Source/WebCore/html/parser/XSSFilter.h - platform/external/webkit - Git at Google

 /*
  * Copyright (C) 2011 Adam Barth. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */

 #ifndef XSSFilter_h
 #define XSSFilter_h

 #include "HTMLToken.h"
 #include "HTTPParsers.h"
 #include "SuffixTree.h"

 namespace WebCore {

 class HTMLDocumentParser;

 class XSSFilter {
     WTF_MAKE_NONCOPYABLE(XSSFilter);
 public:
     explicit XSSFilter(HTMLDocumentParser*);

     void filterToken(HTMLToken&);

 private:
     enum State {
         Uninitialized,
         Initial,
         AfterScriptStartTag,
     };

     void init();

     bool filterTokenInitial(HTMLToken&);
     bool filterTokenAfterScriptStartTag(HTMLToken&);

     bool filterScriptToken(HTMLToken&);
     bool filterObjectToken(HTMLToken&);
     bool filterParamToken(HTMLToken&);
     bool filterEmbedToken(HTMLToken&);
     bool filterAppletToken(HTMLToken&);
     bool filterIframeToken(HTMLToken&);
     bool filterMetaToken(HTMLToken&);
     bool filterBaseToken(HTMLToken&);
     bool filterFormToken(HTMLToken&);

     bool eraseDangerousAttributesIfInjected(HTMLToken&);
     bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&, const String& replacementValue = String());

     String snippetForRange(const HTMLToken&, int start, int end);
     String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);

     bool isContainedInRequest(const String&);
     bool isSameOriginResource(const String& url);

     HTMLDocumentParser* m_parser;
     bool m_isEnabled;
     XSSProtectionDisposition m_xssProtection;

     String m_decodedURL;
     String m_decodedHTTPBody;
     OwnPtr<SuffixTree<ASCIICodebook> > m_decodedHTTPBodySuffixTree;

     State m_state;
     String m_cachedSnippet;
 };

 }

 #endif
	/*
	* Copyright (C) 2011 Adam Barth. All Rights Reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* 1. Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* 2. Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in the
	* documentation and/or other materials provided with the distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
	* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
	* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
	* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
	* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	*/

	#ifndef XSSFilter_h
	#define XSSFilter_h

	#include "HTMLToken.h"
	#include "HTTPParsers.h"
	#include "SuffixTree.h"

	namespace WebCore {

	class HTMLDocumentParser;

	class XSSFilter {
	WTF_MAKE_NONCOPYABLE(XSSFilter);
	public:
	explicit XSSFilter(HTMLDocumentParser*);

	void filterToken(HTMLToken&);

	private:
	enum State {
	Uninitialized,
	Initial,
	AfterScriptStartTag,
	};

	void init();

	bool filterTokenInitial(HTMLToken&);
	bool filterTokenAfterScriptStartTag(HTMLToken&);

	bool filterScriptToken(HTMLToken&);
	bool filterObjectToken(HTMLToken&);
	bool filterParamToken(HTMLToken&);
	bool filterEmbedToken(HTMLToken&);
	bool filterAppletToken(HTMLToken&);
	bool filterIframeToken(HTMLToken&);
	bool filterMetaToken(HTMLToken&);
	bool filterBaseToken(HTMLToken&);
	bool filterFormToken(HTMLToken&);

	bool eraseDangerousAttributesIfInjected(HTMLToken&);
	bool eraseAttributeIfInjected(HTMLToken&, const QualifiedName&, const String& replacementValue = String());

	String snippetForRange(const HTMLToken&, int start, int end);
	String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);

	bool isContainedInRequest(const String&);
	bool isSameOriginResource(const String& url);

	HTMLDocumentParser* m_parser;
	bool m_isEnabled;
	XSSProtectionDisposition m_xssProtection;

	String m_decodedURL;
	String m_decodedHTTPBody;
	OwnPtr<SuffixTree<ASCIICodebook> > m_decodedHTTPBodySuffixTree;

	State m_state;
	String m_cachedSnippet;
	};

	}

	#endif