diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index e6c67e24ebad6..0e0e9224eece2 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -175,3 +175,4 @@ skia_renderer_-_don_t_explicitly_clip_scissor_for_large_transforms.patch
 skia_renderer_use_rectf_intersect_in_applyscissor.patch
 cherry-pick-1a31e2110440.patch
 m100_change_ownership_of_blobbytesprovider.patch
+cherry-pick-12ba78f3fa7a.patch
diff --git a/patches/chromium/cherry-pick-12ba78f3fa7a.patch b/patches/chromium/cherry-pick-12ba78f3fa7a.patch
new file mode 100644
index 0000000000000..417f6315e683a
--- /dev/null
+++ b/patches/chromium/cherry-pick-12ba78f3fa7a.patch
@@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Xiaocheng Hu
+Date: Mon, 25 Apr 2022 20:57:43 +0000
+Subject: Sanitize DragData markup before inserting it into document
+
+(cherry picked from commit 5164a0fe3391283663e1196cf4576ec233985e89)
+
+Fixed: 1315040
+Change-Id: I8a0ddfb983d12c185f7e943d3d5277788199b011
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3579670
+Quick-Run: Xiaocheng Hu
+Auto-Submit: Xiaocheng Hu
+Commit-Queue: Kent Tamura
+Cr-Original-Commit-Position: refs/heads/main@{#991324}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3589799
+Reviewed-by: Achuith Bhandarkar
+Owners-Override: Achuith Bhandarkar
+Commit-Queue: Roger Felipe Zanoni da Silva
+Cr-Commit-Position: refs/branch-heads/4664@{#1602}
+Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
+
+diff --git a/third_party/blink/renderer/core/page/drag_data.cc b/third_party/blink/renderer/core/page/drag_data.cc
+index d5ace3a879ab5ab00557ba380d9470d9eb937286..36ad9f68d3a79fe3d7d948276a654aacf5db019b 100644
+--- a/third_party/blink/renderer/core/page/drag_data.cc
++++ b/third_party/blink/renderer/core/page/drag_data.cc
+@@ -131,8 +131,8 @@ DocumentFragment* DragData::AsFragment(LocalFrame* frame) const {
+ platform_drag_data_->HtmlAndBaseURL(html, base_url);
+ DCHECK(frame->GetDocument());
+ if (DocumentFragment* fragment =
+- CreateFragmentFromMarkup(*frame->GetDocument(), html, base_url,
+- kDisallowScriptingAndPluginContent))
++ CreateSanitizedFragmentFromMarkupWithContext(
++ *frame->GetDocument(), html, 0, html.length(), base_url))
+ return fragment;
+ }
+
+diff --git a/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html b/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..58551d28341d851dbd99322e2a5d3af68b3b0c72
+--- /dev/null
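Review bot: The new call in the drag_data.cc hunk carries no comment saying why the sanitizing variant is required, so a later cleanup could swap it back to `CreateFragmentFromMarkup(..., kDisallowScriptingAndPluginContent)` without anyone noticing the regression. I would add above the `if`: `// Drag data is untrusted markup: sanitize it before insertion; the parser content policy alone was not enough (bug 1315040).` The commit subject and the replaced call imply that reasoning, but the hunk itself does not state it. DragData::AsFragment starts and ends outside the hunk, so the path taken when the sanitized call returns null is not visible here. It is worth confirming that this fallthrough cannot place the raw `html` into the document by another route.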
++++ b/third_party/blink/web_tests/editing/pasteboard/drag-and-drop-svg-use-sanitize.html +@@ -0,0 +1,47 @@ ++ ++ ++ ++ ++
Drag from
++
Drag to
++ ++