Strip SVGStyleElement in ReplaceSelectionCommand

crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left a loophole for SVGStyleElement. This patch also strips it. Bug: 1017871 Change-Id: Icc6c513f79597c191f732cd63a98cc59afe1fc69 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1931412 Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#718902}

Strip SVGStyleElement in ReplaceSelectionCommand
crrev.com/c/1922919 added a stylesheet sanitizer for clipboard, but left a loophole for SVGStyleElement. This patch also strips it. Bug: 1017871 Change-Id: Icc6c513f79597c191f732cd63a98cc59afe1fc69 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1931412 Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#718902}
7d16958f · Xiaocheng Hu · Commit Bot · 69f72294 · 7d16958f · 7d16958f
Commit 7d16958f authored Nov 26, 2019 by Xiaocheng Hu Committed by Commit Bot Nov 26, 2019
2 changed files
--- a/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
+++ b/third_party/blink/renderer/core/editing/commands/replace_selection_command.cc
@@ -64,6 +64,7 @@
 #include "third_party/blink/renderer/core/input_type_names.h"
 #include "third_party/blink/renderer/core/layout/layout_object.h"
 #include "third_party/blink/renderer/core/layout/layout_text.h"
+#include "third_party/blink/renderer/core/svg/svg_style_element.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/heap/heap.h"
 #include "third_party/blink/renderer/platform/instrumentation/tracing/trace_event.h"
@@ -856,7 +857,7 @@ static void RemoveHeadContents(ReplacementFragment& fragment) {
  for (Node* node = fragment.FirstChild(); node; node = next) {
    if (IsA<HTMLBaseElement>(*node) || IsHTMLLinkElement(*node) ||
        IsA<HTMLMetaElement>(*node) || IsA<HTMLStyleElement>(*node) ||
-        IsA<HTMLTitleElement>(*node)) {
+        IsA<HTMLTitleElement>(*node) || IsA<SVGStyleElement>(*node)) {
      next = NodeTraversal::NextSkippingChildren(*node);
      fragment.RemoveNode(node);
    } else {

--- a/third_party/blink/web_tests/editing/pasteboard/paste-xss-injection.html
+++ b/third_party/blink/web_tests/editing/pasteboard/paste-xss-injection.html
@@ -3,6 +3,7 @@
 <script src="../../resources/testharnessreport.js"></script>
 <script src="../assert_selection.js"></script>
 <script>
+// crbug.com/1011950
 selection_test(
  '<div contenteditable>te|st</div>',
  selection => {
@@ -11,4 +12,24 @@ selection_test(
  },
  '<div contenteditable>te<br>t<img src>">.<a>.|</a>st</div>',
  'Paste blocks script injection');
+// crbug.com/1017871
+selection_test(
+  '<div contenteditable>te|st</div>',
+  selection => {
+    selection.setClipboardData('<math><xss style=display:block>t<style>X<a title="</style><style>*{background:red}</style>">.<a>.');
+    selection.document.execCommand('paste');
+  },
+  '<div contenteditable>te<br>t">.<a>.|</a>st</div>',
+  'Paste blocks HTML style injection');
+// crbug.com/1017871
+selection_test(
+  '<div contenteditable>te|st</div>',
+  selection => {
+    selection.setClipboardData('A<math>B<a style=display:block>C<title>D<a id="</title><svg><style>*{background:red}</style>">c');
+    selection.document.execCommand('paste');
+  },
+  '<div contenteditable>teA<math>B<br></math>C|<svg></svg>st</div>',
+  'Paste blocks SVG style injection');
 </script>