diff --git a/src/components/script/dom/bindings/str.rs b/src/components/script/dom/bindings/str.rs
index a091060c66b..ae6c721abea 100644
--- a/src/components/script/dom/bindings/str.rs
+++ b/src/components/script/dom/bindings/str.rs
@@ -47,6 +47,9 @@ impl ByteString {
 pub fn is_token(&self) -> bool {
 let ByteString(ref vec) = *self;
+ if vec.len() == 0 {
+ return false; // A token must be at least a single character
+ }
 vec.iter().all(|&x| {
 // http://tools.ietf.org/html/rfc2616#section-2.2
 match x {
@@ -55,6 +58,7 @@ impl ByteString {
 44 | 59 | 58 | 92 | 34 | 47 | 91 | 93 | 63 | 61 | 123 | 125 | 32 => false, // separators
+ x if x > 127 => false, // non-CHARs
 _ => true
 }
 })
diff --git a/src/components/script/dom/xmlhttprequest.rs b/src/components/script/dom/xmlhttprequest.rs
index 60af7c394b1..cc99bb4ea88 100644
--- a/src/components/script/dom/xmlhttprequest.rs
+++ b/src/components/script/dom/xmlhttprequest.rs
@@ -301,7 +301,7 @@ impl<'a> XMLHttpRequestMethods<'a> for JSRef<'a, XMLHttpRequest> {
 };
 // XXXManishearth Do some handling of username/passwords
 if self.sync {
- // FIXME: This should only happen if the global environmet is a document environment
+ // FIXME: This should only happen if the global environment is a document environment
 if self.timeout != 0 || self.with_credentials || self.response_type != _empty {
 return Err(InvalidAccess)
 }
@@ -320,6 +320,8 @@ impl<'a> XMLHttpRequestMethods<'a> for JSRef<'a, XMLHttpRequest> {
 }
 Ok(())
 },
+ // This includes cases where as_str() returns None, and when is_token() returns false,
+ // both of which indicate invalid extension method names
 _ => Err(Syntax), // Step 3
 }
 }
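Review bot: Nothing in this diff pins the two new rejections in `is_token` with a test: the empty-input guard in this hunk and the `x if x > 127` arm in the next one. Per the comment added in xmlhttprequest.rs, a false result from `is_token()` is what turns a method name into `Err(Syntax)`. The guard is needed because `all()` over an empty vector is true, and the comment could say so: `// all() is true for an empty vector, but a token needs at least one character`. Cases worth covering are the empty string, bytes 127 and 128, and one separator; tests may exist outside the files shown. The body of `is_token` continues past the end of this hunk.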
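Review bot: The match still ends in `_ => true`, so a byte counts as a token character unless some arm denies it, and the new `x if x > 127 => false` arm is one more entry on that deny-list. For a validator the safer shape is an arm after the separators that accepts only the printable range RFC 2616 allows, with `_ => false` as the final arm, so a forgotten case fails closed. If the deny-list stays, the guard can be written `_ if x > 127 => false`, which avoids rebinding the closure's `x`. The first arms of the match lie outside this hunk, so this assumes they only deny.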