/
cherry-pick-12ba78f3fa7a.patch
89 lines (85 loc) · 3.76 KB
/
cherry-pick-12ba78f3fa7a.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Mon, 25 Apr 2022 20:57:43 +0000
Subject: Sanitize DragData markup before inserting it into document
(cherry picked from commit 5164a0fe3391283663e1196cf4576ec233985e89)
Fixed: 1315040
Change-Id: I8a0ddfb983d12c185f7e943d3d5277788199b011
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3579670
Quick-Run: Xiaocheng Hu <xiaochengh@chromium.org>
Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#991324}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3589799
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Owners-Override: Achuith Bhandarkar <achuith@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1602}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
diff --git a/third_party/blink/renderer/core/page/drag_data.cc b/third_party/blink/renderer/core/page/drag_data.cc
index d5ace3a879ab5ab00557ba380d9470d9eb937286..36ad9f68d3a79fe3d7d948276a654aacf5db019b 100644
--- a/third_party/blink/renderer/core/page/drag_data.cc
+++ b/third_party/blink/renderer/core/page/drag_data.cc
@@ -131,8 +131,8 @@ DocumentFragment* DragData::AsFragment(LocalFrame* frame) const {
platform_drag_data_->HtmlAndBaseURL(html, base_url);
DCHECK(frame->GetDocument());
if (DocumentFragment* fragment =
- CreateFragmentFromMarkup(*frame->GetDocument(), html, base_url,
- kDisallowScriptingAndPluginContent))
+ CreateSanitizedFragmentFromMarkupWithContext(
+ *frame->GetDocument(), html, 0, html.length(), base_url))
return fragment;
}
diff --git a/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html b/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html
new file mode 100644
index 0000000000000000000000000000000000000000..58551d28341d851dbd99322e2a5d3af68b3b0c72
--- /dev/null
+++ b/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html
@@ -0,0 +1,47 @@
+<!doctype html>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+
+<div id="drag-from" draggable=true>Drag from</div>
+<div id="drag-to" contenteditable>Drag to</div>
+
+<script>
+function computePoint(element) {
+ return {
+ x: element.offsetLeft + element.offsetWidth / 2,
+ y: element.offsetTop + element.offsetHeight / 2
+ };
+}
+
+let dragged = false;
+let executed = false;
+const payload = `
+ <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='fake' onerror='executed=true' /></svg>#x" />
+`;
+
+const dragFrom = document.getElementById('drag-from');
+dragFrom.ondragstart = event => {
+ dragged = true;
+ event.dataTransfer.setData('text/html', payload);
+}
+
+const dragTo = document.getElementById('drag-to');
+
+promise_test(async test => {
+ assert_own_property(window, 'eventSender', 'This test requires eventSender to simulate drag and drop');
+
+ const fromPoint = computePoint(dragFrom);
+ eventSender.mouseMoveTo(fromPoint.x, fromPoint.y);
+ eventSender.mouseDown();
+
+ const toPoint = computePoint(dragTo);
+ eventSender.mouseMoveTo(toPoint.x, toPoint.y);
+ eventSender.mouseUp();
+
+ assert_true(dragged, 'Element should be dragged');
+
+ // The 'error' event is dispatched asynchronously.
+ await new Promise(resolve => test.step_timeout(resolve, 100));
+ assert_false(executed, 'Script should be blocked');
+}, 'Script in SVG use href should be sanitized');
+</script>