Fix clipboard markup serialization crash on SVG <foreignObject>

When re-serializing sanitized clipboard markup, not all elements need
an inline style. For example, SVG <foreignObject>. We should not try to
strip UA style from their inline styles as otherwise it crashes.

Bug: 1032389
Change-Id: Idedc98a09fd5503281dd6c7354b4df78368a8e0d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1962977
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#724068}

third_party/blink/renderer/core/editing/editing_style_utilities.cc

@@ -238,6 +238,9 @@ const CSSValue* EditingStyleUtilities::BackgroundColorValueInEffect(
 
 void EditingStyleUtilities::StripUAStyleRulesForMarkupSanitization(
     EditingStyle* style) {
+  if (!style->Style())
+    return;
+
   // This is a hacky approach to avoid 'font-family: ""' appearing in
   // sanitized markup.
   // TODO(editing-dev): Implement a non-hacky fix up for all properties

third_party/blink/renderer/core/editing/serializers/serialization_test.cc

@@ -27,5 +27,22 @@ TEST(SerializationTest, CantCreateFragmentCrash) {
   EXPECT_TRUE(sanitized.IsEmpty());
 }
 
+// Regression test for https://crbug.com/1032389
+TEST(SerializationTest, SVGForeignObjectCrash) {
+  const String markup =
+      "<svg>"
+      "  <foreignObject>"
+      "    <br>"
+      "    <div style=\"height: 50px;\"></div>"
+      "  </foreignObject>"
+      "</svg>"
+      "<span>\u00A0</span>";
+  const String sanitized =
+      SanitizeMarkupWithContext(markup, 0, markup.length());
+  // This is a crash test. We don't verify the content of the sanitized markup
+  // as it's too verbose and not interesting.
+  EXPECT_FALSE(sanitized.IsEmpty());
+}
+
 }  // namespace
 }  // namespace blink