authorXiaocheng Hu <xiaochengh@chromium.org>2022-04-25 20:57:43 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-05-23 09:08:57 +0000
commit1eef7ecd2c2c644f8abaa83ce77e663415c6ec43 (patch)
tree6641f1450db5482d3c5742576ee21f757664b55d
parent73d8d18f1f662923716a03437d6ffee829deb5a6 (diff)
downloadqtwebengine-chromium-1eef7ecd2c2c644f8abaa83ce77e663415c6ec43.tar.gz
[Backport] CVE-2022-1492: Insufficient data validation in Blink Editing
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3589799: Sanitize DragData markup before inserting it into document (cherry picked from commit 5164a0fe3391283663e1196cf4576ec233985e89) Fixed: 1315040 Change-Id: I8a0ddfb983d12c185f7e943d3d5277788199b011 Quick-Run: Xiaocheng Hu <xiaochengh@chromium.org> Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org> Commit-Queue: Kent Tamura <tkent@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#991324} Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Owners-Override: Achuith Bhandarkar <achuith@chromium.org> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/4664@{#1602} Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/page/drag_data.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/drag_data.cc b/chromium/third_party/blink/renderer/core/page/drag_data.cc
index d5ace3a879a..36ad9f68d3a 100644
--- a/chromium/third_party/blink/renderer/core/page/drag_data.cc
+++ b/chromium/third_party/blink/renderer/core/page/drag_data.cc
@@ -131,8 +131,8 @@ DocumentFragment* DragData::AsFragment(LocalFrame* frame) const {
platform_drag_data_->HtmlAndBaseURL(html, base_url);
DCHECK(frame->GetDocument());
if (DocumentFragment* fragment =
- CreateFragmentFromMarkup(*frame->GetDocument(), html, base_url,
- kDisallowScriptingAndPluginContent))
+ CreateSanitizedFragmentFromMarkupWithContext(
+ *frame->GetDocument(), html, 0, html.length(), base_url))
return fragment;
}