author | dpapad <dpapad@chromium.org> | 2020-04-23 00:17:42 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-07-24 16:33:53 +0000 |
commit | 572a93d8f1495d877f522bfb7303c92a8b6c8ca1 (patch) | |
tree | c037f3573a2b16ac11d7ad47e3f25d478ebb7f01 | |
parent | 9c52e6b3360ce4120e8b3e965e816f67361db6f1 (diff) | |
download | qtwebengine-chromium-572a93d8f1495d877f522bfb7303c92a8b6c8ca1.tar.gz |
[Backport] CVE-2020-6535: Insufficient data validation in WebUI
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2161355:
Use parseHTMLSubset() in chrome://histograms.
This prevents a maliciously created histogram name from injecting
code (XSS) in the context of chrome://histograms.
Fixed: 1073409
Change-Id: I75c9a26b95363cad4a470ed6488718421289961e
Commit-Queue: dpapad <dpapad@chromium.org>
Auto-Submit: dpapad <dpapad@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Cr-Commit-Position: refs/heads/master@{#761723}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
3 files changed, 8 insertions, 3 deletions
diff --git a/chromium/content/browser/resources/histograms/BUILD.gn b/chromium/content/browser/resources/histograms/BUILD.gn
index 9b67dcd52b2..08c7f14373f 100644
--- a/chromium/content/browser/resources/histograms/BUILD.gn
+++ b/chromium/content/browser/resources/histograms/BUILD.gn
@@ -13,6 +13,7 @@ js_type_check("closure_compile") {
 js_library("histograms_internals") {
 deps = [
 "//ui/webui/resources/js:cr",
+ "//ui/webui/resources/js:parse_html_subset",
 "//ui/webui/resources/js:util",
 ]
 }
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.html b/chromium/content/browser/resources/histograms/histograms_internals.html
index 16a224365a4..77e9484faf4 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.html
+++ b/chromium/content/browser/resources/histograms/histograms_internals.html
@@ -8,6 +8,7 @@
 <script src="chrome://resources/js/cr.js"></script>
 <script src="chrome://resources/js/promise_resolver.js"></script>
 <script src="chrome://resources/js/util.js"></script>
+ <script src="chrome://resources/js/parse_html_subset.js"></script>
 <script src="histograms_internals.js"></script>
 <title>Histograms</title>
 </head>
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.js b/chromium/content/browser/resources/histograms/histograms_internals.js
index 428fc36261f..80bfe58015a 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.js
+++ b/chromium/content/browser/resources/histograms/histograms_internals.js
@@ -22,9 +22,12 @@ function addHistograms(histograms) {
 for (let histogram of histograms) htmlOutput += histogram;
- // NOTE: This is generally unsafe due to XSS attacks. Make sure |htmlOutput|
- // cannot be modified by an external party.
- $('histograms').innerHTML = htmlOutput;
+ // The following HTML tags are coming from
+ // |HistogramsMessageHandler::HandleRequestHistograms|.
+ const sanitizedHTML = parseHtmlSubset(`<span>${htmlOutput}</span>`, [
+ 'PRE', 'H4', 'BR', 'HR'
+ ]).firstChild.innerHTML;
+ $('histograms').innerHTML = sanitizedHTML;
 }
 /** |
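Review bot: The new `parseHtmlSubset()` call fails closed — as far as I recall it throws on any tag or attribute outside the allowlist rather than stripping it — so a histogram name the C++ side did not escape, or a new tag emitted by `HandleRequestHistograms` without a matching entry in `['PRE', 'H4', 'BR', 'HR']`, makes `addHistograms()` throw and leaves chrome://histograms empty with only a console error. That is the right outcome for an XSS guard, but the added comment does not say so; I would extend it with `// parseHtmlSubset() throws on anything outside this allowlist, so keep it in sync with the handler.` Hoisting the allowlist into a module-level `const` next to the function would also make that coupling easier to find when the handler changes. `addHistograms()` begins before the hunk, so the declaration of `htmlOutput` is not visible here.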