Apply markup sanitizer in CompositeEditCommand::MoveParagraphs()

CompositeEditCommand::MoveParagraphs() serailizes part of the DOM and then re-parse it and insert it at some other place of the document. This is essentially a copy-and-paste, and can be exploited in the same way how copy-and-paste is exploited. So we should also sanitize markup in the function. Bug: 1141350 Change-Id: I25c1dfc61c20b9134b23e057c5a3a0f56c190b5c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2500633 Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#821098}

Apply markup sanitizer in CompositeEditCommand::MoveParagraphs()
CompositeEditCommand::MoveParagraphs() serailizes part of the DOM and then re-parse it and insert it at some other place of the document. This is essentially a copy-and-paste, and can be exploited in the same way how copy-and-paste is exploited. So we should also sanitize markup in the function. Bug: 1141350 Change-Id: I25c1dfc61c20b9134b23e057c5a3a0f56c190b5c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2500633 Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#821098}
c529cbcc · Xiaocheng Hu · Commit Bot · a07837fd · c529cbcc · c529cbcc
Commit c529cbcc authored Oct 27, 2020 by Xiaocheng Hu Committed by Commit Bot Oct 27, 2020
2 changed files
--- a/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
+++ b/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
@@ -1515,19 +1515,18 @@ void CompositeEditCommand::MoveParagraphs(
  // FIXME: This is an inefficient way to preserve style on nodes in the
  // paragraph to move. It shouldn't matter though, since moved paragraphs will
  // usually be quite small.
-  DocumentFragment* fragment =
-      start_of_paragraph_to_move.DeepEquivalent() !=
-              end_of_paragraph_to_move.DeepEquivalent()
-          ? CreateFragmentFromMarkup(
-                GetDocument(),
-                CreateMarkup(start.ParentAnchoredEquivalent(),
-                             end.ParentAnchoredEquivalent(),
-                             CreateMarkupOptions::Builder()
-                                 .SetShouldConvertBlocksToInlines(true)
-                                 .SetConstrainingAncestor(constraining_ancestor)
-                                 .Build()),
-                "", kDisallowScriptingAndPluginContent)
-          : nullptr;
+  DocumentFragment* fragment = nullptr;
+  if (start_of_paragraph_to_move.DeepEquivalent() !=
+      end_of_paragraph_to_move.DeepEquivalent()) {
+    const String paragraphs_markup = CreateMarkup(
+        start.ParentAnchoredEquivalent(), end.ParentAnchoredEquivalent(),
+        CreateMarkupOptions::Builder()
+            .SetShouldConvertBlocksToInlines(true)
+            .SetConstrainingAncestor(constraining_ancestor)
+            .Build());
+    fragment = CreateSanitizedFragmentFromMarkupWithContext(
+        GetDocument(), paragraphs_markup, 0, paragraphs_markup.length(), "");
+  }

  // A non-empty paragraph's style is moved when we copy and move it.  We don't
  // move anything if we're given an empty paragraph, but an empty paragraph can

--- a/third_party/blink/web_tests/editing/pasteboard/mathml-sanitizer-bypass.html
+++ b/third_party/blink/web_tests/editing/pasteboard/mathml-sanitizer-bypass.html
@@ -59,4 +59,16 @@ selection_test(
    : '<div contenteditable>teA<math>B<br></math>C|<svg></svg>st</div>',
  'Paste blocks SVG style injection');

+// crbug.com/1141350
+selection_test(
+  '<div contenteditable>|abc</div>',
+  selection => {
+    selection.setClipboardData(`<math><xss style=display:block>t<xmp>X<a title="</xmp><div style=position:fixed;left:0;top:0;width:100%;height:100%><svg><use href=data:application/xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJz4KPGEgaHJlZj0namF2YXNjcmlwdDphbGVydCgxMjMpJz4KICAgIDxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J2xpZ2h0Ymx1ZScgLz4KICAgICA8dGV4dCB4PScwJyB5PScwJyBmaWxsPSdibGFjayc+CiAgICAgICA8dHNwYW4geD0nMCcgZHk9JzEuMmVtJz5Pb3BzLCB0aGVyZSdzIHNvbWV0aGluZyB3cm9uZyB3aXRoIHRoZSBwYWdlITwvdHNwYW4+CiAgICAgPHRzcGFuIHg9JzAnIGR5PScxLjJlbSc+UGxlYXNlIGNsaWNrIGhlcmUgdG8gcmVsb2FkLjwvdHNwYW4+Cjwvc3ZnPg==#x>">.<a>.`),
+    selection.document.execCommand('paste');
+    assert_equals(selection.document.querySelector('use'), null, 'SVG <use> with data URI should not leak into main document');
+  },
+  supportsEditableMathML
+    ? '<div contenteditable><math><xss style="display:block"><xmp>X<a title="</xmp><div style=position:fixed;left:0;top:0;width:100%;height:100%><svg><use href=data:application/xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJz4KPGEgaHJlZj0namF2YXNjcmlwdDphbGVydCgxMjMpJz4KICAgIDxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J2xpZ2h0Ymx1ZScgLz4KICAgICA8dGV4dCB4PScwJyB5PScwJyBmaWxsPSdibGFjayc+CiAgICAgICA8dHNwYW4geD0nMCcgZHk9JzEuMmVtJz5Pb3BzLCB0aGVyZSdzIHNvbWV0aGluZyB3cm9uZyB3aXRoIHRoZSBwYWdlITwvdHNwYW4+CiAgICAgPHRzcGFuIHg9JzAnIGR5PScxLjJlbSc+UGxlYXNlIGNsaWNrIGhlcmUgdG8gcmVsb2FkLjwvdHNwYW4+Cjwvc3ZnPg==#x>">.<a></a></a></xmp></xss></math>t|abc</div>'
+    : '<div contenteditable>t<xmp>X&lt;a title="</xmp><div style="position: fixed; left: 0px; top: 0px; width: 800px; height: 600px;"><svg></svg></div>|abc</div>',
+  'Paste blocks data URI in SVG use element injection via <math>');
 </script>