From e7980ade9ab1ec70db29623ff658e38497c7385d Mon Sep 17 00:00:00 2001 From: Xiaocheng Hu Date: Tue, 26 Nov 2019 00:06:38 +0000 Subject: [Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (2/3) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1931412: Strip SVGStyleElement in ReplaceSelectionCommand crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left a loophole for SVGStyleElement. This patch also strips it. Bug: 1017871 Change-Id: I8bd3ffbc8a9dc833b6cc2571c7e9ebf999bf495b Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/core/editing/commands/replace_selection_command.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
index 9dbba501604..49f468d1b2b 100644
--- a/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
+++ b/chromium/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
@@ -63,6 +63,7 @@
 #include "third_party/blink/renderer/core/input_type_names.h"
 #include "third_party/blink/renderer/core/layout/layout_object.h"
 #include "third_party/blink/renderer/core/layout/layout_text.h"
+#include "third_party/blink/renderer/core/svg/svg_style_element.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/heap/heap.h"
 #include "third_party/blink/renderer/platform/instrumentation/tracing/trace_event.h"
@@ -830,7 +831,7 @@ static void RemoveHeadContents(ReplacementFragment& fragment) {
   for (Node* node = fragment.FirstChild(); node; node = next) {
     if (IsHTMLBaseElement(*node) || IsHTMLLinkElement(*node) ||
         IsHTMLMetaElement(*node) || IsHTMLStyleElement(*node) ||
-        IsHTMLTitleElement(*node)) {
+        IsHTMLTitleElement(*node) || IsSVGStyleElement(*node)) {
       next = NodeTraversal::NextSkippingChildren(*node);
       fragment.RemoveNode(node);
     } else {
-- 
cgit v1.2.1
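Review bot: The `if` condition is now a six-way deny-list of element types with no comment saying what it protects against, and this very patch exists because the previous list missed one stylesheet-bearing element, so the list should be named and documented in one place rather than extended inline. I would hoist the disjunction into a `static bool IsHeadContentOrStylesheet(const Node& node)` helper carrying a comment that pasted markup is untrusted and that any element able to inject a stylesheet or document metadata must be stripped (crbug.com/1017871; the clipboard sanitizer from crrev.com/c/1922919 left SVG `<style>` uncovered, per the commit message), and call `if (IsHeadContentOrStylesheet(*node)) {` here. Whether an SVG `<style>` nested below a non-stripped child is also reached depends on how `next` is advanced in the else branch, which is outside the hunk and worth confirming. `RemoveHeadContents` begins before this hunk and the loop body continues past it.
```cpp
// Elements a pasted fragment must not carry into the host document: head-only
// metadata plus anything that can inject a stylesheet. Pasted markup is
// untrusted; the clipboard stylesheet sanitizer (crrev.com/c/1922919) did not
// cover SVG <style> (crbug.com/1017871), so every such element is stripped here.
static bool IsHeadContentOrStylesheet(const Node& node) {
  return IsHTMLBaseElement(node) || IsHTMLLinkElement(node) ||
         IsHTMLMetaElement(node) || IsHTMLStyleElement(node) ||
         IsHTMLTitleElement(node) || IsSVGStyleElement(node);
}

static void RemoveHeadContents(ReplacementFragment& fragment) {
  // … unchanged …
  for (Node* node = fragment.FirstChild(); node; node = next) {
    if (IsHeadContentOrStylesheet(*node)) {
      // … unchanged: skip children, remove node …
```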