[Sanitizer] Check for SVG animate targets by parsing the QName. [chromium/src : main]
0 views
Skip to first unread message
Daniel Vogelheim (Gerrit)
Feb 27, 2026, 12:27:25 PM (yesterday) Feb 27
to Daniel Vogelheim, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, Dirk Schulze, Fredrik Söderquist, Olga Gerchikov, Stephen Chenney, blink-revie...@chromium.org, blink-...@chromium.org, fmalit...@chromium.org, kouhe...@chromium.org, pdr+svgw...@chromium.org
Attention needed from Joey Arhar
Daniel Vogelheim voted Commit-Queue+0![]( "Open in Gerrit")
| Commit-Queue | +0 |
Related details
Attention is currently required from:
- Joey Arhar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Joey Arhar (Gerrit)
Feb 27, 2026, 4:22:54 PM (yesterday) Feb 27
to Daniel Vogelheim, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, Dirk Schulze, Fredrik Söderquist, Olga Gerchikov, Stephen Chenney, blink-revie...@chromium.org, blink-...@chromium.org, fmalit...@chromium.org, kouhe...@chromium.org, pdr+svgw...@chromium.org
Attention needed from Daniel Vogelheim
Joey Arhar voted and added 1 comment![]( "Open in Gerrit")
Votes added by Joey Arhar
| Code-Review | +1 |
1 comment
File third_party/blink/renderer/core/sanitizer/sanitizer_unittest.cc
Line 19, Patchset 7 (Latest):
TEST_F(SanitizerTest, Regression) {Joey Arhar . unresolved
I think a more descriptive name would be better?
Related details
Attention is currently required from:
- Daniel Vogelheim
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Daniel Vogelheim (Gerrit)
11:09 AM (10 hours ago) 11:09 AM
to Daniel Vogelheim, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, Dirk Schulze, Fredrik Söderquist, Olga Gerchikov, Stephen Chenney, blink-revie...@chromium.org, blink-...@chromium.org, fmalit...@chromium.org, kouhe...@chromium.org, pdr+svgw...@chromium.org
Daniel Vogelheim added 1 comment![]( "Open in Gerrit")
File third_party/blink/renderer/core/sanitizer/sanitizer_unittest.cc
I think a more descriptive name would be better?
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Daniel Vogelheim (Gerrit)
11:09 AM (10 hours ago) 11:09 AM
to Daniel Vogelheim, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, Dirk Schulze, Fredrik Söderquist, Olga Gerchikov, Stephen Chenney, blink-revie...@chromium.org, blink-...@chromium.org, fmalit...@chromium.org, kouhe...@chromium.org, pdr+svgw...@chromium.org
Daniel Vogelheim voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Chromium LUCI CQ (Gerrit)
11:16 AM (10 hours ago) 11:16 AM
to Daniel Vogelheim, Menard, Alexis, chromium...@chromium.org, Dirk Schulze, Fredrik Söderquist, Olga Gerchikov, Stephen Chenney, blink-revie...@chromium.org, blink-...@chromium.org, fmalit...@chromium.org, kouhe...@chromium.org, pdr+svgw...@chromium.org
Chromium LUCI CQ submitted the change with unreviewed changes![]( "Open in Gerrit")
Unreviewed changes
7 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: third_party/blink/renderer/core/sanitizer/sanitizer_unittest.cc
Insertions: 1, Deletions: 1.
@@ -16,7 +16,7 @@
class SanitizerTest : public PageTestBase {};
// Regression test for crbug.com/487863654.
-TEST_F(SanitizerTest, Regression) {
+TEST_F(SanitizerTest, SvgSetWithMultipleColons) {
// Payload from crbug.com/487863654.
const char* payload =
R"X(<svg viewBox="0 0 240 80" xmlns:xlink="http://www.w3.org/1999/xlink"><a id="foo"><text x="20" y="20">click me</text></a><set href="#foo" attributeName="xlink:href:x" to="javascript:alert()"></set></svg>)X";
```
```
The name of the file: third_party/blink/renderer/core/sanitizer/sanitizer.h
Insertions: 1, Deletions: 1.
@@ -129,7 +129,7 @@
// Helper for constructors: Copy from other Sanitizer.
void setFrom(const Sanitizer&);
- FRIEND_TEST_ALL_PREFIXES(SanitizerTest, Regression);
+ FRIEND_TEST_ALL_PREFIXES(SanitizerTest, SvgSetWithMultipleColons);
private:
enum class SanitizerBoolWithAbsence { kAbsent, kTrue, kFalse };
```
Change information
Commit message:
[Sanitizer] Check for SVG animate targets by parsing the QName.
To check whether an <svg:set> (& other animate elements) targets a
href/xlink:href attribute, we presently use a string comparison.
That is what the spec says. This may fail, because the actual
interpretation of that value is more complex. Instead, we properly
parse the attribute name, just like SVGAnimateElement::ConstructQualifiedName does.
Bug: 487863654
Change-Id: Ib263b10493952775a8efa7dc66191f9bc90a0920
Commit-Queue: Daniel Vogelheim <voge...@chromium.org>
Reviewed-by: Joey Arhar <jar...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1592033}
Files:
- M third_party/blink/renderer/core/sanitizer/build.gni
- M third_party/blink/renderer/core/sanitizer/sanitizer.cc
- M third_party/blink/renderer/core/sanitizer/sanitizer.h
- A third_party/blink/renderer/core/sanitizer/sanitizer_unittest.cc
Change size: S
Delta: 4 files changed, 43 insertions(+), 1 deletion(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Joey Arhar
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages