Google Git
Sign in
chromium / chromium / src / d16226271d4d501de19f019aba1c145930b45503
commitd16226271d4d501de19f019aba1c145930b45503[log] [tgz]
authorMason Freed <masonfreed@chromium.org>Sat Nov 30 07:48:15 2019
committerCommit Bot <commit-bot@chromium.org>Sat Nov 30 07:48:15 2019
tree751f60562b6899a301cd2dce924a72d56280ced9
parent373d764fb0056a63eb91cd332824417aa9022fb6 [diff]
Fix parser mXSS sanitizer bypass for <p> and <br> within foreign context

Prior to this CL, the following code:
 <svg></p></svg>
parsed to this innerHTML: <svg><p></p></svg>

This is in contrast to this code:
 <svg><p></svg>
which parses to <svg></svg><p></p>

The fact that the </p> is left inside the <svg> allowed sanitizer
bypasses as detailed in [1]. Please also see [2] for the spec
discussion.

With this CL, </p> and </br> within a foreign context now cause
the closing of the foreign context.

[1] https://research.securitum.com/dompurify-bypass-using-mxss/
[2] https://github.com/whatwg/html/issues/5113

Bug: 1005713
Change-Id: Ic07ee50de4eb1ef19b73a075bd83785c99f4f891
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1940722
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#720315}
3 files changed
tree: 751f60562b6899a301cd2dce924a72d56280ced9
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. weblayer/
  52. .clang-format
  53. .clang-tidy
  54. .eslintrc.js
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. .vpython
  60. .vpython3
  61. AUTHORS
  62. BUILD.gn
  63. CODE_OF_CONDUCT.md
  64. codereview.settings
  65. DEPS
  66. ENG_REVIEW_OWNERS
  67. LICENSE
  68. LICENSE.chromium_os
  69. OWNERS
  70. PRESUBMIT.py
  71. PRESUBMIT_test.py
  72. PRESUBMIT_test_mocks.py
  73. README.md
  74. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .