提交 b5ba4cf7 编写于 作者: I igerasim

8226765: Commentary on Javadoc comments

Reviewed-by: jjg, rhalade, skoivu
上级 3db59b62
...@@ -68,12 +68,10 @@ public class JavaScriptScanner { ...@@ -68,12 +68,10 @@ public class JavaScriptScanner {
private boolean newline = true; private boolean newline = true;
Map<String, TagParser> tagParsers; Map<String, TagParser> tagParsers;
Set<String> eventAttrs;
Set<String> uriAttrs; Set<String> uriAttrs;
public JavaScriptScanner() { public JavaScriptScanner() {
initTagParsers(); initTagParsers();
initEventAttrs();
initURIAttrs(); initURIAttrs();
} }
...@@ -100,7 +98,11 @@ public class JavaScriptScanner { ...@@ -100,7 +98,11 @@ public class JavaScriptScanner {
private void checkHtmlAttr(String name, String value) { private void checkHtmlAttr(String name, String value) {
String n = name.toLowerCase(Locale.ENGLISH); String n = name.toLowerCase(Locale.ENGLISH);
if (eventAttrs.contains(n) // https://www.w3.org/TR/html52/fullindex.html#attributes-table
// See https://www.w3.org/TR/html52/webappapis.html#events-event-handlers
// An event handler has a name, which always starts with "on" and is followed by
// the name of the event for which it is intended.
if (n.startsWith("on")
|| uriAttrs.contains(n) || uriAttrs.contains(n)
&& value != null && value.toLowerCase(Locale.ENGLISH).trim().startsWith("javascript:")) { && value != null && value.toLowerCase(Locale.ENGLISH).trim().startsWith("javascript:")) {
reporter.report(); reporter.report();
...@@ -1060,34 +1062,6 @@ public class JavaScriptScanner { ...@@ -1060,34 +1062,6 @@ public class JavaScriptScanner {
} }
private void initEventAttrs() {
eventAttrs = new HashSet<>(Arrays.asList(
// See https://www.w3.org/TR/html-markup/global-attributes.html#common.attrs.event-handler
"onabort", "onblur", "oncanplay", "oncanplaythrough",
"onchange", "onclick", "oncontextmenu", "ondblclick",
"ondrag", "ondragend", "ondragenter", "ondragleave",
"ondragover", "ondragstart", "ondrop", "ondurationchange",
"onemptied", "onended", "onerror", "onfocus", "oninput",
"oninvalid", "onkeydown", "onkeypress", "onkeyup",
"onload", "onloadeddata", "onloadedmetadata", "onloadstart",
"onmousedown", "onmousemove", "onmouseout", "onmouseover",
"onmouseup", "onmousewheel", "onpause", "onplay",
"onplaying", "onprogress", "onratechange", "onreadystatechange",
"onreset", "onscroll", "onseeked", "onseeking",
"onselect", "onshow", "onstalled", "onsubmit", "onsuspend",
"ontimeupdate", "onvolumechange", "onwaiting",
// See https://www.w3.org/TR/html4/sgml/dtd.html
// Most of the attributes that take a %Script are also defined as event handlers
// in HTML 5. The one exception is onunload.
// "onchange", "onclick", "ondblclick", "onfocus",
// "onkeydown", "onkeypress", "onkeyup", "onload",
// "onmousedown", "onmousemove", "onmouseout", "onmouseover",
// "onmouseup", "onreset", "onselect", "onsubmit",
"onunload"
));
}
private void initURIAttrs() { private void initURIAttrs() {
uriAttrs = new HashSet<>(Arrays.asList( uriAttrs = new HashSet<>(Arrays.asList(
// See https://www.w3.org/TR/html4/sgml/dtd.html // See https://www.w3.org/TR/html4/sgml/dtd.html
......
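Review bot: The condition in checkHtmlAttr now reads `n.startsWith("on") || uriAttrs.contains(n) && value != null && ...` with no parentheses, so a reader has to recall that `&&` binds tighter than `||` to see that the `javascript:` value test applies only to URI attributes and that any `on*` name is reported whatever its value. I would group the second operand explicitly, `|| (uriAttrs.contains(n) && value != null && value.toLowerCase(Locale.ENGLISH).trim().startsWith("javascript:"))`, and extend the comment to say that the prefix match is deliberately broader than the HTML 5.2 attribute table so that unknown or future handlers are also reported. The URI branch still depends on the enumerated `uriAttrs` set, which is collapsed on this page, so it presumably does not get the same future-proofing; it is worth confirming that list against the same spec revision. The method body continues past the end of the hunk.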
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
/** /**
* @test * @test
* @bug 8138725 * @bug 8138725 8226765
* @summary test --allow-script-in-comments * @summary test --allow-script-in-comments
* @run main TestScriptInComment * @run main TestScriptInComment
*/ */
...@@ -65,6 +65,10 @@ public class TestScriptInComment { ...@@ -65,6 +65,10 @@ public class TestScriptInComment {
WS("< script >#ALERT</script>", false, "-Xdoclint:none"), // script tag with invalid white space WS("< script >#ALERT</script>", false, "-Xdoclint:none"), // script tag with invalid white space
SA("<script src=\"file\"> #ALERT </script>", true), // script tag with an attribute SA("<script src=\"file\"> #ALERT </script>", true), // script tag with an attribute
ON("<a onclick='#ALERT'>x</a>", true), // event handler attribute ON("<a onclick='#ALERT'>x</a>", true), // event handler attribute
OME("<img alt='1' onmouseenter='#ALERT'>", true), // onmouseenter event handler attribute
OML("<img alt='1' onmouseleave='#ALERT'>", true), // onmouseleave event handler attribute
OFI("<a href='#' onfocusin='#ALERT'>x</a>", true), // onfocusin event handler attribute
OBE("<a onbogusevent='#ALERT'>x</a>", true), // bogus/future event handler attribute
URI("<a href='javascript:#ALERT'>x</a>", true); // javadcript URI URI("<a href='javascript:#ALERT'>x</a>", true); // javadcript URI
/** /**
......
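Review bot: The four added cases (OME, OML, OFI, OBE) all use lower-case attribute names and all expect a report, so neither the scanner's case folding nor the boundary of the new prefix rule is exercised. HTML attribute names are case-insensitive, so a case such as `ONU("<a ONCLICK='#ALERT'>x</a>", true), // upper-case event handler attribute` would pin the `toLowerCase` path. If the harness can express it, a negative control using an attribute whose name contains but does not start with "on" would guard against the rule being widened by accident. The meaning of the boolean argument is inferred from the neighbouring entries, since the enum constructor lies outside this hunk.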