beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-26 09:30:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

LibWeb: XHR set_request_header() validate header name and value

Browse source
This commit is contained in:
Kenneth Myhra 2022-04-13 22:05:36 +02:00 committed by Linus Groh
parent 1ca1a73d67
commit 01194053b7
Notes: sideshowbarker 2024-07-17 11:35:16 +09:00 
Author: https://github.com/kennethmyhra
Commit: https://github.com/SerenityOS/serenity/commit/01194053b7
Pull-request: https://github.com/SerenityOS/serenity/pull/13520
Reviewed-by: https://github.com/alimpfard
Reviewed-by: https://github.com/linusg
1 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
View file

@ -394,6 +394,13 @@ static bool is_method(String const& method)
return regex.has_match(method);
}
// https://fetch.spec.whatwg.org/#header-name
static bool is_header_name(String const& header_name)
{
Regex<ECMA262Parser> regex { R"~~~(^[A-Za-z0-9!#$%&'*+-.^_`|~]+$)~~~" };
return regex.has_match(header_name);
}
// https://fetch.spec.whatwg.org/#concept-method-normalize
static String normalize_method(String const& method)
{
@ -409,6 +416,16 @@ static String normalize_header_value(String const& header_value)
return header_value.trim(StringView { http_whitespace_bytes });
}
// https://fetch.spec.whatwg.org/#header-value
static bool is_header_value(String const& header_value)
{
for (auto const& character : header_value.view()) {
if (character == '\0' || character == '\n' || character == '\r')
return false;
}
return true;
}
// https://xhr.spec.whatwg.org/#dom-xmlhttprequest-setrequestheader
DOM::ExceptionOr<void> XMLHttpRequest::set_request_header(String const& name, String const& value)
{
@ -423,8 +440,11 @@ DOM::ExceptionOr<void> XMLHttpRequest::set_request_header(String const& name, St
// 3. Normalize value.
auto normalized_value = normalize_header_value(value);
// FIXME: 4. If name is not a header name or value is not a header value,
// then throw a "SyntaxError" DOMException.
// 4. If name is not a header name or value is not a header value, then throw a "SyntaxError" DOMException.
if (!is_header_name(name))
return DOM::SyntaxError::create("Header name contains invalid characters.");
if (!is_header_value(value))
return DOM::SyntaxError::create("Header value contains invalid characters.");
// 5. If name is a forbidden header name, then return.
if (is_forbidden_header_name(name))