 line, -1 line 0 comments Download
M src/com/google/caja/plugin/caja.js View 2 chunks +2 lines, -2 lines 0 comments Download
M src/com/google/caja/plugin/domado.js View 1 2 3 4 1 chunk +32 lines, -13 lines 3 comments Download
M src/com/google/caja/plugin/html-sanitizer.js View 2 chunks +12 lines, -13 lines 0 comments Download
M src/com/google/caja/plugin/uri.js View 1 chunk +3 lines, -1 line 0 comments Download
M tests/com/google/caja/lexer/escaping/UriUtilTest.java View 1 chunk +11 lines, -0 lines 0 comments Download
M tests/com/google/caja/plugin/default-test-driver.js View 1 chunk +1 line, -1 line 0 comments Download
M tests/com/google/caja/plugin/es53-test-client-uri-rewriting.js View 4 chunks +4 lines, -4 lines 0 comments Download
M tests/com/google/caja/plugin/es53-test-domado-special.js View 1 chunk +1 line, -1 line 0 comments Download
M tests/com/google/caja/plugin/html-sanitizer-test.js View 1 2 3 chunks +9 lines, -3 lines 0 comments Download
M tests/com/google/caja/plugin/uri_test.js View 1 2 1 chunk +89 lines, -0 lines 0 comments Download

Messages

Total messages: 12
Jasvir
11 years, 3 months ago (2013-01-21 01:41:38 UTC) #1
ihab.awad
https://codereview.appspot.com/7173043/diff/1/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/7173043/diff/1/src/com/google/caja/plugin/domado.js#newcode93 src/com/google/caja/plugin/domado.js:93: console.log('Rejecting url ' + uri + ' because ' ...
11 years, 3 months ago (2013-01-22 19:04:51 UTC) #2
ihab.awad
lgtm++
11 years, 3 months ago (2013-01-22 19:05:00 UTC) #3
Jasvir
Changes the uriPolicy api to use uri.js and passes parsed URIs to policy functions. This ...
11 years, 3 months ago (2013-01-22 19:08:54 UTC) #4
Jasvir
Changes the uriPolicy api to use uri.js and passes parsed URIs to policy functions. This ...
11 years, 3 months ago (2013-01-22 19:23:06 UTC) #5
Jasvir
Changes the uriPolicy api to use uri.js and passes parsed URIs to policy functions. This ...
11 years, 3 months ago (2013-01-22 20:14:08 UTC) #6
felix8a
https://codereview.appspot.com/7173043/diff/13001/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/7173043/diff/13001/src/com/google/caja/plugin/domado.js#newcode101 src/com/google/caja/plugin/domado.js:101: naiveUriPolicy.fetch(undefined, mime, callback); naiveUriPolicy.fetch is not a function here. ...
11 years, 3 months ago (2013-01-23 21:20:12 UTC) #7
Jasvir
Changes the uriPolicy api to use uri.js and passes parsed URIs to policy functions. This ...
11 years, 3 months ago (2013-01-23 21:24:48 UTC) #8
Jasvir
https://codereview.appspot.com/7173043/diff/13001/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/7173043/diff/13001/src/com/google/caja/plugin/domado.js#newcode101 src/com/google/caja/plugin/domado.js:101: naiveUriPolicy.fetch(undefined, mime, callback); Removed.
11 years, 3 months ago (2013-01-23 21:25:33 UTC) #9
kpreid2
https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/domado.js#newcode93 src/com/google/caja/plugin/domado.js:93: console.log('Rejecting url ' + uri + ' because ' ...
11 years, 3 months ago (2013-01-23 21:31:01 UTC) #10
Jasvir
https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/domado.js#newcode93 src/com/google/caja/plugin/domado.js:93: console.log('Rejecting url ' + uri + ' because ' ...
11 years, 3 months ago (2013-01-23 21:54:09 UTC) #11
kpreid2
11 years, 3 months ago (2013-01-23 21:55:28 UTC) #12 
https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/...
File src/com/google/caja/plugin/domado.js (right):

https://codereview.appspot.com/7173043/diff/16001/src/com/google/caja/plugin/...
src/com/google/caja/plugin/domado.js:93: console.log('Rejecting url ' + uri + '
because ' + e);
On 2013/01/23 21:54:09, Jasvir wrote:
> I was staying consistent with other console.log message calls in this file.

Then those should be changed too, eventually.
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b