authorXiaocheng Hu <xiaochengh@chromium.org>2019-11-26 00:06:38 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-24 12:11:09 +0000
commitbca907a58b5ddafda0f7dd05cc487ffaa8f29041 (patch)
tree7e3dcb4a72ed12ecddaf576a084b0269405fb082
parent4ceb67df8cd83edb47bf473934decff6a1ebf919 (diff)
downloadqtwebengine-chromium-bca907a58b5ddafda0f7dd05cc487ffaa8f29041.tar.gz
[Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (2/3)
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1931412:

Strip SVGStyleElement in ReplaceSelectionCommand

crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left
a loophole for SVGStyleElement. This patch also strips it.

Bug: 1017871
Change-Id: I8bd3ffbc8a9dc833b6cc2571c7e9ebf999bf495b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc3
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
index 47b3272da0a..c8ce261c69d 100644
--- a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
+++ b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
@@ -64,6 +64,7 @@
#include "third_party/blink/renderer/core/input_type_names.h"
#include "third_party/blink/renderer/core/layout/layout_object.h"
#include "third_party/blink/renderer/core/layout/layout_text.h"
+#include "third_party/blink/renderer/core/svg/svg_style_element.h"
#include "third_party/blink/renderer/platform/bindings/exception_state.h"
#include "third_party/blink/renderer/platform/instrumentation/tracing/trace_event.h"
#include "third_party/blink/renderer/platform/wtf/std_lib_extras.h"
@@ -831,7 +832,7 @@ static void RemoveHeadContents(ReplacementFragment& fragment) {
for (Node* node = fragment.FirstChild(); node; node = next) {
if (IsHTMLBaseElement(*node) || IsHTMLLinkElement(*node) ||
IsHTMLMetaElement(*node) || IsHTMLStyleElement(*node) ||
- IsHTMLTitleElement(*node)) {
+ IsHTMLTitleElement(*node) || IsSVGStyleElement(*node)) {
next = NodeTraversal::NextSkippingChildren(*node);
fragment.RemoveNode(node);
} else {
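Review bot: The condition in RemoveHeadContents gives no hint that the two style checks are a sanitizing step for pasted content, so a later cleanup could drop `IsSVGStyleElement(*node)` as looking out of place among head elements. I would add a comment above the `if`, for example `// HTML and SVG style elements are stripped so a pasted fragment cannot carry its own stylesheet (bug 1017871).`. The diffstat lists only this file, so the backport appears to carry no regression test; a paste test whose fragment contains an SVG-namespaced style element would pin the behaviour. The loop continues past the end of the hunk, so whether the else branch visits nested nodes cannot be confirmed from here.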