authorXiaocheng Hu <xiaochengh@chromium.org>2019-11-26 00:06:38 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-06 16:05:18 +0000
commite7980ade9ab1ec70db29623ff658e38497c7385d (patch)
treedd726b0b3c0962b3d08e92d1255bfffe10514bf1
parentf720be4aac53e2bcd93622a24a653aa85e12f7be (diff)
[Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (2/3)
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1931412: Strip SVGStyleElement in ReplaceSelectionCommand. crrev.com/c/1922919 added a stylesheet sanitizer for the clipboard, but left a loophole for SVGStyleElement. This patch strips it as well. Bug: 1017871 Change-Id: I8bd3ffbc8a9dc833b6cc2571c7e9ebf999bf495b Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc3
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
index 9dbba501604..49f468d1b2b 100644
--- a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
+++ b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
@@ -63,6 +63,7 @@
#include "third_party/blink/renderer/core/input_type_names.h"
#include "third_party/blink/renderer/core/layout/layout_object.h"
#include "third_party/blink/renderer/core/layout/layout_text.h"
+#include "third_party/blink/renderer/core/svg/svg_style_element.h"
#include "third_party/blink/renderer/platform/bindings/exception_state.h"
#include "third_party/blink/renderer/platform/heap/heap.h"
#include "third_party/blink/renderer/platform/instrumentation/tracing/trace_event.h"
@@ -830,7 +831,7 @@ static void RemoveHeadContents(ReplacementFragment& fragment) {
for (Node* node = fragment.FirstChild(); node; node = next) {
if (IsHTMLBaseElement(*node) || IsHTMLLinkElement(*node) ||
IsHTMLMetaElement(*node) || IsHTMLStyleElement(*node) ||
- IsHTMLTitleElement(*node)) {
+ IsHTMLTitleElement(*node) || IsSVGStyleElement(*node)) {
next = NodeTraversal::NextSkippingChildren(*node);
fragment.RemoveNode(node);
} else {
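Review bot: The new `IsSVGStyleElement(*node)` test only applies to nodes this loop visits, and the loop walks the fragment's direct children with `NodeTraversal::NextSkippingChildren`, so an SVG style element nested inside another top-level element of the fragment is not removed here. If that case is meant to be covered by the clipboard stylesheet sanitizer the description refers to, a comment above the condition stating the division of responsibility would help the next reader, e.g. `// Top-level only: nested style elements are handled by the stylesheet sanitizer.`; if it is not covered there, this is worth confirming. As a point of style, the predicate now spans three lines and could move into a small `static bool IsHeadContentElement(const Node&)` helper so `RemoveHeadContents` reads as loop logic only. The body of `RemoveHeadContents` continues past the end of this hunk.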