[M102] Markup sanitization should iterate until markup is stable
There are cases where parsing markup and then serializing it does not round-trip, which can be used to inject XSS. The current sanitization code only does one round of parsing and serializing, which does not remove XSS injections that hide deeper. Hence this patch makes the sanitization algorithm iterate until the markup is stable, or declares failure if it doesn't stabilize after many tries. (cherry picked from commit 1928035) Fixed: 1315563 Change-Id: I4a3ebe1fda6df0e04a24d863b2b48df2110af209 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3611826 Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#997032} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3621618 Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Joey Arhar <jarhar@chromium.org> Commit-Queue: Joey Arhar <jarhar@chromium.org> Cr-Commit-Position: refs/branch-heads/5005@{#363} Cr-Branched-From: 5b4d945-refs/heads/main@{#992738}
1 parent
f89af86
commit b03797b
Showing
3 changed files
with
96 additions
and
32 deletions.
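--- /dev/null
+++ b/.../web_tests/external/wpt/clipboard-apis/async-navigator-clipboard-read-sanitize.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Async Clipboard.read() should sanitize text/html</title>
+<link rel="help" href="https://w3c.github.io/clipboard-apis/#dom-clipboard-read">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1315563">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<p><button id="button">Put payload in the clipboard</button></p>
+<div id="output"></div>
+
+<script>
+let testFailed = false;
+function fail() {
+testFailed = true;
+}
+
+button.onclick = () => document.execCommand('copy');
+document.oncopy = ev => {
+ev.preventDefault();
+ev.clipboardData.setData(
+'text/html',
+`<form><math><mtext></form><form><mglyph><xmp></math><img src=invalid onerror=fail()></xmp>`);
+};
+
+promise_test(async test => {
+await test_driver.set_permission({name: 'clipboard-read'}, 'granted');
+await test_driver.click(button);
+
+const items = await navigator.clipboard.read();
+const htmlBlob = await items[0].getType("text/html");
+const html = await htmlBlob.text();
+
+// This inserts an image with `onerror` handler if `html` is not properly sanitized
+output.innerHTML = html;
+
+// Allow the 'error' event to be dispatched asynchronously
+await new Promise(resolve => test.step_timeout(resolve, 100));
+
+assert_false(testFailed);
+});
+</script>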
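Review bot: The only evidence the test collects is the `testFailed` flag read after a fixed 100 ms wait (`await new Promise(resolve => test.step_timeout(resolve, 100))`), so on a slow bot the `error` event for `src=invalid` can fire after `assert_false(testFailed)` has already passed, and an unsanitized clipboard payload would go unnoticed. Add a synchronous structural check immediately after `output.innerHTML = html;`, `assert_equals(output.querySelector('img'), null, 'sanitized text/html must not re-parse into the injected img');`, so the mutation-XSS vector is rejected deterministically and the timed check becomes a secondary guard rather than the sole one. It would also be worth routing the inline handler through the harness, e.g. `window.fail = test.unreached_func('onerror ran: text/html was not sanitized');` inside the promise_test, so a late-firing handler is presumably surfaced as a harness failure instead of being silently ignored once the test has resolved (confirm testharness.js behaviour for post-completion calls). The title/help links are good; consider also noting in a comment that the payload is the specific form/math/mglyph/xmp nesting from crbug 1315563 that survives a single parse-serialize round, so future maintainers do not "simplify" it into something a single round already strips.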