From e61ea405c3ce8486fb00de64eadfef8e73f85a8f Mon Sep 17 00:00:00 2001
From: dpapad
Date: Thu, 23 Apr 2020 00:17:42 +0000
Subject: [Backport] CVE-2020-6535: Insufficient data validation in WebUI

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2161355: Use parseHTMLSubset() in chrome://histograms. This prevents a maliciously created histogram name from injecting code (XSS) in the context of chrome://histograms.

Fixed: 1073409
Change-Id: I75c9a26b95363cad4a470ed6488718421289961e
Commit-Queue: dpapad
Auto-Submit: dpapad
Reviewed-by: Alexei Svitkine
Cr-Commit-Position: refs/heads/master@{#761723}
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/content/browser/resources/histograms/BUILD.gn | 1 +
 .../browser/resources/histograms/histograms_internals.html | 1 +
 .../content/browser/resources/histograms/histograms_internals.js | 9 ++++++---
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/chromium/content/browser/resources/histograms/BUILD.gn b/chromium/content/browser/resources/histograms/BUILD.gn
index 9b67dcd52b2..08c7f14373f 100644
--- a/chromium/content/browser/resources/histograms/BUILD.gn
+++ b/chromium/content/browser/resources/histograms/BUILD.gn
@@ -13,6 +13,7 @@ js_type_check("closure_compile") {
 js_library("histograms_internals") {
 deps = [
 "//ui/webui/resources/js:cr",
+ "//ui/webui/resources/js:parse_html_subset",
 "//ui/webui/resources/js:util",
 ]
 }
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.html b/chromium/content/browser/resources/histograms/histograms_internals.html
index 37e45404843..b997e6d2ff8 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.html
+++ b/chromium/content/browser/resources/histograms/histograms_internals.html
@@ -8,6 +8,7 @@ + Histograms
diff --git a/chromium/content/browser/resources/histograms/histograms_internals.js b/chromium/content/browser/resources/histograms/histograms_internals.js
index 24c55fb23c9..b70641ed435 100644
--- a/chromium/content/browser/resources/histograms/histograms_internals.js
+++ b/chromium/content/browser/resources/histograms/histograms_internals.js
@@ -24,9 +24,12 @@ function addHistograms(histograms) {
 htmlOutput += histogram;
 }
 
- // NOTE: This is generally unsafe due to XSS attacks. Make sure |htmlOutput|
- // cannot be modified by an external party.
- $('histograms').innerHTML = htmlOutput;
+ // The following HTML tags are coming from
+ // |HistogramsMessageHandler::HandleRequestHistograms|.
+ const sanitizedHTML = parseHtmlSubset(`${htmlOutput}`, [
+ 'PRE', 'H4', 'BR', 'HR'
+ ]).firstChild.innerHTML;
+ $('histograms').innerHTML = sanitizedHTML;
 }
 
 /**
-- 
cgit v1.2.1
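Review bot: The sanitized result is read through `.firstChild.innerHTML`, but the template literal passed to `parseHtmlSubset` as shown here contains only `${htmlOutput}` with no wrapper element, so `firstChild` is whatever node the histogram markup happens to start with: a leading text node has no `innerHTML` (the assignment then stores `undefined`), and a leading `<pre>`/`<h4>` yields only that element's own contents, silently dropping every sibling. This page's rendering has stripped HTML tags elsewhere (the added `<script>` line of the html hunk is blank), so the upstream literal plausibly wraps the output in a single container such as `<span>…</span>`; if it does not, wrapping it in exactly one container element before parsing is the fix. The sanitized fragment could also be appended to `$('histograms')` directly after clearing it, which keeps the vetted DOM without a serialize-and-reparse round trip through `innerHTML`. `addHistograms` begins before this hunk; only its tail is visible.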