author | Xiaocheng Hu <xiaochengh@chromium.org> | 2020-10-27 05:43:59 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-12-09 13:43:10 +0000 |
commit | c1cc6046fbc810daf91263b01953c359f6ad2c21 (patch) | |
tree | 216ef53b0aaf072f9e2b7cbe6dd22518b2ef1733 | |
parent | 2b0be93dc423c7958bcc49aed5f57c312b3b430d (diff) | |
[Backport] CVE-2020-16030: Insufficient data validation in Blink
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2500633:
Apply markup sanitizer in CompositeEditCommand::MoveParagraphs()
CompositeEditCommand::MoveParagraphs() serializes part of the DOM and
then re-parses it and inserts it at some other place in the document. This
is essentially a copy-and-paste, and can be exploited in the same way
that copy-and-paste is exploited. So we should also sanitize markup in
the function.
Bug: 1141350
Change-Id: I25c1dfc61c20b9134b23e057c5a3a0f56c190b5c
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#821098
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc | 25 |
1 files changed, 12 insertions, 13 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc b/chromium/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
index 3139bf6409c..75f5aa9d4e1 100644
--- a/chromium/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
+++ b/chromium/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
@@ -1470,19 +1470,18 @@ void CompositeEditCommand::MoveParagraphs(
 // FIXME: This is an inefficient way to preserve style on nodes in the
 // paragraph to move. It shouldn't matter though, since moved paragraphs will
 // usually be quite small.
- DocumentFragment* fragment =
- start_of_paragraph_to_move.DeepEquivalent() !=
- end_of_paragraph_to_move.DeepEquivalent()
- ? CreateFragmentFromMarkup(
- GetDocument(),
- CreateMarkup(start.ParentAnchoredEquivalent(),
- end.ParentAnchoredEquivalent(),
- CreateMarkupOptions::Builder()
- .SetShouldConvertBlocksToInlines(true)
- .SetConstrainingAncestor(constraining_ancestor)
- .Build()),
- "", kDisallowScriptingAndPluginContent)
- : nullptr;
+ DocumentFragment* fragment = nullptr;
+ if (start_of_paragraph_to_move.DeepEquivalent() !=
+ end_of_paragraph_to_move.DeepEquivalent()) {
+ const String paragraphs_markup = CreateMarkup(
+ start.ParentAnchoredEquivalent(), end.ParentAnchoredEquivalent(),
+ CreateMarkupOptions::Builder()
+ .SetShouldConvertBlocksToInlines(true)
+ .SetConstrainingAncestor(constraining_ancestor)
+ .Build());
+ fragment = CreateSanitizedFragmentFromMarkupWithContext(
+ GetDocument(), paragraphs_markup, 0, paragraphs_markup.length(), "");
+ }
 // A non-empty paragraph's style is moved when we copy and move it. We don't
 // move anything if we're given an empty paragraph, but an empty paragraph can |