From 98f5d9e5b14b590b6c948fa8b2728f3e47958a7d Mon Sep 17 00:00:00 2001 From: Mason Freed Date: Sat, 30 Nov 2019 07:48:15 +0000 Subject: [Backport] CVE-2020-6413 - Inappropriate implementation in Blink MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1940722: Fix parser mXSS sanitizer bypass for

and
within foreign context Prior to this CL, the following code:

parsed to this innerHTML:

This is in contrast to this code:

which parses to

The fact that the

is left inside the allowed sanitizer bypasses as detailed in [1]. Please also see [2] for the spec discussion. With this CL,

and
within a foreign context now cause the closing of the foreign context. [1] https://research.securitum.com/dompurify-bypass-using-mxss/ [2] https://github.com/whatwg/html/issues/5113 Bug: 1005713 Change-Id: Iecaced38ed06c74296731c0bdcc10d2bbb462ff8 Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/core/html/parser/html_tree_builder.cc | 7 +++++++
 .../renderer/core/html/parser/html_tree_builder_simulator.cc | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
index e27ad677177..2bcc67d216f 100644
--- a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
+++ b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
@@ -2693,6 +2693,13 @@ void HTMLTreeBuilder::ProcessTokenInForeignContent(AtomicHTMLToken* token) {
     tree_.OpenElements()->Pop();
     return;
   }
+  if (token->GetName() == html_names::kBrTag ||
+      token->GetName() == html_names::kPTag) {
+    ParseError(token);
+    tree_.OpenElements()->PopUntilForeignContentScopeMarker();
+    ProcessEndTag(token);
+    return;
+  }
   if (!tree_.CurrentStackItem()->IsInHTMLNamespace()) {
     // FIXME: This code just wants an Element* iterator, instead of an
     // ElementRecord*
diff --git a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
index ed65f066854..65135aee48b 100644
--- a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
+++ b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
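Review bot: The new `kBrTag`/`kPTag` branch in ProcessTokenInForeignContent carries no comment saying why exactly these two end tags close the foreign context, and the enclosing `if` that decides the token type is outside the hunk, so a reader cannot see here that this path is reached only for end tags — the `ProcessEndTag(token)` call suggests it is, but that should be confirmed, since a start `<p>`/`<br>` presumably keeps taking the existing breakout path. Suggest placing `// </br> and </p> inside foreign content close the foreign context and are` / `// reprocessed as HTML end tags; see https://github.com/whatwg/html/issues/5113.` above the `if`. The diffstat lists only the two parser files, so the regression test that the original CL presumably carried (the markup quoted in the description) does not appear in this backport; it should be carried over, as that case is the reason for the change. The same `kPTag`/`kBrTag` pair is repeated by hand in the simulator hunk below, so the two must be kept in sync if the set is ever extended.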
@@ -211,7 +211,13 @@ HTMLTreeBuilderSimulator::SimulatedToken HTMLTreeBuilderSimulator::Simulate(
       }
     }
   }
-
+  if (token.GetType() == HTMLToken::kEndTag && InForeignContent()) {
+    const String& tag_name = token.Data();
+    if (ThreadSafeMatch(tag_name, html_names::kPTag) ||
+        ThreadSafeMatch(tag_name, html_names::kBrTag)) {
+      namespace_stack_.pop_back();
+    }
+  }
   if (token.GetType() == HTMLToken::kEndTag ||
       (token.GetType() == HTMLToken::kStartTag && token.SelfClosing() &&
        InForeignContent())) {
-- cgit v1.2.1
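Review bot: The simulator pops `namespace_stack_` exactly once for `</p>`/`</br>`, whereas the tree builder's `PopUntilForeignContentScopeMarker()` unwinds every open foreign element down to the scope marker; the two stay in agreement only if this stack holds one entry per foreign root rather than per foreign element, and the push side is outside the hunk, so that assumption should be stated next to the pop, e.g. `// One entry per foreign root, so a single pop mirrors PopUntilForeignContentScopeMarker().` The new block also repeats the `HTMLToken::kEndTag` test that the condition immediately below already makes; keeping it separate looks deliberate, since the lower block also fires for self-closing start tags in foreign content and a `<p/>` start tag presumably must not be popped twice, but without a comment such as `// Kept apart from the block below, which also matches self-closing start tags.` the next maintainer will fold the two conditions together. The removed line was the blank separator after the preceding `}`, so the new block now abuts the closing braces; restoring the blank line keeps the file's spacing. Simulate's body begins and continues outside the hunk.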