author | Johann Hofmann <mail@johann-hofmann.com> | 2016-08-01 13:37:54 +0200 |
---|---|---|
committer | Johann Hofmann <mail@johann-hofmann.com> | 2016-08-01 17:25:23 +0200 |
commit | ff6283a63c092d7c265fec79a1ad46877b95fe03 (patch) | |
tree | 6a0038403a73a119dffd052cae080bcad5b05ea1 /components/script/dom/servohtmlparser.rs | |
parent | 7e39efa2dfb37a87745c1548e313527806891777 (diff) | |
Prevent injection vulnerability in image page
Diffstat (limited to 'components/script/dom/servohtmlparser.rs')
-rw-r--r-- | components/script/dom/servohtmlparser.rs | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/components/script/dom/servohtmlparser.rs b/components/script/dom/servohtmlparser.rs index a28612416fc..09ee38a1232 100644 --- a/components/script/dom/servohtmlparser.rs +++ b/components/script/dom/servohtmlparser.rs @@ -7,13 +7,18 @@ use document_loader::LoadType; use dom::bindings::cell::DOMRefCell; +use dom::bindings::codegen::Bindings::DocumentBinding::DocumentMethods; +use dom::bindings::codegen::Bindings::HTMLImageElementBinding::HTMLImageElementMethods; +use dom::bindings::codegen::Bindings::NodeBinding::NodeMethods; use dom::bindings::codegen::Bindings::ServoHTMLParserBinding; use dom::bindings::global::GlobalRef; use dom::bindings::js::{JS, Root}; use dom::bindings::refcounted::Trusted; use dom::bindings::reflector::{Reflector, reflect_dom_object}; +use dom::bindings::str::DOMString; use dom::bindings::trace::JSTraceable; use dom::document::Document; +use dom::htmlimageelement::HTMLImageElement; use dom::node::Node; use dom::window::Window; use encoding::all::UTF_8; @@ -112,13 +117,20 @@ impl AsyncResponseListener for ParserContext { match content_type { Some(ContentType(Mime(TopLevel::Image, _, _))) => { self.is_synthesized_document = true; - let page = format!("<html><body><img src='{}' /></body></html>", self.url); + let page = "<html><body></body></html>".into(); parser.pending_input().borrow_mut().push(page); parser.parse_sync(); + + let doc = parser.document(); + let doc_body = Root::upcast::<Node>(doc.GetBody().unwrap()); + let img = HTMLImageElement::new(atom!("img"), None, doc); + img.SetSrc(DOMString::from(self.url.to_string())); + doc_body.AppendChild(&Root::upcast::<Node>(img)).expect("Appending failed"); + }, Some(ContentType(Mime(TopLevel::Text, SubLevel::Plain, _))) => { // https://html.spec.whatwg.org/multipage/#read-text - let page = format!("<pre>\n"); + let page = "<pre>\n".into(); parser.pending_input().borrow_mut().push(page); parser.parse_sync(); parser.set_plaintext_state(); |
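Review bot: In the `TopLevel::Image` arm nothing records why the `<img>` is now created with `HTMLImageElement::new` and `SetSrc` rather than formatted into the page string, so a later cleanup could reintroduce interpolation of `self.url` into markup. I would add a comment above `let doc = parser.document();`, for example `// Build the <img> through the DOM: self.url is untrusted and must never be spliced into markup.` On the following line, `doc.GetBody().unwrap()` depends on `parse_sync()` having already produced the body of the synthesized `<html><body></body></html>`; `.expect("synthesized image document must have a body")` would state that invariant where it can fail. This page is limited to one file, so I cannot tell whether a regression test accompanies the change; if none does, one that loads an image URL containing markup characters and asserts the body holds exactly one `img` child would pin the fix. The enclosing function begins and ends outside the hunk.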