author | Xiaocheng Hu <xiaochengh@chromium.org> | 2019-11-26 00:06:38 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 12:11:09 +0000 |
commit | bca907a58b5ddafda0f7dd05cc487ffaa8f29041 (patch) | |
tree | 7e3dcb4a72ed12ecddaf576a084b0269405fb082 | |
parent | 4ceb67df8cd83edb47bf473934decff6a1ebf919 (diff) | |
download | qtwebengine-chromium-bca907a58b5ddafda0f7dd05cc487ffaa8f29041.tar.gz |
[Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (2/3)
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1931412:
Strip SVGStyleElement in ReplaceSelectionCommand
crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left
a loophole for SVGStyleElement. This patch also strips it.
Bug: 1017871
Change-Id: I8bd3ffbc8a9dc833b6cc2571c7e9ebf999bf495b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
index 47b3272da0a..c8ce261c69d 100644
--- a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
+++ b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
@@ -64,6 +64,7 @@
 #include "third_party/blink/renderer/core/input_type_names.h"
 #include "third_party/blink/renderer/core/layout/layout_object.h"
 #include "third_party/blink/renderer/core/layout/layout_text.h"
+#include "third_party/blink/renderer/core/svg/svg_style_element.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/instrumentation/tracing/trace_event.h"
 #include "third_party/blink/renderer/platform/wtf/std_lib_extras.h"
@@ -831,7 +832,7 @@ static void RemoveHeadContents(ReplacementFragment& fragment) {
 for (Node* node = fragment.FirstChild(); node; node = next) {
 if (IsHTMLBaseElement(*node) || IsHTMLLinkElement(*node) ||
 IsHTMLMetaElement(*node) || IsHTMLStyleElement(*node) ||
- IsHTMLTitleElement(*node)) {
+ IsHTMLTitleElement(*node) || IsSVGStyleElement(*node)) {
 next = NodeTraversal::NextSkippingChildren(*node);
 fragment.RemoveNode(node);
 } else { |
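Review bot: The condition in RemoveHeadContents is a denylist of element-type predicates, and the added `IsSVGStyleElement(*node)` term has no comment explaining why an SVG element is stripped by a function named for head contents; the commit message says the earlier clipboard sanitizer missed this case, so the reason belongs next to the check. I would add above the `if`: `// SVG <style> carries a stylesheet just like HTML <style>; strip it from pasted fragments too (Bug 1017871).` The diffstat lists only this file, so the backport appears to ship without a regression test asserting that a pasted fragment containing an SVG `<style>` comes out without it; such a test would catch the denylist drifting again. The function's opening and its `else` branch lie outside the hunk, so whether the traversal reaches a `<style>` nested deeper inside an `<svg>` subtree cannot be confirmed from these lines.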