From 93043620bc63102f3316bfbec4aab33d06df334b Mon Sep 17 00:00:00 2001 From: Dmitri Gribenko Date: Tue, 22 Apr 2014 10:59:13 +0000 Subject: Comment parsing: in the generated XML file, mark HTML that is safe to pass through to the output even if the input comment comes from an untrusted source Attribute filtering is currently based on a blacklist, which right now includes all event handler attributes (they contain JavaScipt code). It should be switched to a whitelist, but going over all of the HTML5 spec requires a significant amount of time. llvm-svn: 206882
---
clang/lib/Index/CommentToXML.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'clang/lib/Index/CommentToXML.cpp')
diff --git a/clang/lib/Index/CommentToXML.cpp b/clang/lib/Index/CommentToXML.cpp
index 43c423274da..377440f81d5 100644
--- a/clang/lib/Index/CommentToXML.cpp
+++ b/clang/lib/Index/CommentToXML.cpp
@@ -667,14 +667,20 @@ void CommentASTToXMLConverter::visitInlineCommandComment( void CommentASTToXMLConverter::visitHTMLStartTagComment( const HTMLStartTagComment *C) { - Result << "isSafeToPassThrough()) + Result << " isSafeToPassThrough=\"1\""; + Result << ">"; } void CommentASTToXMLConverter::visitHTMLEndTagComment(const HTMLEndTagComment *C) { - Result << "</" << C->getTagName() << ">"; + Result << "isSafeToPassThrough()) + Result << " isSafeToPassThrough=\"1\""; + Result << "></" << C->getTagName() << ">"; } void -- cgit v1.2.3
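Review bot: In both `visitHTMLStartTagComment` and `visitHTMLEndTagComment`, the new `isSafeToPassThrough="1"` attribute is emitted with no statement of what it guarantees, while the commit message says the underlying filter is a denylist that currently covers only event-handler attributes. A consumer of the XML could read the flag as a complete sanitization verdict, so I would add a comment at the first emit site such as `// "Safe" reflects a denylist of event-handler attributes only; renderers of untrusted comments must still sanitize or escape.` The same conditional emit (`if (C->isSafeToPassThrough()) Result << " isSafeToPassThrough=\"1\"";`) is repeated in both visitors and could move into one small helper so the attribute name and value cannot drift apart. The string literals in this hunk appear to have been damaged when the page was extracted, so these remarks rest only on the lines that survived.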