author | Xiaocheng Hu <xiaochengh@chromium.org> | 2022-04-25 20:57:43 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-23 09:08:57 +0000 |
commit | 1eef7ecd2c2c644f8abaa83ce77e663415c6ec43 (patch) | |
tree | 6641f1450db5482d3c5742576ee21f757664b55d | |
parent | 73d8d18f1f662923716a03437d6ffee829deb5a6 (diff) | |
download | qtwebengine-chromium-1eef7ecd2c2c644f8abaa83ce77e663415c6ec43.tar.gz |
[Backport] CVE-2022-1492: Insufficient data validation in Blink Editing
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3589799:
Sanitize DragData markup before inserting it into document
(cherry picked from commit 5164a0fe3391283663e1196cf4576ec233985e89)
Fixed: 1315040
Change-Id: I8a0ddfb983d12c185f7e943d3d5277788199b011
Quick-Run: Xiaocheng Hu <xiaochengh@chromium.org>
Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#991324}
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Owners-Override: Achuith Bhandarkar <achuith@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1602}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/page/drag_data.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/drag_data.cc b/chromium/third_party/blink/renderer/core/page/drag_data.cc index d5ace3a879a..36ad9f68d3a 100644 --- a/chromium/third_party/blink/renderer/core/page/drag_data.cc +++ b/chromium/third_party/blink/renderer/core/page/drag_data.cc @@ -131,8 +131,8 @@ DocumentFragment* DragData::AsFragment(LocalFrame* frame) const { platform_drag_data_->HtmlAndBaseURL(html, base_url); DCHECK(frame->GetDocument()); if (DocumentFragment* fragment = - CreateFragmentFromMarkup(*frame->GetDocument(), html, base_url, - kDisallowScriptingAndPluginContent)) + CreateSanitizedFragmentFromMarkupWithContext( + *frame->GetDocument(), html, 0, html.length(), base_url)) return fragment; } |
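Review bot: the replacement call in this hunk drops the explicit kDisallowScriptingAndPluginContent argument that the removed CreateFragmentFromMarkup call passed, and nothing visible here shows whether CreateSanitizedFragmentFromMarkupWithContext applies that parser content policy on its own; a one-line comment above the new call stating that the sanitized path still excludes script and plugin content, and that the sanitization is what addresses the drag-data markup issue named in the commit title, would make the intent reviewable without chasing the callee. The context range passed as `0, html.length()` covers the whole markup string, which matches the previous whole-string call, so no behavioural narrowing is introduced by the range itself.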