Disallow pasting SVG use elements data URI

SVG use elements with data URI may carry arbitrary content. Hence, we also sanitize it before pasting it into document. Bug: 1040755 Change-Id: Iad8701174c7c0f13dc5affb9e011d645990ef754 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2119198 Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#753349}

Disallow pasting SVG use elements data URI
SVG use elements with data URI may carry arbitrary content. Hence, we also sanitize it before pasting it into document. Bug: 1040755 Change-Id: Iad8701174c7c0f13dc5affb9e011d645990ef754 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2119198 Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#753349}
dfa9e425 · Xiaocheng Hu · Commit Bot · 96d8c59a · dfa9e425 · dfa9e425
Commit dfa9e425 authored Mar 25, 2020 by Xiaocheng Hu Committed by Commit Bot Mar 25, 2020
2 changed files
--- a/third_party/blink/renderer/core/editing/serializers/serialization.cc
+++ b/third_party/blink/renderer/core/editing/serializers/serialization.cc
@@ -67,6 +67,7 @@
 #include "third_party/blink/renderer/core/loader/empty_clients.h"
 #include "third_party/blink/renderer/core/page/page.h"
 #include "third_party/blink/renderer/core/svg/svg_style_element.h"
+#include "third_party/blink/renderer/core/svg/svg_use_element.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/bindings/runtime_call_stats.h"
 #include "third_party/blink/renderer/platform/bindings/v8_per_isolate_data.h"
@@ -803,6 +804,25 @@ static bool ContainsStyleElements(const DocumentFragment& fragment) {
  return false;
 }
+// Returns true if any svg <use> element is removed.
+static bool StripSVGUseDataURLs(Node& node) {
+  if (IsA<SVGUseElement>(node)) {
+    SVGUseElement& use = To<SVGUseElement>(node);
+    SVGURLReferenceResolver resolver(use.HrefString(), use.GetDocument());
+    if (resolver.AbsoluteUrl().ProtocolIsData())
+      node.remove();
+    return true;
+  }
+  bool stripped = false;
+  for (Node* child = node.firstChild(); child;) {
+    Node* next = child->nextSibling();
+    if (StripSVGUseDataURLs(*child))
+      stripped = true;
+    child = next;
+  }
+  return stripped;
+}
 DocumentFragment* CreateSanitizedFragmentFromMarkupWithContext(
    Document& document,
    const String& raw_markup,
@@ -823,7 +843,13 @@ DocumentFragment* CreateSanitizedFragmentFromMarkupWithContext(
    return nullptr;
  }
-  if (!ContainsStyleElements(*fragment)) {
+  bool needs_sanitization = false;
+  if (ContainsStyleElements(*fragment))
+    needs_sanitization = true;
+  if (StripSVGUseDataURLs(*fragment))
+    needs_sanitization = true;
+  if (!needs_sanitization) {
    staging_document->GetPage()->WillBeDestroyed();
    return CreateFragmentFromMarkupWithContext(
        document, raw_markup, fragment_start, fragment_end, base_url,

--- a/third_party/blink/web_tests/editing/pasteboard/paste-svg-use.html
+++ b/third_party/blink/web_tests/editing/pasteboard/paste-svg-use.html
+<!DOCTYPE html>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script src="../assert_selection.js"></script>
+<script>
+// crbug.com/1040755
+selection_test(
+  '<div contenteditable>|</div>',
+  selection => {
+    selection.setClipboardData(`
+      <svg>
+        <use href="data:application/xml,
+          <svg id=x>
+            <a href='javascript:alert(1)'>
+              <rect width=100 height=100 fill=blue />
+            </a>
+          </svg>#x">
+        </use>
+      </svg>`);
+    selection.document.execCommand('paste');
+  },
+  '<div contenteditable>|<svg></svg></div>',
+  'Paste blocks data URI in SVG use elements');
+</script>