Comment parsing: in the generated XML file, mark HTML that is safe to pass
through to the output even if the input comment comes from an untrusted source
Attribute filtering is currently based on a blacklist, which right now includes
all event handler attributes (they contain JavaScipt code). It should be
switched to a whitelist, but going over all of the HTML5 spec requires a
significant amount of time.
llvm-svn: 206882
diff --git a/clang/lib/Index/CommentToXML.cpp b/clang/lib/Index/CommentToXML.cpp
index 43c4232..377440f 100644
--- a/clang/lib/Index/CommentToXML.cpp
+++ b/clang/lib/Index/CommentToXML.cpp
@@ -667,14 +667,20 @@
void CommentASTToXMLConverter::visitHTMLStartTagComment(
const HTMLStartTagComment *C) {
- Result << "<rawHTML><![CDATA[";
+ Result << "<rawHTML";
+ if (C->isSafeToPassThrough())
+ Result << " isSafeToPassThrough=\"1\"";
+ Result << "><![CDATA[";
printHTMLStartTagComment(C, Result);
Result << "]]></rawHTML>";
}
void
CommentASTToXMLConverter::visitHTMLEndTagComment(const HTMLEndTagComment *C) {
- Result << "<rawHTML></" << C->getTagName() << "></rawHTML>";
+ Result << "<rawHTML";
+ if (C->isSafeToPassThrough())
+ Result << " isSafeToPassThrough=\"1\"";
+ Result << "></" << C->getTagName() << "></rawHTML>";
}
void