From 885800e030cba278f1cb2b91a9cc78f6fa71574b Mon Sep 17 00:00:00 2001
From: Jeremy Rose
Date: Fri, 11 Dec 2020 11:03:59 -0800
Subject: [PATCH] chore: cherry-pick 3abc372c9c00 from chromium (#26894)

* chore: cherry-pick 3abc372c9c00 from chromium

* resolve conflict
---
 patches/chromium/.patches | 1 +
 .../chromium/cherry-pick-3abc372c9c00.patch | 61 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 patches/chromium/cherry-pick-3abc372c9c00.patch

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index 0eec0f39a6dac..54730bfe7174e 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -116,6 +116,7 @@ cherry-pick-bbb64b5c6916.patch
 ignore_renderframehostimpl_detach_for_speculative_rfhs.patch
 cherry-pick-eec5025668f8.patch
 cherry-pick-bbc6ab5bb49c.patch
+cherry-pick-3abc372c9c00.patch
 cherry-pick-d8d64b7cd244.patch
 cherry-pick-5ffbb7ed173a.patch
 ui_check_that_unpremultiply_is_passed_a_32bpp_image.patch
diff --git a/patches/chromium/cherry-pick-3abc372c9c00.patch b/patches/chromium/cherry-pick-3abc372c9c00.patch
new file mode 100644
index 0000000000000..d0bb9c06a4d40
--- /dev/null
+++ b/patches/chromium/cherry-pick-3abc372c9c00.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Xiaocheng Hu
+Date: Tue, 3 Nov 2020 23:00:29 +0000
+Subject: Apply markup sanitizer in CompositeEditCommand::MoveParagraphs()
+
+CompositeEditCommand::MoveParagraphs() serailizes part of the DOM and
+then re-parse it and insert it at some other place of the document. This
+is essentially a copy-and-paste, and can be exploited in the same way
+how copy-and-paste is exploited. So we should also sanitize markup in
+the function.
+
+(cherry picked from commit c529cbcc1bb0f72af944c30f03c2b3b435317bc7)
+
+Bug: 1141350
+Change-Id: I25c1dfc61c20b9134b23e057c5a3a0f56c190b5c
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2500633
+Commit-Queue: Yoshifumi Inoue
+Reviewed-by: Yoshifumi Inoue
+Cr-Original-Commit-Position: refs/heads/master@{#821098}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2518088
+Reviewed-by: Xiaocheng Hu
+Commit-Queue: Xiaocheng Hu
+Cr-Commit-Position: refs/branch-heads/4280@{#1099}
+Cr-Branched-From: ea420fb963f9658c9969b6513c56b8f47efa1a2a-refs/heads/master@{#812852}
+
+diff --git a/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc b/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
+index 08a19440da1bff652481c3cedae2f1edb2b58246..0ba9af6cff6dd6eaa373a0f4dca37226aee85ca0 100644
+--- a/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
++++ b/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
+@@ -1507,19 +1507,18 @@ void CompositeEditCommand::MoveParagraphs(
+ // FIXME: This is an inefficient way to preserve style on nodes in the
+ // paragraph to move. It shouldn't matter though, since moved paragraphs will
+ // usually be quite small.
+- DocumentFragment* fragment =
+- start_of_paragraph_to_move.DeepEquivalent() !=
+- end_of_paragraph_to_move.DeepEquivalent()
+- ? CreateFragmentFromMarkup(
+- GetDocument(),
+- CreateMarkup(start.ParentAnchoredEquivalent(),
+- end.ParentAnchoredEquivalent(),
+- CreateMarkupOptions::Builder()
+- .SetShouldConvertBlocksToInlines(true)
+- .SetConstrainingAncestor(constraining_ancestor)
+- .Build()),
+- "", kDisallowScriptingAndPluginContent)
+- : nullptr;
++ DocumentFragment* fragment = nullptr;
++ if (start_of_paragraph_to_move.DeepEquivalent() !=
++ end_of_paragraph_to_move.DeepEquivalent()) {
++ const String paragraphs_markup = CreateMarkup(
++ start.ParentAnchoredEquivalent(), end.ParentAnchoredEquivalent(),
++ CreateMarkupOptions::Builder()
++ .SetShouldConvertBlocksToInlines(true)
++ .SetConstrainingAncestor(constraining_ancestor)
++ .Build());
++ fragment = CreateSanitizedFragmentFromMarkupWithContext(
++ GetDocument(), paragraphs_markup, 0, paragraphs_markup.length(), "");
++ }
+
+ // A non-empty paragraph's style is moved when we copy and move it. We don't
+ // move anything if we're given an empty paragraph, but an empty paragraph can
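Review bot: The new call `fragment = CreateSanitizedFragmentFromMarkupWithContext(GetDocument(), paragraphs_markup, 0, paragraphs_markup.length(), "");` no longer passes `kDisallowScriptingAndPluginContent`, which the removed `CreateFragmentFromMarkup` call did, and nothing in this hunk shows that the sanitized helper applies an equivalent script/plugin policy to the re-parsed markup, so that should be confirmed against the helper's definition before relying on it. Because the outer commit message records "resolve conflict", it is also worth checking that the vendored hunk still matches upstream c529cbcc1bb0 (Chromium bug 1141350 is recorded in the patch trailer, so the two can be diffed directly). A why-comment above the new `if` would help the next maintainer, e.g. `// The serialized paragraphs are re-parsed like pasted markup, so run them through the sanitizer (Chromium bug 1141350).`, though as this is a cherry-picked upstream patch the comment belongs in Chromium rather than in the Electron patch file. `MoveParagraphs` begins and ends outside this hunk.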