authordpapad <dpapad@chromium.org>2020-04-23 00:17:42 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-22 15:22:46 +0000
commite61ea405c3ce8486fb00de64eadfef8e73f85a8f (patch)
tree8ee6cdfb9837c83f294f0b31192c3d4c69fa7bbe
parentd41f723f49273984846616b185edcc744ab814a9 (diff)
downloadqtwebengine-chromium-e61ea405c3ce8486fb00de64eadfef8e73f85a8f.tar.gz
[Backport] CVE-2020-6535: Insufficient data validation in WebUI
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2161355: Use parseHTMLSubset() in chrome://histograms. This prevents a maliciously created histogram name from injecting code (XSS) in the context of chrome://histograms. Fixed: 1073409 Change-Id: I75c9a26b95363cad4a470ed6488718421289961e Commit-Queue: dpapad <dpapad@chromium.org> Auto-Submit: dpapad <dpapad@chromium.org> Reviewed-by: Alexei Svitkine <asvitkine@chromium.org> Cr-Commit-Position: refs/heads/master@{#761723} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/resources/histograms/BUILD.gn1
-rw-r--r--chromium/content/browser/resources/histograms/histograms_internals.html1
-rw-r--r--chromium/content/browser/resources/histograms/histograms_internals.js9
3 files changed, 8 insertions, 3 deletions
diff --git a/chromium/content/browser/resources/histograms/BUILD.gn b/chromium/content/browser/resources/histograms/BUILD.gn
index 9b67dcd52b2..08c7f14373f 100644
--- a/chromium/content/browser/resources/histograms/BUILD.gn
+++ b/chromium/content/browser/resources/histograms/BUILD.gn
@@ -13,6 +13,7 @@ js_type_check("closure_compile") {
js_library("histograms_internals") {
deps = [
"//ui/webui/resources/js:cr",
+ "//ui/webui/resources/js:parse_html_subset",
"//ui/webui/resources/js:util",
]
}
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.html b/chromium/content/browser/resources/histograms/histograms_internals.html
index 37e45404843..b997e6d2ff8 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.html
+++ b/chromium/content/browser/resources/histograms/histograms_internals.html
@@ -8,6 +8,7 @@
<script src="chrome://resources/js/cr.js"></script>
<script src="chrome://resources/js/promise_resolver.js"></script>
<script src="chrome://resources/js/util.js"></script>
+ <script src="chrome://resources/js/parse_html_subset.js"></script>
<script src="histograms_internals.js"></script>
<title>Histograms</title>
</head>
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.js b/chromium/content/browser/resources/histograms/histograms_internals.js
index 24c55fb23c9..b70641ed435 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.js
+++ b/chromium/content/browser/resources/histograms/histograms_internals.js
@@ -24,9 +24,12 @@ function addHistograms(histograms) {
htmlOutput += histogram;
}
- // NOTE: This is generally unsafe due to XSS attacks. Make sure |htmlOutput|
- // cannot be modified by an external party.
- $('histograms').innerHTML = htmlOutput;
+ // The following HTML tags are coming from
+ // |HistogramsMessageHandler::HandleRequestHistograms|.
+ const sanitizedHTML = parseHtmlSubset(`<span>${htmlOutput}</span>`, [
+ 'PRE', 'H4', 'BR', 'HR'
+ ]).firstChild.innerHTML;
+ $('histograms').innerHTML = sanitizedHTML;
}
/**
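Review bot: The sanitized fragment is serialized back to a string and assigned through `innerHTML` on the last added line, which re-parses markup that parseHtmlSubset has already turned into DOM nodes; inserting the returned fragment directly avoids the serialize/re-parse round trip (the mutation-XSS class of problem) and appears to make the `<span>` wrapper unnecessary, since it seems to exist only to obtain an `innerHTML` string from a DocumentFragment. parseHtmlSubset, as implemented in ui/webui/resources, rejects disallowed tags or attributes by throwing rather than stripping them, so one unexpected histogram name would now abort rendering of the whole list with an uncaught exception; whether that is acceptable, or whether a try/catch falling back to `textContent` is wanted, deserves a sentence in the commit message. The allowlist comment on the first two added lines would be more useful if it also stated that histogram names are expected to be plain text, so that HTML-escaping them on the C++ side would remove the dependency on this allowlist. addHistograms begins before the hunk.
```javascript
  // … unchanged: loop building htmlOutput …
  const fragment = parseHtmlSubset(htmlOutput, ['PRE', 'H4', 'BR', 'HR']);
  const container = $('histograms');
  container.textContent = '';
  container.appendChild(fragment);
```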