Changeset 223440 in webkit

Timestamp:

Oct 16, 2017 2:44:28 PM (7 years ago)

Author:

rniwa@webkit.org

Message:

Cannot access images included in the content pasted from Microsoft Word
​https://bugs.webkit.org/show_bug.cgi?id=124391
<rdar://problem/26862741>

Reviewed by Antti Koivisto.

Source/WebCore:

The bug is caused by the fact Microsoft Word generates HTML content which references an image using file URL.
Because the websites don't have access to arbtirary file URLs, this prevents editors such as TinyMCE to save
those images.

This patch fixes the problem by converting file URLs for images and all other subresources in the web archive
generated by Microsoft Word by blob URLs like r222839 for RTF/RTFD and r222119 for images.

To avoid revealing privacy sensitive information such as the absolute local file path to the user's home directory
Microsoft Word and other applications in the system includes in the web archive placed in the system pasteboard,
this patch also introduces the mechanism to sanitize when the HTML content is read by DataTransfer's getData.

This patch also introduces the sanitization for when writing HTML into the pasteboard since other applications
in the syste which is capable to processing web archives are not necessarily equipped to pretect itself and the
rest of the system from potentially dangerous JavaScript included in the web archive placed in the system pasteboard.

Finally, this patch expands the list of clipboard types that are exposed as "text/html" to the Web platform by
adding the capability to convert RTF, RTFD, and web archive into HTML markup by introducing WebContentMarkupReader,
a new subclass of PasteboardWebContentReader which creates a HTML markup instead of a document fragment. Most of
the sanitization process happens in this new class, and will be expanded to WebContentReader to make pasting safer.

Tests: editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url.html

editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html
editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying.html
editing/pasteboard/data-transfer-set-data-sanitlize-html-when-dragging-in-null-origin.html
http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html
CopyHTML.Sanitizes
DataInteractionTests.DataTransferSanitizeHTML
PasteRTF.ExposesHTMLTypeInDataTransfer
PasteRTFD.ExposesHTMLTypeInDataTransfer
PasteRTFD.ImageElementUsesBlobURLInHTML
PasteWebArchive.ExposesHTMLTypeInDataTransfer

• dom/DataTransfer.cpp:

(WebCore::originIdentifierForDocument): Moved to Document::originIdentifierForPasteboard.
(WebCore::DataTransfer::createForCopyAndPaste):
(WebCore::DataTransfer::getDataForItem const): Use WebContentMarkupReader read HTMl content so that we can read
web arhive, RTF, and RTFD as text/html.
(WebCore::DataTransfer::getData const):
(WebCore::DataTransfer::setData):
(WebCore::DataTransfer::setDataFromItemList): Sanitize the HTML before placing into the system pasteboard.
(WebCore::DataTransfer::createForDragStartEvent):
(WebCore::DataTransfer::createForDrop):
(WebCore::DataTransfer::createForUpdatingDropTarget):

• dom/DataTransfer.h:
• dom/DataTransfer.idl:
• dom/DataTransferItem.cpp:

(WebCore::DataTransferItem::getAsString const):

• dom/Document.cpp:

(WebCore::Document::originIdentifierForPasteboard): Renamed from uniqueIdentifier. Moved the code to use the origin
string and then falling back to the UUID here from originIdentifierForDocument in DataTransfer.cpp.

• dom/Document.h:
• editing/WebContentReader.cpp:

(WebCore::WebContentMarkupReader::shouldSanitize const): Added.

• editing/WebContentReader.h:

(WebCore::WebContentMarkupReader): Added.
(WebCore::WebContentMarkupReader::WebContentMarkupReader):

• editing/cocoa/WebContentReaderCocoa.mm:

(WebCore::createFragmentFromWebArchive): Extracted out of WebContentReader::readWebArchive to share code.
(WebCore::WebContentReader::readWebArchive):
(WebCore::WebContentMarkupReader::readWebArchive): Added. Reads the web archive, replace all subresource URLs by
blob URLs, and re-generate the markup using our copy & paste code. The last step is requied to strip away any privacy
sensitive information as well as potentially dangerous JavaScript code.
(WebCore::stripMicrosoftPrefix): Extracted out of WebContentReader::readHTML to share code.
(WebCore::WebContentReader::readHTML):
(WebCore::WebContentMarkupReader::readHTML): Added. Only sanitize the markup when it comes from a different origin.
(WebCore::WebContentReader::readRTFD): Added a nullity check for frame.document().
(WebCore::WebContentMarkupReader::readRTFD): Added.
(WebCore::WebContentMarkupReader::readRTF): Added.

• editing/markup.h:
• editing/markup.cpp:

(WebCore::createPageForSanitizingWebContent): Added.
(WebCore::sanitizeMarkup): Added. This function "pastes" the markup into a new isolated document then reserializes
using our serialization code for copy. It strips away all invisible information such as comments, and strips away
event handlers and script elements to remove potentially dangerous scripts.

• platform/Pasteboard.h:
• platform/ios/PasteboardIOS.mm:

(WebCore::Pasteboard::readPasteboardWebContentDataForType): Now that this code can be called by DataTransfer, added
the checks for the change count to make sure we stop letting web content read if the pasteboard had been changed by
some other applications. To do this, turned this function into a member of Pasteboard. Also changed the return type
to an enum with tri-state to exist the loop early in the call sites.
(WebCore::Pasteboard::read):
(WebCore::Pasteboard::readRespectingUTIFidelities):

• platform/ios/PlatformPasteboardIOS.mm:

(WebCore::safeTypeForDOMToReadAndWriteForPlatformType): Treat RTF, RTFD, and web archive as HTML.

• platform/mac/PasteboardMac.mm:

(WebCore::Pasteboard::read): Add the change count checks now that this code can be called by DataTransfer.

• platform/mac/PlatformPasteboardMac.mm:

(WebCore::safeTypeForDOMToReadAndWriteForPlatformType): Treat RTF, RTFD, and web archive as HTML.

Tools:

Added tests for sanitizing HTML contents for copy & paste and drag & drop.

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKitCocoa/CopyHTML.mm: Added.

(readHTMLFromPasteboard): Added.
(createWebViewWithCustomPasteboardDataEnabled): Added.
(CopyHTML.Sanitizes): Added.

• TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm:

(createWebViewWithCustomPasteboardDataEnabled): Added to enable more tests on bots.

• TestWebKitAPI/Tests/WebKitCocoa/PasteRTFD.mm:

(writeRTFToPasteboard): Added.
(createWebViewWithCustomPasteboardDataEnabled): Added.
(createHelloWorldString): Added.
(PasteRTF.ExposesHTMLTypeInDataTransfer): Added.
(PasteRTFD.ExposesHTMLTypeInDataTransfer): Added.
(PasteRTFD.ImageElementUsesBlobURLInHTML): Added.

• TestWebKitAPI/Tests/WebKitCocoa/copy-html.html: Added.
• TestWebKitAPI/Tests/WebKitCocoa/paste-rtfd.html: Store the clipboardData contents for

PasteRTF.ExposesHTMLTypeInDataTransfer and PasteRTFD.ExposesHTMLTypeInDataTransfer.

• TestWebKitAPI/Tests/ios/DataInteractionTests.mm:

(DataInteractionTests.DataTransferSanitizeHTML):

LayoutTests:

Added tests for copying & pasting and dragging & dropping HTML contents.

• TestExpectations:
• editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt: Rebaselined.
• editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Ditto.
• editing/pasteboard/data-transfer-get-data-on-paste-rich-text.html: Modified the test to strip away platform specific

inline style properties.

• editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url-expected.txt: Added.
• editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-dragging-in-null-origin-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-html-when-dragging-in-null-origin.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitizes-url-when-dragging-in-null-origin.html: Removed the superflous

call to setTimeout that was errornously added during debugging. Also updated the test to not claim all URL and
HTML values are read in the same origin, and updated the assertion for cross-origin case as it's now sanitized.

• editing/pasteboard/onpaste-text-html-expected.txt: Rebaselined. The order of CSS properties have changed.
• http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html-expected.txt: Added.
• http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html: Added.
• http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html:
• http/tests/security/clipboard/resources/copy-html.html: Added.
• http/tests/security/clipboard/resources/copy-url.html: Renamed from copy.html.
• platform/ios-wk2/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Remoevd.
• platform/ios-wk1/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Remoevd.
• platform/mac-wk1/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-rich-text.html (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url.html (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-html-when-dragging-in-null-origin-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-html-when-dragging-in-null-origin.html (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin.html (modified) (2 diffs)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying.html (added)
• LayoutTests/editing/pasteboard/onpaste-text-html-expected.txt (modified) (1 diff)
• LayoutTests/fast/events/ondrop-text-html-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html-expected.txt (added)
• LayoutTests/http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html (added)
• LayoutTests/http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html (modified) (1 diff)
• LayoutTests/http/tests/security/clipboard/resources/copy-html.html (added)
• LayoutTests/http/tests/security/clipboard/resources/copy-url.html (added)
• LayoutTests/http/tests/security/clipboard/resources/copy.html (deleted)
• LayoutTests/platform/ios-wk1/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt (deleted)
• LayoutTests/platform/ios-wk2/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt (deleted)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/DataTransfer.cpp (modified) (9 diffs)
• Source/WebCore/dom/DataTransfer.h (modified) (1 diff)
• Source/WebCore/dom/DataTransfer.idl (modified) (1 diff)
• Source/WebCore/dom/DataTransferItem.cpp (modified) (3 diffs)
• Source/WebCore/dom/DataTransferItem.h (modified) (1 diff)
• Source/WebCore/dom/DataTransferItem.idl (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)
• Source/WebCore/dom/Document.h (modified) (1 diff)
• Source/WebCore/editing/WebContentReader.cpp (modified) (2 diffs)
• Source/WebCore/editing/WebContentReader.h (modified) (1 diff)
• Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm (modified) (5 diffs)
• Source/WebCore/editing/markup.cpp (modified) (4 diffs)
• Source/WebCore/editing/markup.h (modified) (1 diff)
• Source/WebCore/platform/Pasteboard.h (modified) (2 diffs)
• Source/WebCore/platform/ios/PasteboardIOS.mm (modified) (4 diffs)
• Source/WebCore/platform/ios/PlatformPasteboardIOS.mm (modified) (1 diff)
• Source/WebCore/platform/mac/PasteboardMac.mm (modified) (12 diffs)
• Source/WebCore/platform/mac/PlatformPasteboardMac.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (8 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/CopyHTML.mm (added)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm (modified) (4 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/PasteRTFD.mm (modified) (6 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/PasteWebArchive.mm (added)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/copy-html.html (added)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/paste-rtfd.html (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/ios/DataInteractionTests.mm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-10-15  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Cannot access images included in the content pasted from Microsoft Word
+        https://bugs.webkit.org/show_bug.cgi?id=124391
+        <rdar://problem/26862741>
+
+        Reviewed by Antti Koivisto.
+
+        Added tests for copying & pasting and dragging & dropping HTML contents.
+
+        * TestExpectations:
+        * editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt: Rebaselined.
+        * editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Ditto.
+        * editing/pasteboard/data-transfer-get-data-on-paste-rich-text.html: Modified the test to strip away platform specific
+        inline style properties.
+        * editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url-expected.txt: Added.
+        * editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-dragging-in-null-origin-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-html-when-dragging-in-null-origin.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitizes-url-when-dragging-in-null-origin.html: Removed the superflous
+        call to setTimeout that was errornously added during debugging. Also updated the test to not claim all URL and
+        HTML values are read in the same origin, and updated the assertion for cross-origin case as it's now sanitized.
+        * editing/pasteboard/onpaste-text-html-expected.txt: Rebaselined. The order of CSS properties have changed.
+        * http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html-expected.txt: Added.
+        * http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html: Added.
+        * http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html:
+        * http/tests/security/clipboard/resources/copy-html.html: Added.
+        * http/tests/security/clipboard/resources/copy-url.html: Renamed from copy.html.
+        * platform/ios-wk2/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Remoevd.
+        * platform/ios-wk1/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Remoevd.
+        * platform/mac-wk1/TestExpectations:
+
 2017-10-16  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/LayoutTests/TestExpectations

@@ -75 +75 @@
 editing/pasteboard/data-transfer-get-data-on-drop-url.html [ Skip ]
 editing/pasteboard/data-transfer-is-unique-for-dragenter-and-dragleave.html [ Skip ]
+editing/pasteboard/data-transfer-set-data-sanitize-html-when-dragging-in-null-origin.html [ Skip ]
 editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin.html [ Skip ]
+
 editing/pasteboard/drag-end-crash-accessing-item-list.html [ Skip ]
 editing/pasteboard/data-transfer-item-list-add-file-on-drag.html [ Skip ]

trunk/LayoutTests/editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt

@@ -6 +6 @@
     },
     "drop": {
-        "text/html": "<strong style=\"font-family: -apple-system; font-size: 150px; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; color: purple;\">Rich text</strong>",
+        "text/html": "<strong style=\"font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-family: -apple-system; font-size: 150px; white-space: nowrap; color: purple;\">Rich text</strong>",
         "text/plain": "Rich text"
     }

trunk/LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt

@@ -2 +2 @@
 {
     "paste": {
-        "text/html": "<span style=\"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -apple-system; font-size: 150px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: inline !important; float: none;\">Rich text</span>",
+        "text/html": "<span style=\"...\"\">Rich text</span>",
         "text/plain": "Rich text"
     }

trunk/LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-rich-text.html

@@ -36 +36 @@
     const eventData = {};
     for (const type of event.clipboardData.types)
-        eventData[type] = event.clipboardData.getData(type);
+        eventData[type] = event.clipboardData.getData(type).replace(/style="[^"]+"/g, 'style="...""');
     result[event.type] = eventData;
     output.textContent = JSON.stringify(result, null, "    ");

trunk/LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin-expected.txt

@@ -5 +5 @@
 
 dragstart in the null origin document:
-PASS urlReadInSameDocument is "http://webkit.org/b/🤔?x=8 + 6"
-PASS htmlReadInSameDocument is "testing"
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is "http://webkit.org/b/🤔?x=8 + 6"
+PASS html is "testing"
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 
 dragover in the null origin document:
-PASS urlReadInSameDocument is ""
-PASS htmlReadInSameDocument is ""
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is ""
+PASS html is ""
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 
 drop in the null origin document:
-PASS urlReadInSameDocument is "http://webkit.org/b/🤔?x=8 + 6"
-PASS htmlReadInSameDocument is "testing"
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is "http://webkit.org/b/🤔?x=8 + 6"
+PASS html is "testing"
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 
 dragstart in the null origin document:
-PASS urlReadInSameDocument is "http://webkit.org/b/🤔?x=8 + 6"
-PASS htmlReadInSameDocument is "testing"
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is "http://webkit.org/b/🤔?x=8 + 6"
+PASS html is "testing"
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 
 dragover in the file URL document:
-PASS urlReadInSameDocument is ""
-PASS htmlReadInSameDocument is ""
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is ""
+PASS html is ""
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 
 drop in the file URL document:
-PASS urlReadInSameDocument is "http://webkit.org/b/%F0%9F%A4%94?x=8%20+%206"
-PASS htmlReadInSameDocument is "testing"
-PASS JSON.stringify(typesInSameDocument) is "[\"text/uri-list\",\"text/html\"]"
-PASS JSON.stringify(itemsInSameDocument) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
+PASS url is "http://webkit.org/b/%F0%9F%A4%94?x=8%20+%206"
+PASS html.includes("testing") is true
+PASS JSON.stringify(types) is "[\"text/uri-list\",\"text/html\"]"
+PASS JSON.stringify(items) is "[{\"kind\":\"string\",\"type\":\"text/uri-list\"},{\"kind\":\"string\",\"type\":\"text/html\"}]"
 PASS successfullyParsed is true
 

trunk/LayoutTests/editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin.html

@@ -84 +84 @@
     switch (kind) {
     case 'dragstart':
-        urlReadInSameDocument = event.data.url;
-        shouldBeEqualToString('urlReadInSameDocument', originalURL);
-        htmlReadInSameDocument = event.data.html;
-        shouldBeEqualToString('htmlReadInSameDocument', "testing");
-        typesInSameDocument = event.data.types;
-        shouldBeEqualToString('JSON.stringify(typesInSameDocument)', '["text/uri-list","text/html"]');
-        itemsInSameDocument = event.data.items;
-        shouldBeEqualToString('JSON.stringify(itemsInSameDocument)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
+        url = event.data.url;
+        shouldBeEqualToString('url', originalURL);
+        html = event.data.html;
+        shouldBeEqualToString('html', "testing");
+        types = event.data.types;
+        shouldBeEqualToString('JSON.stringify(types)', '["text/uri-list","text/html"]');
+        items = event.data.items;
+        shouldBeEqualToString('JSON.stringify(items)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
         break;
     case 'dragover':
-        urlReadInSameDocument = event.data.url;
-        shouldBeEqualToString('urlReadInSameDocument', '');
-        htmlReadInSameDocument = event.data.html;
-        shouldBeEqualToString('htmlReadInSameDocument', '');
-        typesInSameDocument = event.data.types;
-        shouldBeEqualToString('JSON.stringify(typesInSameDocument)', '["text/uri-list","text/html"]');
-        itemsInSameDocument = event.data.items;
-        shouldBeEqualToString('JSON.stringify(itemsInSameDocument)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
+        url = event.data.url;
+        shouldBeEqualToString('url', '');
+        html = event.data.html;
+        shouldBeEqualToString('html', '');
+        types = event.data.types;
+        shouldBeEqualToString('JSON.stringify(types)', '["text/uri-list","text/html"]');
+        items = event.data.items;
+        shouldBeEqualToString('JSON.stringify(items)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
         break;
     case 'drop':
-        urlReadInSameDocument = event.data.url;
-        shouldBeEqualToString('urlReadInSameDocument', event.data.documentLabel.includes('null') ? originalURL : (new URL(originalURL)).href);
-        htmlReadInSameDocument = event.data.html;
-        shouldBeEqualToString('htmlReadInSameDocument', "testing");
-        typesInSameDocument = event.data.types;
-        shouldBeEqualToString('JSON.stringify(typesInSameDocument)', '["text/uri-list","text/html"]');
-        itemsInSameDocument = event.data.items;
-        shouldBeEqualToString('JSON.stringify(itemsInSameDocument)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
+        url = event.data.url;
+        isSameOrigin = event.data.documentLabel.includes('null');
+        shouldBeEqualToString('url', isSameOrigin ? originalURL : (new URL(originalURL)).href);
+        html = event.data.html;
+        if (isSameOrigin)
+            shouldBeEqualToString('html', 'testing');
+        else
+            shouldBeTrue('html.includes("testing")');
+        types = event.data.types;
+        shouldBeEqualToString('JSON.stringify(types)', '["text/uri-list","text/html"]');
+        items = event.data.items;
+        shouldBeEqualToString('JSON.stringify(items)', '[{"kind":"string","type":"text/uri-list"},{"kind":"string","type":"text/html"}]');
         if (!event.data.documentLabel.includes('null')) {
             document.getElementById('container').remove();
@@ -159 +163 @@
 }
 
-setTimeout(finishJSTest, 3000);
-
 </script>
 <script src="../../resources/js-test-post.js"></script>

trunk/LayoutTests/editing/pasteboard/onpaste-text-html-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 21: text/plain: This test verifies that we can get text/html from the clipboard during an onpaste event. 
-CONSOLE MESSAGE: line 23: text/html: <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: inline !important; float: none;">This test verifies that we can get text/html from the clipboard during an onpaste event.<span class="Apple-converted-space"> </span></span>
+CONSOLE MESSAGE: line 23: text/html: <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; float: none; display: inline !important;">This test verifies that we can get text/html from the clipboard during an onpaste event.<span class="Apple-converted-space"> </span></span>
 This test verifies that we can get text/html from the clipboard during an onpaste event. This test requires DRT.
 Paste content in this div.This test verifies that we can get text/html from the clipboard during an onpaste event. 

trunk/LayoutTests/fast/events/ondrop-text-html-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 21: text/plain: This test verifies that we can get text/html from the drag object during an ondrop event. 
-CONSOLE MESSAGE: line 23: text/html: <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: inline !important; float: none;">This test verifies that we can get text/html from the drag object during an ondrop event.<span class="Apple-converted-space"> </span></span>
+CONSOLE MESSAGE: line 23: text/html: <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; float: none; display: inline !important;">This test verifies that we can get text/html from the drag object during an ondrop event.<span class="Apple-converted-space"> </span></span>
 This test verifies that we can get text/html from the drag object during an ondrop event. This test requires DRT.
 PASS

trunk/LayoutTests/http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html

@@ -34 +34 @@
 
 </script>
-<iframe src="http://localhost:8000/security/clipboard/resources/copy.html"></iframe>
+<iframe src="http://localhost:8000/security/clipboard/resources/copy-url.html"></iframe>
 <div id="destination" onpaste="doPaste(event)" contenteditable>3. Paste here</div>
 <script src="/resources/js-test-post.js"></script>

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -13 +13 @@
 editing/pasteboard/data-transfer-get-data-on-drop-url.html [ Pass ]
 editing/pasteboard/data-transfer-is-unique-for-dragenter-and-dragleave.html [ Pass ]
+editing/pasteboard/data-transfer-set-data-sanitize-html-when-dragging-in-null-origin.html [ Pass ]
 editing/pasteboard/data-transfer-set-data-sanitize-url-when-dragging-in-null-origin.html [ Pass ]
 editing/pasteboard/drag-end-crash-accessing-item-list.html [ Pass ]

trunk/LayoutTests/platform/win/TestExpectations

@@ -1136 +1136 @@
 
 # Custom pasteboard data is not supported on Windows.
-http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html
+http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html [ Skip ]
+http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html [ Skip ]
 
 webkit.org/b/140783 [ Release ] editing/pasteboard/copy-standalone-image.html [ Failure ImageOnlyFailure ]

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-10-15  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Cannot access images included in the content pasted from Microsoft Word
+        https://bugs.webkit.org/show_bug.cgi?id=124391
+        <rdar://problem/26862741>
+
+        Reviewed by Antti Koivisto.
+
+        The bug is caused by the fact Microsoft Word generates HTML content which references an image using file URL.
+        Because the websites don't have access to arbtirary file URLs, this prevents editors such as TinyMCE to save
+        those images.
+
+        This patch fixes the problem by converting file URLs for images and all other subresources in the web archive
+        generated by Microsoft Word by blob URLs like r222839 for RTF/RTFD and r222119 for images.
+
+        To avoid revealing privacy sensitive information such as the absolute local file path to the user's home directory
+        Microsoft Word and other applications in the system includes in the web archive placed in the system pasteboard,
+        this patch also introduces the mechanism to sanitize when the HTML content is read by DataTransfer's getData.
+
+        This patch also introduces the sanitization for when writing HTML into the pasteboard since other applications
+        in the syste which is capable to processing web archives are not necessarily equipped to pretect itself and the
+        rest of the system from potentially dangerous JavaScript included in the web archive placed in the system pasteboard.
+
+        Finally, this patch expands the list of clipboard types that are exposed as "text/html" to the Web platform by
+        adding the capability to convert RTF, RTFD, and web archive into HTML markup by introducing WebContentMarkupReader,
+        a new subclass of PasteboardWebContentReader which creates a HTML markup instead of a document fragment. Most of
+        the sanitization process happens in this new class, and will be expanded to WebContentReader to make pasting safer.
+
+        Tests: editing/pasteboard/data-transfer-get-data-on-pasting-html-uses-blob-url.html
+               editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html
+               editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying.html
+               editing/pasteboard/data-transfer-set-data-sanitlize-html-when-dragging-in-null-origin.html
+               http/tests/security/clipboard/copy-paste-html-across-origin-sanitizes-html.html
+               CopyHTML.Sanitizes
+               DataInteractionTests.DataTransferSanitizeHTML
+               PasteRTF.ExposesHTMLTypeInDataTransfer
+               PasteRTFD.ExposesHTMLTypeInDataTransfer
+               PasteRTFD.ImageElementUsesBlobURLInHTML
+               PasteWebArchive.ExposesHTMLTypeInDataTransfer
+
+        * dom/DataTransfer.cpp:
+        (WebCore::originIdentifierForDocument): Moved to Document::originIdentifierForPasteboard.
+        (WebCore::DataTransfer::createForCopyAndPaste):
+        (WebCore::DataTransfer::getDataForItem const): Use WebContentMarkupReader read HTMl content so that we can read
+        web arhive, RTF, and RTFD as text/html.
+        (WebCore::DataTransfer::getData const):
+        (WebCore::DataTransfer::setData):
+        (WebCore::DataTransfer::setDataFromItemList): Sanitize the HTML before placing into the system pasteboard.
+        (WebCore::DataTransfer::createForDragStartEvent):
+        (WebCore::DataTransfer::createForDrop):
+        (WebCore::DataTransfer::createForUpdatingDropTarget):
+        * dom/DataTransfer.h:
+        * dom/DataTransfer.idl:
+        * dom/DataTransferItem.cpp:
+        (WebCore::DataTransferItem::getAsString const):
+        * dom/Document.cpp:
+        (WebCore::Document::originIdentifierForPasteboard): Renamed from uniqueIdentifier. Moved the code to use the origin
+        string and then falling back to the UUID here from originIdentifierForDocument in DataTransfer.cpp.
+        * dom/Document.h:
+        * editing/WebContentReader.cpp:
+        (WebCore::WebContentMarkupReader::shouldSanitize const): Added.
+        * editing/WebContentReader.h:
+        (WebCore::WebContentMarkupReader): Added.
+        (WebCore::WebContentMarkupReader::WebContentMarkupReader):
+        * editing/cocoa/WebContentReaderCocoa.mm:
+        (WebCore::createFragmentFromWebArchive): Extracted out of WebContentReader::readWebArchive to share code.
+        (WebCore::WebContentReader::readWebArchive):
+        (WebCore::WebContentMarkupReader::readWebArchive): Added. Reads the web archive, replace all subresource URLs by
+        blob URLs, and re-generate the markup using our copy & paste code. The last step is requied to strip away any privacy
+        sensitive information as well as potentially dangerous JavaScript code.
+        (WebCore::stripMicrosoftPrefix): Extracted out of WebContentReader::readHTML to share code.
+        (WebCore::WebContentReader::readHTML):
+        (WebCore::WebContentMarkupReader::readHTML): Added. Only sanitize the markup when it comes from a different origin.
+        (WebCore::WebContentReader::readRTFD): Added a nullity check for frame.document().
+        (WebCore::WebContentMarkupReader::readRTFD): Added.
+        (WebCore::WebContentMarkupReader::readRTF): Added.
+        * editing/markup.h:
+        * editing/markup.cpp:
+        (WebCore::createPageForSanitizingWebContent): Added.
+        (WebCore::sanitizeMarkup): Added. This function "pastes" the markup into a new isolated document then reserializes
+        using our serialization code for copy. It strips away all invisible information such as comments, and strips away
+        event handlers and script elements to remove potentially dangerous scripts.
+        * platform/Pasteboard.h:
+        * platform/ios/PasteboardIOS.mm:
+        (WebCore::Pasteboard::readPasteboardWebContentDataForType): Now that this code can be called by DataTransfer, added
+        the checks for the change count to make sure we stop letting web content read if the pasteboard had been changed by
+        some other applications. To do this, turned this function into a member of Pasteboard. Also changed the return type
+        to an enum with tri-state to exist the loop early in the call sites.
+        (WebCore::Pasteboard::read):
+        (WebCore::Pasteboard::readRespectingUTIFidelities):
+        * platform/ios/PlatformPasteboardIOS.mm:
+        (WebCore::safeTypeForDOMToReadAndWriteForPlatformType): Treat RTF, RTFD, and web archive as HTML.
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::Pasteboard::read): Add the change count checks now that this code can be called by DataTransfer.
+        * platform/mac/PlatformPasteboardMac.mm:
+        (WebCore::safeTypeForDOMToReadAndWriteForPlatformType): Treat RTF, RTFD, and web archive as HTML.
+
 2017-10-16  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/dom/DataTransfer.cpp

@@ -31 +31 @@
 #include "DataTransferItem.h"
 #include "DataTransferItemList.h"
+#include "DocumentFragment.h"
 #include "DragData.h"
 #include "Editor.h"
@@ -43 +44 @@
 #include "StaticPasteboard.h"
 #include "URLParser.h"
+#include "WebContentReader.h"
 #include "WebCorePasteboardFileReader.h"
+#include "markup.h"
 
 namespace WebCore {
@@ -79 +82 @@
 }
 
-static String originIdentifierForDocument(Document& document)
-{
-    auto origin = document.securityOrigin().toString();
-    if (origin == "null")
-        return document.uniqueIdentifier();
-    return origin;
-}
-
 Ref<DataTransfer> DataTransfer::createForCopyAndPaste(Document& document, StoreMode storeMode, std::unique_ptr<Pasteboard>&& pasteboard)
 {
     auto dataTransfer = adoptRef(*new DataTransfer(storeMode, WTFMove(pasteboard)));
-    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    dataTransfer->m_originIdentifier = document.originIdentifierForPasteboard();
     return dataTransfer;
 }
@@ -147 +142 @@
 }
 
-String DataTransfer::getDataForItem(const String& type) const
+String DataTransfer::getDataForItem(Document& document, const String& type) const
 {
     if (!canReadData())
@@ -165 +160 @@
         return m_pasteboard->readString(lowercaseType);
 
-    bool isSameOrigin = false;
-    if (is<StaticPasteboard>(*m_pasteboard)) {
-        // StaticPasteboard is only used to stage data written by websites before being committed to the system pasteboard.
-        isSameOrigin = true;
-    } else if (!m_originIdentifier.isNull()) {
-        String originOfPasteboard = m_pasteboard->readOrigin();
-        isSameOrigin = m_originIdentifier == originOfPasteboard;
-    }
-
-    if (!isSameOrigin) {
-        if (!Pasteboard::isSafeTypeForDOMToReadAndWrite(lowercaseType))
+    // StaticPasteboard is only used to stage data written by websites before being committed to the system pasteboard.
+    bool isSameOrigin = is<StaticPasteboard>(*m_pasteboard) || (!m_originIdentifier.isNull() && m_originIdentifier == m_pasteboard->readOrigin());
+    if (isSameOrigin) {
+        String value = m_pasteboard->readStringInCustomData(lowercaseType);
+        if (!value.isNull())
+            return value;
+    }
+    if (!Pasteboard::isSafeTypeForDOMToReadAndWrite(lowercaseType))
+        return { };
+
+    if (!is<StaticPasteboard>(*m_pasteboard) && type == "text/html") {
+        if (!document.frame())
             return { };
-        return m_pasteboard->readString(lowercaseType);
-    }
-
-    String value = m_pasteboard->readStringInCustomData(lowercaseType);
-    if (value.isNull() && Pasteboard::isSafeTypeForDOMToReadAndWrite(lowercaseType))
-        value = m_pasteboard->readString(lowercaseType);
-    return value;
-}
-
-String DataTransfer::getData(const String& type) const
-{
-    return getDataForItem(normalizeType(type));
+        WebContentMarkupReader reader { *document.frame() };
+        m_pasteboard->read(reader);
+        return reader.markup;
+    }
+
+    return m_pasteboard->readString(type);
+}
+
+String DataTransfer::getData(Document& document, const String& type) const
+{
+    return getDataForItem(document, normalizeType(type));
 }
 
@@ -223 +218 @@
 
     String sanitizedData;
-    if (type == "text/uri-list") {
+    if (type == "text/html")
+        sanitizedData = sanitizeMarkup(data);
+    else if (type == "text/uri-list") {
         auto url = URLParser(data).result();
         if (url.isValid())
             sanitizedData = url.string();
-    } else if (type == "text/plain" || type == "text/html")
+    } else if (type == "text/plain")
         sanitizedData = data; // Nothing to sanitize.
 
@@ -431 +428 @@
 {
     auto dataTransfer = adoptRef(*new DataTransfer(StoreMode::ReadWrite, std::make_unique<StaticPasteboard>(), Type::DragAndDropData));
-    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    dataTransfer->m_originIdentifier = document.originIdentifierForPasteboard();
     return dataTransfer;
 }
@@ -439 +436 @@
     auto dataTransfer = adoptRef(*new DataTransfer(DataTransfer::StoreMode::Readonly, WTFMove(pasteboard), draggingFiles ? Type::DragAndDropFiles : Type::DragAndDropData));
     dataTransfer->setSourceOperation(sourceOperation);
-    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    dataTransfer->m_originIdentifier = document.originIdentifierForPasteboard();
     return dataTransfer;
 }
@@ -454 +451 @@
     auto dataTransfer = adoptRef(*new DataTransfer(mode, WTFMove(pasteboard), draggingFiles ? Type::DragAndDropFiles : Type::DragAndDropData));
     dataTransfer->setSourceOperation(sourceOperation);
-    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    dataTransfer->m_originIdentifier = document.originIdentifierForPasteboard();
     return dataTransfer;
 }

trunk/Source/WebCore/dom/DataTransfer.h

@@ -65 +65 @@
     void clearData(const String& type = String());
 
-    String getData(const String& type) const;
-    String getDataForItem(const String& type) const;
+    String getData(Document&, const String& type) const;
+    String getDataForItem(Document&, const String& type) const;
 
     void setData(const String& type, const String& data);

trunk/Source/WebCore/dom/DataTransfer.idl

@@ -39 +39 @@
 
     readonly attribute FrozenArray<DOMString> types;
-    DOMString getData(DOMString format);
+    [CallWith=Document] DOMString getData(DOMString format);
     void setData(DOMString format, DOMString data);
     void clearData(optional DOMString format);

trunk/Source/WebCore/dom/DataTransferItem.cpp

@@ -35 +35 @@
 #include "DOMFileSystem.h"
 #include "DataTransferItemList.h"
+#include "Document.h"
 #include "File.h"
 #include "FileSystem.h"
@@ -86 +87 @@
 }
 
-void DataTransferItem::getAsString(ScriptExecutionContext& context, RefPtr<StringCallback>&& callback) const
+void DataTransferItem::getAsString(Document& document, RefPtr<StringCallback>&& callback) const
 {
     if (!callback || !m_list || m_file)
@@ -96 +97 @@
 
     // FIXME: Make this async.
-    callback->scheduleCallback(context, dataTransfer.getDataForItem(m_type));
+    callback->scheduleCallback(document, dataTransfer.getDataForItem(document, m_type));
 }
 

trunk/Source/WebCore/dom/DataTransferItem.h

@@ -61 +61 @@
     String kind() const;
     String type() const;
-    void getAsString(ScriptExecutionContext&, RefPtr<StringCallback>&&) const;
+    void getAsString(Document&, RefPtr<StringCallback>&&) const;
     RefPtr<File> getAsFile() const;
     RefPtr<FileSystemEntry> getAsEntry(ScriptExecutionContext&) const;

trunk/Source/WebCore/dom/DataTransferItem.idl

@@ -37 +37 @@
     readonly attribute DOMString type;
 
-    [CallWith=ScriptExecutionContext] void getAsString(StringCallback? callback);
+    [CallWith=Document] void getAsString(StringCallback? callback);
     File getAsFile();
 

trunk/Source/WebCore/dom/Document.cpp

@@ -5301 +5301 @@
 #endif
 
-String Document::uniqueIdentifier()
-{
+String Document::originIdentifierForPasteboard()
+{
+    auto origin = securityOrigin().toString();
+    if (origin != "null")
+        return origin;
     if (!m_uniqueIdentifier)
         m_uniqueIdentifier = "null:" + createCanonicalUUIDString();

trunk/Source/WebCore/dom/Document.h

@@ -957 +957 @@
     uint64_t domTreeVersion() const { return m_domTreeVersion; }
 
-    String uniqueIdentifier();
+    String originIdentifierForPasteboard();
 
     // XPathEvaluator methods

trunk/Source/WebCore/editing/WebContentReader.cpp

@@ -27 +27 @@
 #include "WebContentReader.h"
 
+#include "Document.h"
 #include "DocumentFragment.h"
 
@@ -39 +40 @@
 }
 
+bool WebContentMarkupReader::shouldSanitize() const
+{
+    return frame.document() && frame.document()->originIdentifierForPasteboard() != contentOrigin;
 }
 
+}
+

trunk/Source/WebCore/editing/WebContentReader.h

@@ -66 +66 @@
 };
 
+class WebContentMarkupReader final : public PasteboardWebContentReader {
+public:
+    Frame& frame;
+    String markup;
+
+    explicit WebContentMarkupReader(Frame& frame)
+        : frame(frame)
+    {
+    }
+
+private:
+    bool shouldSanitize() const;
+
+#if PLATFORM(COCOA)
+    bool readWebArchive(SharedBuffer&) override;
+    bool readFilenames(const Vector<String>&) override { return false; }
+    bool readHTML(const String&) override;
+    bool readRTFD(SharedBuffer&) override;
+    bool readRTF(SharedBuffer&) override;
+    bool readImage(Ref<SharedBuffer>&&, const String&) override { return false; }
+    bool readURL(const URL&, const String&) override { return false; }
+#endif
+    bool readPlainText(const String&) override { return false; }
+};
+
 #if PLATFORM(COCOA) && defined(__OBJC__)
 struct FragmentAndResources {

trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm

@@ -40 +40 @@
 #import "HTMLImageElement.h"
 #import "LegacyWebArchive.h"
+#import "MainFrame.h"
 #import "Page.h"
 #import "Settings.h"
+#import "SocketProvider.h"
 #import "WebArchiveResourceFromNSAttributedString.h"
 #import "WebArchiveResourceWebResourceHandler.h"
@@ -180 +182 @@
 }
 
-bool WebContentReader::readWebArchive(SharedBuffer& buffer)
-{
-    if (frame.settings().preferMIMETypeForImages() || !frame.document())
-        return false;
-
+struct FragmentAndArchive {
+    Ref<DocumentFragment> fragment;
+    Ref<Archive> archive;
+};
+
+static std::optional<FragmentAndArchive> createFragmentFromWebArchive(Document& document, SharedBuffer& buffer, const std::function<bool(const String)>& canShowMIMETypeAsHTML)
+{
     auto archive = LegacyWebArchive::create(URL(), buffer);
     if (!archive)
-        return false;
+        return std::nullopt;
 
     RefPtr<ArchiveResource> mainResource = archive->mainResource();
     if (!mainResource)
-        return false;
+        return std::nullopt;
 
     auto type = mainResource->mimeType();
-    if (!frame.loader().client().canShowMIMETypeAsHTML(type))
+    if (!canShowMIMETypeAsHTML(type))
+        return std::nullopt;
+
+    auto markupString = String::fromUTF8(mainResource->data().data(), mainResource->data().size());
+    auto fragment = createFragmentFromMarkup(document, markupString, mainResource->url(), DisallowScriptingAndPluginContent);
+
+    return FragmentAndArchive { WTFMove(fragment), archive.releaseNonNull() };
+}
+
+bool WebContentReader::readWebArchive(SharedBuffer& buffer)
+{
+    if (frame.settings().preferMIMETypeForImages() || !frame.document())
         return false;
 
     DeferredLoadingScope scope(frame);
-    auto markupString = String::fromUTF8(mainResource->data().data(), mainResource->data().size());
-    addFragment(createFragmentFromMarkup(*frame.document(), markupString, mainResource->url(), DisallowScriptingAndPluginContent));
-
+    auto result = createFragmentFromWebArchive(*frame.document(), buffer, [&] (const String& type) {
+        return frame.loader().client().canShowMIMETypeAsHTML(type);
+    });
+    if (!result)
+        return false;
+
+    fragment = WTFMove(result->fragment);
     if (DocumentLoader* loader = frame.loader().documentLoader())
-        loader->addAllArchiveResources(*archive);
-
-    return true;
-}
-
-bool WebContentReader::readHTML(const String& string)
-{
-    String stringOmittingMicrosoftPrefix = string;
-    
+        loader->addAllArchiveResources(result->archive.get());
+
+    return true;
+}
+
+bool WebContentMarkupReader::readWebArchive(SharedBuffer& buffer)
+{
+    auto page = createPageForSanitizingWebContent();
+    Document* stagingDocument = page->mainFrame().document();
+    ASSERT(stagingDocument);
+
+    DeferredLoadingScope scope(frame);
+    auto result = createFragmentFromWebArchive(*stagingDocument, buffer, [&] (const String& type) {
+        return frame.loader().client().canShowMIMETypeAsHTML(type);
+    });
+    if (!result)
+        return false;
+
+    HashMap<AtomicString, AtomicString> blobURLMap;
+    for (const Ref<ArchiveResource>& subresource : result->archive->subresources()) {
+        auto blob = Blob::create(subresource->data(), subresource->mimeType());
+        String blobURL = DOMURL::createObjectURL(*frame.document(), blob);
+        blobURLMap.set(subresource->url().string(), blobURL);
+    }
+    replaceSubresourceURLs(result->fragment.get(), WTFMove(blobURLMap));
+
+    auto* bodyElement = stagingDocument->body();
+    ASSERT(bodyElement);
+    bodyElement->appendChild(result->fragment);
+
+    auto range = Range::create(*stagingDocument);
+    range->selectNodeContents(*bodyElement);
+    markup = createMarkup(range.get(), nullptr, AnnotateForInterchange, false, ResolveNonLocalURLs);
+
+    return true;
+}
+
+static String stripMicrosoftPrefix(const String& string)
+{
 #if PLATFORM(MAC)
     // This code was added to make HTML paste from Microsoft Word on Mac work, back in 2004.
@@ -218 +267 @@
         size_t location = string.findIgnoringCase("<html");
         if (location != notFound)
-            stringOmittingMicrosoftPrefix = string.substring(location);
-    }
-#endif
-
+            return string.substring(location);
+    }
+#endif
+    return string;
+}
+
+bool WebContentReader::readHTML(const String& string)
+{
+    if (frame.settings().preferMIMETypeForImages() || !frame.document())
+        return false;
+    Document& document = *frame.document();
+
+    String stringOmittingMicrosoftPrefix = stripMicrosoftPrefix(string);
     if (stringOmittingMicrosoftPrefix.isEmpty())
         return false;
 
+    addFragment(createFragmentFromMarkup(document, stringOmittingMicrosoftPrefix, emptyString(), DisallowScriptingAndPluginContent));
+    return true;
+}
+
+bool WebContentMarkupReader::readHTML(const String& string)
+{
     if (!frame.document())
         return false;
-    Document& document = *frame.document();
-
-    addFragment(createFragmentFromMarkup(document, stringOmittingMicrosoftPrefix, emptyString(), DisallowScriptingAndPluginContent));
-    return true;
+
+    String rawHTML = stripMicrosoftPrefix(string);
+    if (shouldSanitize())
+        markup = sanitizeMarkup(rawHTML);
+    else
+        markup = rawHTML;
+
+    return !markup.isEmpty();
 }
 
 bool WebContentReader::readRTFD(SharedBuffer& buffer)
 {
-    if (frame.settings().preferMIMETypeForImages())
+    if (frame.settings().preferMIMETypeForImages() || !frame.document())
         return false;
 
@@ -246 +314 @@
 }
 
+bool WebContentMarkupReader::readRTFD(SharedBuffer& buffer)
+{
+    if (!frame.document())
+        return false;
+    auto fragment = createFragmentAndAddResources(frame, adoptNS([[NSAttributedString alloc] initWithRTFD:buffer.createNSData().get() documentAttributes:nullptr]).get());
+    markup = createMarkup(*fragment);
+    return true;
+}
+
 bool WebContentReader::readRTF(SharedBuffer& buffer)
 {
@@ -256 +333 @@
     addFragment(fragment.releaseNonNull());
 
+    return true;
+}
+
+bool WebContentMarkupReader::readRTF(SharedBuffer& buffer)
+{
+    if (!frame.document())
+        return false;
+    auto fragment = createFragmentAndAddResources(frame, adoptNS([[NSAttributedString alloc] initWithRTF:buffer.createNSData().get() documentAttributes:nullptr]).get());
+    if (!fragment)
+        return false;
+    markup = createMarkup(*fragment);
     return true;
 }

trunk/Source/WebCore/editing/markup.cpp

@@ -35 +35 @@
 #include "CSSValue.h"
 #include "CSSValueKeywords.h"
+#include "CacheStorageProvider.h"
 #include "ChildListMutationScope.h"
 #include "DocumentFragment.h"
@@ -41 +42 @@
 #include "Editing.h"
 #include "Editor.h"
+#include "EditorClient.h"
 #include "ElementIterator.h"
+#include "EmptyClients.h"
 #include "File.h"
 #include "Frame.h"
@@ -56 +59 @@
 #include "HTMLTextAreaElement.h"
 #include "HTMLTextFormControlElement.h"
-#include "URL.h"
+#include "LibWebRTCProvider.h"
+#include "MainFrame.h"
 #include "MarkupAccumulator.h"
 #include "NodeList.h"
+#include "Page.h"
+#include "PageConfiguration.h"
 #include "Range.h"
 #include "RenderBlock.h"
 #include "Settings.h"
+#include "SocketProvider.h"
 #include "StyleProperties.h"
 #include "TextIterator.h"
 #include "TypedElementDescendantIterator.h"
+#include "URL.h"
 #include "VisibleSelection.h"
 #include "VisibleUnits.h"
@@ -136 +144 @@
         change.apply();
 }
+
+std::unique_ptr<Page> createPageForSanitizingWebContent()
+{
+    PageConfiguration pageConfiguration(createEmptyEditorClient(), SocketProvider::create(), LibWebRTCProvider::create(), CacheStorageProvider::create());
+
+    fillWithEmptyClients(pageConfiguration);
+    
+    auto page = std::make_unique<Page>(WTFMove(pageConfiguration));
+    page->settings().setMediaEnabled(false);
+    page->settings().setScriptEnabled(false);
+    page->settings().setPluginsEnabled(false);
+    page->settings().setAcceleratedCompositingEnabled(false);
+
+    Frame& frame = page->mainFrame();
+    frame.setView(FrameView::create(frame));
+    frame.init();
+
+    FrameLoader& loader = frame.loader();
+    static char markup[] = "<!DOCTYPE html><html><body></body></html>";
+    ASSERT(loader.activeDocumentLoader());
+    loader.activeDocumentLoader()->writer().setMIMEType("text/html");
+    loader.activeDocumentLoader()->writer().begin();
+    loader.activeDocumentLoader()->writer().addData(markup, sizeof(markup));
+    loader.activeDocumentLoader()->writer().end();
+
+    return page;
+}
+
+
+String sanitizeMarkup(const String& rawHTML)
+{
+    auto page = createPageForSanitizingWebContent();
+    Document* stagingDocument = page->mainFrame().document();
+    ASSERT(stagingDocument);
+    auto* bodyElement = stagingDocument->body();
+    ASSERT(bodyElement);
+
+    auto fragment = createFragmentFromMarkup(*stagingDocument, rawHTML, emptyString(), DisallowScriptingAndPluginContent);
+    bodyElement->appendChild(fragment.get());
+
+    auto range = Range::create(*stagingDocument);
+    range->selectNodeContents(*bodyElement);
+    return createMarkup(range.get(), nullptr, AnnotateForInterchange, false, ResolveNonLocalURLs);
+}
+
     
 class StyledMarkupAccumulator final : public MarkupAccumulator {

trunk/Source/WebCore/editing/markup.h

@@ -43 +43 @@
 class URL;
 class Node;
+class Page;
 class QualifiedName;
 class Range;
 
 void replaceSubresourceURLs(Ref<DocumentFragment>&&, HashMap<AtomicString, AtomicString>&&);
+std::unique_ptr<Page> createPageForSanitizingWebContent();
+String sanitizeMarkup(const String&);
 
 enum EChildrenOnly { IncludeNode, ChildrenOnly };

trunk/Source/WebCore/platform/Pasteboard.h

@@ -128 +128 @@
 class PasteboardWebContentReader {
 public:
+    String contentOrigin;
+
     virtual ~PasteboardWebContentReader() { }
 
-#if !(PLATFORM(GTK) || PLATFORM(WIN))
+#if PLATFORM(COCOA)
     virtual bool readWebArchive(SharedBuffer&) = 0;
     virtual bool readFilenames(const Vector<String>&) = 0;
@@ -271 +273 @@
     bool respectsUTIFidelities() const;
     void readRespectingUTIFidelities(PasteboardWebContentReader&);
+
+    enum class ReaderResult {
+        ReadType,
+        DidNotReadType,
+        PasteboardWasChangedExternally
+    };
+    ReaderResult readPasteboardWebContentDataForType(PasteboardWebContentReader&, PasteboardStrategy&, NSString *type, int itemIndex);
 #endif
 

trunk/Source/WebCore/platform/ios/PasteboardIOS.mm

@@ -163 +163 @@
 }
 
-static bool readPasteboardWebContentDataForType(PasteboardWebContentReader& reader, PasteboardStrategy& strategy, NSString *type, int itemIndex, const String& pasteboardName)
+Pasteboard::ReaderResult Pasteboard::readPasteboardWebContentDataForType(PasteboardWebContentReader& reader, PasteboardStrategy& strategy, NSString *type, int itemIndex)
 {
     if ([type isEqualToString:WebArchivePboardType]) {
-        auto buffer = strategy.readBufferFromPasteboard(itemIndex, WebArchivePboardType, pasteboardName);
-        return buffer && reader.readWebArchive(*buffer);
+        auto buffer = strategy.readBufferFromPasteboard(itemIndex, WebArchivePboardType, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return buffer && reader.readWebArchive(*buffer) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if ([type isEqualToString:(NSString *)kUTTypeHTML]) {
-        String htmlString = strategy.readStringFromPasteboard(itemIndex, kUTTypeHTML, pasteboardName);
-        return !htmlString.isNull() && reader.readHTML(htmlString);
+        String htmlString = strategy.readStringFromPasteboard(itemIndex, kUTTypeHTML, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return !htmlString.isNull() && reader.readHTML(htmlString) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if ([type isEqualToString:(NSString *)kUTTypeFlatRTFD]) {
-        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, kUTTypeFlatRTFD, pasteboardName);
-        return buffer && reader.readRTFD(*buffer);
+        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, kUTTypeFlatRTFD, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return buffer && reader.readRTFD(*buffer) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if ([type isEqualToString:(NSString *)kUTTypeRTF]) {
-        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, kUTTypeRTF, pasteboardName);
-        return buffer && reader.readRTF(*buffer);
+        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, kUTTypeRTF, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return buffer && reader.readRTF(*buffer) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if ([supportedImageTypes() containsObject:type]) {
-        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, type, pasteboardName);
-        return buffer && reader.readImage(buffer.releaseNonNull(), type);
+        RefPtr<SharedBuffer> buffer = strategy.readBufferFromPasteboard(itemIndex, type, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return buffer && reader.readImage(buffer.releaseNonNull(), type) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if ([type isEqualToString:(NSString *)kUTTypeURL]) {
         String title;
-        URL url = strategy.readURLFromPasteboard(itemIndex, kUTTypeURL, pasteboardName, title);
-        return !url.isNull() && reader.readURL(url, title);
+        URL url = strategy.readURLFromPasteboard(itemIndex, kUTTypeURL, m_pasteboardName, title);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return !url.isNull() && reader.readURL(url, title) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if (UTTypeConformsTo((CFStringRef)type, kUTTypePlainText)) {
-        String string = strategy.readStringFromPasteboard(itemIndex, kUTTypePlainText, pasteboardName);
-        return !string.isNull() && reader.readPlainText(string);
+        String string = strategy.readStringFromPasteboard(itemIndex, kUTTypePlainText, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return !string.isNull() && reader.readPlainText(string) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
     }
 
     if (UTTypeConformsTo((CFStringRef)type, kUTTypeText)) {
-        String string = strategy.readStringFromPasteboard(itemIndex, kUTTypeText, pasteboardName);
-        return !string.isNull() && reader.readPlainText(string);
-    }
-
-    return false;
+        String string = strategy.readStringFromPasteboard(itemIndex, kUTTypeText, m_pasteboardName);
+        if (m_changeCount != changeCount())
+            return ReaderResult::PasteboardWasChangedExternally;
+        return !string.isNull() && reader.readPlainText(string) ? ReaderResult::ReadType : ReaderResult::DidNotReadType;
+    }
+
+    return ReaderResult::DidNotReadType;
 }
 
@@ -223 +239 @@
         return;
 
+    reader.contentOrigin = readOrigin();
+
     NSArray *types = supportedWebContentPasteboardTypes();
     int numberOfTypes = [types count];
@@ -228 +246 @@
     for (int i = 0; i < numberOfItems; i++) {
         for (int typeIndex = 0; typeIndex < numberOfTypes; typeIndex++) {
-            if (readPasteboardWebContentDataForType(reader, strategy, [types objectAtIndex:typeIndex], i, m_pasteboardName))
+            auto result = readPasteboardWebContentDataForType(reader, strategy, [types objectAtIndex:typeIndex], i);
+            if (result == ReaderResult::PasteboardWasChangedExternally)
+                return;
+            if (result == ReaderResult::ReadType)
                 break;
         }
@@ -252 +273 @@
         strategy.getTypesByFidelityForItemAtIndex(typesForItemInOrderOfFidelity, index, m_pasteboardName);
         for (auto& type : typesForItemInOrderOfFidelity) {
-            if (readPasteboardWebContentDataForType(reader, strategy, type, index, m_pasteboardName))
+            auto result = readPasteboardWebContentDataForType(reader, strategy, type, index);
+            if (result == ReaderResult::PasteboardWasChangedExternally)
+                return;
+            if (result == ReaderResult::ReadType)
                 break;
         }

trunk/Source/WebCore/platform/ios/PlatformPasteboardIOS.mm

@@ -356 +356 @@
         return ASCIILiteral("text/plain");
 
-    if (UTTypeConformsTo(cfType.get(), kUTTypeHTML))
+    if (UTTypeConformsTo(cfType.get(), kUTTypeHTML) || UTTypeConformsTo(cfType.get(), (CFStringRef)WebArchivePboardType)
+        || UTTypeConformsTo(cfType.get(), kUTTypeRTF) || UTTypeConformsTo(cfType.get(), kUTTypeFlatRTFD))
         return ASCIILiteral("text/html");
 

trunk/Source/WebCore/platform/mac/PasteboardMac.mm

@@ -333 +333 @@
     strategy.getTypes(types, m_pasteboardName);
 
+    reader.contentOrigin = readOrigin();
+
     if (types.contains(WebArchivePboardType)) {
         if (auto buffer = strategy.bufferForType(WebArchivePboardType, m_pasteboardName)) {
-            if (reader.readWebArchive(*buffer))
+            if (m_changeCount != changeCount() || reader.readWebArchive(*buffer))
                 return;
         }
@@ -343 +345 @@
         Vector<String> paths;
         strategy.getPathnamesForType(paths, NSFilenamesPboardType, m_pasteboardName);
-        if (reader.readFilenames(paths))
+        if (m_changeCount != changeCount() || reader.readFilenames(paths))
             return;
     }
@@ -349 +351 @@
     if (types.contains(String(NSHTMLPboardType))) {
         String string = strategy.stringForType(NSHTMLPboardType, m_pasteboardName);
-        if (!string.isNull() && reader.readHTML(string))
+        if (m_changeCount != changeCount() || (!string.isNull() && reader.readHTML(string)))
             return;
     }
@@ -355 +357 @@
     if (types.contains(String(NSRTFDPboardType))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(NSRTFDPboardType, m_pasteboardName)) {
-            if (reader.readRTFD(*buffer))
+            if (m_changeCount != changeCount() || reader.readRTFD(*buffer))
                 return;
         }
@@ -362 +364 @@
     if (types.contains(String(NSRTFPboardType))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(NSRTFPboardType, m_pasteboardName)) {
-            if (reader.readRTF(*buffer))
+            if (m_changeCount != changeCount() || reader.readRTF(*buffer))
                 return;
         }
@@ -369 +371 @@
     if (types.contains(String(NSTIFFPboardType))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(NSTIFFPboardType, m_pasteboardName)) {
-            if (reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/tiff")))
+            if (m_changeCount != changeCount() || reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/tiff")))
                 return;
         }
@@ -376 +378 @@
     if (types.contains(String(NSPDFPboardType))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(NSPDFPboardType, m_pasteboardName)) {
-            if (reader.readImage(buffer.releaseNonNull(), ASCIILiteral("application/pdf")))
+            if (m_changeCount != changeCount() || reader.readImage(buffer.releaseNonNull(), ASCIILiteral("application/pdf")))
                 return;
         }
@@ -383 +385 @@
     if (types.contains(String(kUTTypePNG))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(kUTTypePNG, m_pasteboardName)) {
-            if (reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/png")))
+            if (m_changeCount != changeCount() || reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/png")))
                 return;
         }
@@ -390 +392 @@
     if (types.contains(String(kUTTypeJPEG))) {
         if (RefPtr<SharedBuffer> buffer = strategy.bufferForType(kUTTypeJPEG, m_pasteboardName)) {
-            if (reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/jpeg")))
+            if (m_changeCount != changeCount() || reader.readImage(buffer.releaseNonNull(), ASCIILiteral("image/jpeg")))
                 return;
         }
@@ -398 +400 @@
         URL url = strategy.url(m_pasteboardName);
         String title = strategy.stringForType(WebURLNamePboardType, m_pasteboardName);
-        if (!url.isNull() && reader.readURL(url, title))
+        if (m_changeCount != changeCount() || (!url.isNull() && reader.readURL(url, title)))
             return;
     }
@@ -404 +406 @@
     if (types.contains(String(NSStringPboardType))) {
         String string = strategy.stringForType(NSStringPboardType, m_pasteboardName);
-        if (!string.isNull() && reader.readPlainText(string))
+        if (m_changeCount != changeCount() || (!string.isNull() && reader.readPlainText(string)))
             return;
     }
@@ -410 +412 @@
     if (types.contains(String(kUTTypeUTF8PlainText))) {
         String string = strategy.stringForType(kUTTypeUTF8PlainText, m_pasteboardName);
-        if (!string.isNull() && reader.readPlainText(string))
+        if (m_changeCount != changeCount() || (!string.isNull() && reader.readPlainText(string)))
             return;
     }

trunk/Source/WebCore/platform/mac/PlatformPasteboardMac.mm

@@ -108 +108 @@
         return ASCIILiteral("text/uri-list");
 
-    if (platformType == String(NSHTMLPboardType))
+    if (platformType == String(NSHTMLPboardType) || platformType == String(WebArchivePboardType)
+        || platformType == String(NSRTFDPboardType) || platformType == String(NSRTFPboardType))
         return ASCIILiteral("text/html");
 

trunk/Tools/ChangeLog

@@ +1 @@
+2017-10-15  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Cannot access images included in the content pasted from Microsoft Word
+        https://bugs.webkit.org/show_bug.cgi?id=124391
+        <rdar://problem/26862741>
+
+        Reviewed by Antti Koivisto.
+
+        Added tests for sanitizing HTML contents for copy & paste and drag & drop.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/CopyHTML.mm: Added.
+        (readHTMLFromPasteboard): Added.
+        (createWebViewWithCustomPasteboardDataEnabled): Added.
+        (CopyHTML.Sanitizes): Added.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm:
+        (createWebViewWithCustomPasteboardDataEnabled): Added to enable more tests on bots.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/PasteRTFD.mm:
+        (writeRTFToPasteboard): Added.
+        (createWebViewWithCustomPasteboardDataEnabled): Added.
+        (createHelloWorldString): Added.
+        (PasteRTF.ExposesHTMLTypeInDataTransfer): Added.
+        (PasteRTFD.ExposesHTMLTypeInDataTransfer): Added.
+        (PasteRTFD.ImageElementUsesBlobURLInHTML): Added.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/copy-html.html: Added.
+        * TestWebKitAPI/Tests/WebKitCocoa/paste-rtfd.html: Store the clipboardData contents for
+        PasteRTF.ExposesHTMLTypeInDataTransfer and PasteRTFD.ExposesHTMLTypeInDataTransfer.
+
+        * TestWebKitAPI/Tests/ios/DataInteractionTests.mm:
+        (DataInteractionTests.DataTransferSanitizeHTML):
+
 2017-10-16  Youenn Fablet  <youenn@apple.com>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -543 +543 @@
                 9B0786A51C5885C300D159E3 /* InjectedBundleMakeAllShadowRootsOpen_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9B0786A41C5885C300D159E3 /* InjectedBundleMakeAllShadowRootsOpen_Bundle.cpp */; };
                 9B19CDA01F06DFE3000548DD /* NetworkProcessCrashWithPendingConnection.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9B19CD9E1F06DFE3000548DD /* NetworkProcessCrashWithPendingConnection.mm */; };
+                9B1F6F781F90558400B55744 /* CopyHTML.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9B1056411F9045C700D5583F /* CopyHTML.mm */; };
+                9B1F6F791F90559E00B55744 /* copy-html.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B1056421F9047CC00D5583F /* copy-html.html */; };
+                9B2346421F943E2700DB1D23 /* PasteWebArchive.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9B2346411F943A2400DB1D23 /* PasteWebArchive.mm */; };
                 9B26FCCA159D16DE00CC3765 /* HTMLFormCollectionNamedItem.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B26FCB4159D15E700CC3765 /* HTMLFormCollectionNamedItem.html */; };
                 9B270FEE1DDC2C0B002D53F3 /* closed-shadow-tree-test.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B270FED1DDC25FD002D53F3 /* closed-shadow-tree-test.html */; };
@@ -844 +847 @@
                                 CD0BD0A81F79982D001AB2CF /* ContextMenuImgWithVideo.html in Copy Resources */,
                                 5C2936961D5C00ED00DEAB1E /* CookieMessage.html in Copy Resources */,
+                                9B1F6F791F90559E00B55744 /* copy-html.html in Copy Resources */,
                                 9B62630C1F8C25C8007EE29B /* copy-url.html in Copy Resources */,
                                 7AEAD4811E20122700416EFE /* CrossPartitionFileSchemeAccess.html in Copy Resources */,
@@ -1508 +1512 @@
                 9B0786A21C58830F00D159E3 /* InjectedBundleMakeAllShadowRootsOpen.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InjectedBundleMakeAllShadowRootsOpen.cpp; sourceTree = "<group>"; };
                 9B0786A41C5885C300D159E3 /* InjectedBundleMakeAllShadowRootsOpen_Bundle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InjectedBundleMakeAllShadowRootsOpen_Bundle.cpp; sourceTree = "<group>"; };
+                9B1056411F9045C700D5583F /* CopyHTML.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = CopyHTML.mm; sourceTree = "<group>"; };
+                9B1056421F9047CC00D5583F /* copy-html.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "copy-html.html"; sourceTree = "<group>"; };
                 9B19CD9E1F06DFE3000548DD /* NetworkProcessCrashWithPendingConnection.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = NetworkProcessCrashWithPendingConnection.mm; path = WebKit/NetworkProcessCrashWithPendingConnection.mm; sourceTree = "<group>"; };
+                9B2346411F943A2400DB1D23 /* PasteWebArchive.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = PasteWebArchive.mm; sourceTree = "<group>"; };
                 9B26FC6B159D061000CC3765 /* HTMLFormCollectionNamedItem.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = HTMLFormCollectionNamedItem.mm; sourceTree = "<group>"; };
                 9B26FCB4159D15E700CC3765 /* HTMLFormCollectionNamedItem.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = HTMLFormCollectionNamedItem.html; sourceTree = "<group>"; };
@@ -1987 +1994 @@
                                 5CA1DED81F74A87100E71BD3 /* ContentRuleListNotification.mm */,
                                 5C2936911D5BF63E00DEAB1E /* CookieAcceptPolicy.mm */,
+                                9B1056411F9045C700D5583F /* CopyHTML.mm */,
                                 9999108A1F393C8B008AD455 /* Copying.mm */,
                                 9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */,
@@ -2027 +2035 @@
                                 9BDCCD851F7D0B0700009A18 /* PasteImage.mm */,
                                 9BDD95561F83683600D20C60 /* PasteRTFD.mm */,
+                                9B2346411F943A2400DB1D23 /* PasteWebArchive.mm */,
                                 3FCC4FE41EC4E8520076E37C /* PictureInPictureDelegate.mm */,
                                 83BAEE8C1EF4625500DDE894 /* PluginLoadClientPolicies.mm */,
@@ -2237 +2246 @@
                                 A16F66B91C40EA2000BD4D24 /* ContentFiltering.html */,
                                 5C2936941D5BFD1900DEAB1E /* CookieMessage.html */,
+                                9B1056421F9047CC00D5583F /* copy-html.html */,
                                 9B62630B1F8C2510007EE29B /* copy-url.html */,
                                 F4AB57891F65164B00DB0DA1 /* custom-draggable-div.html */,
@@ -3230 +3240 @@
                                 5C2936931D5BF70D00DEAB1E /* CookieAcceptPolicy.mm in Sources */,
                                 51D1249B1E785425002B2820 /* CookieManager.cpp in Sources */,
+                                9B1F6F781F90558400B55744 /* CopyHTML.mm in Sources */,
                                 9999108B1F393C96008AD455 /* Copying.mm in Sources */,
                                 9B7A37C41F8AEBA5004AA228 /* CopyURL.mm in Sources */,
@@ -3390 +3401 @@
                                 9BDCCD871F7D0B0700009A18 /* PasteImage.mm in Sources */,
                                 9BDD95581F83683600D20C60 /* PasteRTFD.mm in Sources */,
+                                9B2346421F943E2700DB1D23 /* PasteWebArchive.mm in Sources */,
                                 7C83E0531D0A643A00FEBCF3 /* PendingAPIRequestURL.cpp in Sources */,
                                 3FCC4FE51EC4E8520076E37C /* PictureInPictureDelegate.mm in Sources */,

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm

@@ -58 +58 @@
 #endif
 
+static RetainPtr<TestWKWebView> createWebViewWithCustomPasteboardDataEnabled()
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto preferences = (WKPreferencesRef)[[webView configuration] preferences];
+    WKPreferencesSetDataTransferItemsEnabled(preferences, true);
+    WKPreferencesSetCustomPasteboardDataEnabled(preferences, true);
+    return webView;
+}
+
 TEST(CopyURL, ValidURL)
 {
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
     [webView synchronouslyLoadTestPageNamed:@"copy-url"];
     [webView stringByEvaluatingJavaScript:@"URLToCopy = 'http://webkit.org/b/123';"];
@@ -71 +80 @@
 }
 
-// FIXME: We should add a mechanism to enable custom pasteboard data in older OS for testing purposes.
-#if (PLATFORM(IOS) && __IPHONE_OS_VERSION_MAX_ALLOWED >= 110300) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MAX_ALLOWED > 101300)
-
 TEST(CopyURL, UnescapedURL)
 {
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
     [webView synchronouslyLoadTestPageNamed:@"copy-url"];
     [webView stringByEvaluatingJavaScript:@"URLToCopy = 'http://webkit.org/b/\u4F60\u597D;?x=8 + 6';"];
@@ -89 +95 @@
 TEST(CopyURL, MalformedURL)
 {
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
     [webView synchronouslyLoadTestPageNamed:@"copy-url"];
     [webView stringByEvaluatingJavaScript:@"URLToCopy = 'bad url';"];
@@ -100 +106 @@
 }
 
-#endif
-
 #endif // WK_API_ENABLED && PLATFORM(MAC)
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/PasteRTFD.mm

@@ -30 +30 @@
 #import "PlatformUtilities.h"
 #import "TestWKWebView.h"
+#import <WebKit/WKPreferencesPrivate.h>
+#import <WebKit/WKPreferencesRefPrivate.h>
+#import <WebKit/WKWebViewConfigurationPrivate.h>
 #import <wtf/RetainPtr.h>
 #import <wtf/text/WTFString.h>
@@ -42 +45 @@
 
 #if PLATFORM(MAC)
+void writeRTFToPasteboard(NSData *data)
+{
+    [[NSPasteboard generalPasteboard] declareTypes:@[NSPasteboardTypeRTF] owner:nil];
+    [[NSPasteboard generalPasteboard] setData:data forType:NSPasteboardTypeRTF];
+}
+
 void writeRTFDToPasteboard(NSData *data)
 {
@@ -57 +66 @@
 @end
 
+void writeRTFToPasteboard(NSData *data)
+{
+    [[UIPasteboard generalPasteboard] setItems:@[@{ (NSString *)kUTTypeRTF : data}]];
+}
+
 void writeRTFDToPasteboard(NSData *data)
 {
@@ -63 +77 @@
 #endif
 
+static RetainPtr<TestWKWebView> createWebViewWithCustomPasteboardDataEnabled()
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto preferences = (WKPreferencesRef)[[webView configuration] preferences];
+    WKPreferencesSetDataTransferItemsEnabled(preferences, true);
+    WKPreferencesSetCustomPasteboardDataEnabled(preferences, true);
+    return webView;
+}
+
+static RetainPtr<NSAttributedString> createHelloWorldString()
+{
+    auto hello = adoptNS([[NSAttributedString alloc] initWithString:@"hello" attributes:@{ NSUnderlineStyleAttributeName : @(NSUnderlineStyleSingle) }]);
+    auto world = adoptNS([[NSAttributedString alloc] initWithString:@", world" attributes:@{ }]);
+    auto string = adoptNS([[NSMutableAttributedString alloc] init]);
+    [string appendAttributedString:hello.get()];
+    [string appendAttributedString:world.get()];
+    return string;
+}
+
+TEST(PasteRTF, ExposesHTMLTypeInDataTransfer)
+{
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
+    [webView synchronouslyLoadTestPageNamed:@"paste-rtfd"];
+
+    auto string = createHelloWorldString();
+    writeRTFToPasteboard([string RTFFromRange:NSMakeRange(0, [string length]) documentAttributes:@{ }]);
+    [webView paste:nil];
+
+    EXPECT_TRUE([webView stringByEvaluatingJavaScript:@"clipboardData.types.includes('text/html')"]);
+    [webView stringByEvaluatingJavaScript:@"editor.innerHTML = clipboardData.values[0]; editor.focus()"];
+    EXPECT_TRUE([webView stringByEvaluatingJavaScript:@"document.queryCommandState('underline')"].boolValue);
+    [webView stringByEvaluatingJavaScript:@"getSelection().modify('move', 'forward', 'lineboundary')"];
+    EXPECT_FALSE([webView stringByEvaluatingJavaScript:@"document.queryCommandState('underline')"].boolValue);
+    EXPECT_WK_STREQ("hello, world", [webView stringByEvaluatingJavaScript:@"editor.textContent"]);
+}
+
 TEST(PasteRTFD, EmptyRTFD)
 {
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
     [webView synchronouslyLoadHTMLString:@"<!DOCTYPE html><html><body><div id='editor' contenteditable></div></body></html>"];
 
@@ -73 +123 @@
 }
 
-TEST(PasteRTFD, ImageElementsUseBlobURL)
+TEST(PasteRTFD, ExposesHTMLTypeInDataTransfer)
 {
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
+    [webView synchronouslyLoadTestPageNamed:@"paste-rtfd"];
+
+    auto string = createHelloWorldString();
+    writeRTFDToPasteboard([string RTFDFromRange:NSMakeRange(0, [string length]) documentAttributes:@{ }]);
+    [webView paste:nil];
+
+    EXPECT_TRUE([webView stringByEvaluatingJavaScript:@"clipboardData.types.includes('text/html')"]);
+    [webView stringByEvaluatingJavaScript:@"editor.innerHTML = clipboardData.values[0]; editor.focus()"];
+    EXPECT_TRUE([webView stringByEvaluatingJavaScript:@"document.queryCommandState('underline')"].boolValue);
+    [webView stringByEvaluatingJavaScript:@"getSelection().modify('move', 'forward', 'lineboundary')"];
+    EXPECT_FALSE([webView stringByEvaluatingJavaScript:@"document.queryCommandState('underline')"].boolValue);
+    EXPECT_WK_STREQ("hello, world", [webView stringByEvaluatingJavaScript:@"editor.textContent"]);
+}
+
+TEST(PasteRTFD, ImageElementUsesBlobURL)
+{
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
     [webView synchronouslyLoadTestPageNamed:@"paste-rtfd"];
 
@@ -91 +158 @@
 }
 
+TEST(PasteRTFD, ImageElementUsesBlobURLInHTML)
+{
+    auto webView = createWebViewWithCustomPasteboardDataEnabled();
+    [webView synchronouslyLoadTestPageNamed:@"paste-rtfd"];
+
+    auto *pngData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"sunset-in-cupertino-200px" ofType:@"png" inDirectory:@"TestWebKitAPI.resources"]];
+    auto attachment = adoptNS([[NSTextAttachment alloc] initWithData:pngData ofType:(NSString *)kUTTypePNG]);
+    NSAttributedString *string = [NSAttributedString attributedStringWithAttachment:attachment.get()];
+    NSData *RTFDData = [string RTFDFromRange:NSMakeRange(0, [string length]) documentAttributes:@{ }];
+
+    writeRTFDToPasteboard(RTFDData);
+    [webView paste:nil];
+
+    [webView waitForMessage:@"loaded"];
+    EXPECT_WK_STREQ("[\"text/html\"]", [webView stringByEvaluatingJavaScript:@"JSON.stringify(clipboardData.types)"]);
+    EXPECT_TRUE([webView stringByEvaluatingJavaScript:@"imageElement = (new DOMParser).parseFromString(clipboardData.values[0], 'text/html').querySelector('img'); !!imageElement"].boolValue);
+    EXPECT_WK_STREQ("blob:", [webView stringByEvaluatingJavaScript:@"new URL(imageElement.src).protocol"]);
+}
+
 #endif // WK_API_ENABLED && PLATFORM(MAC)
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/paste-rtfd.html

@@ -7 +7 @@
 editor.focus();
 
+var clipboardData = {};
 editor.addEventListener('paste', (event) => {
+    clipboardData.types = Array.from(event.clipboardData.types);
+    clipboardData.items = Array.from(event.clipboardData.items).map((item) => ({kind: item.kind, type: item.type}));
+    clipboardData.values = clipboardData.types.map((type) => event.clipboardData.getData(type));
+    clipboardData.files = Array.from(event.clipboardData.files);
+
     setTimeout(() => {
        let img = document.querySelector('img');

trunk/Tools/TestWebKitAPI/Tests/ios/DataInteractionTests.mm

@@ -1765 +1765 @@
 }
 
+TEST(DataInteractionTests, DataTransferSanitizeHTML)
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 320, 500)]);
+    [webView synchronouslyLoadTestPageNamed:@"dump-datatransfer-types"];
+    auto simulator = adoptNS([[DataInteractionSimulator alloc] initWithWebView:webView.get()]);
+
+    [webView stringByEvaluatingJavaScript:@"select(rich)"];
+    [webView stringByEvaluatingJavaScript:@"customData = { 'text/html' : '<meta content=\"secret\">"
+        "<b onmouseover=\"dangerousCode()\">hello</b><!-- secret-->, world<script>dangerousCode()</script>' }"];
+    [webView stringByEvaluatingJavaScript:@"writeCustomData = true"];
+
+    __block bool done = false;
+    [simulator.get() setOverridePerformDropBlock:^NSArray<UIDragItem *> *(id <UIDropSession> session)
+    {
+        EXPECT_EQ(1UL, session.items.count);
+        auto *item = session.items[0].itemProvider;
+        EXPECT_TRUE([item.registeredTypeIdentifiers containsObject:(NSString *)kUTTypeHTML]);
+        [item loadDataRepresentationForTypeIdentifier:(NSString *)kUTTypeHTML completionHandler:^(NSData *data, NSError *error) {
+            NSString *markup = [[[NSString alloc] initWithData:(NSData *)data encoding:NSUTF8StringEncoding] autorelease];
+            EXPECT_TRUE([markup containsString:@"hello"]);
+            EXPECT_TRUE([markup containsString:@", world"]);
+            EXPECT_FALSE([markup containsString:@"secret"]);
+            EXPECT_FALSE([markup containsString:@"dangerousCode"]);
+            done = true;
+        }];
+        return session.items;
+    }];
+    [simulator runFrom:CGPointMake(50, 225) to:CGPointMake(50, 375)];
+
+    checkJSONWithLogging([webView stringByEvaluatingJavaScript:@"output.value"], @{
+        @"dragover": @{
+            @"text/html": @"",
+        },
+        @"drop": @{
+            @"text/html": @"<meta content=\"secret\"><b onmouseover=\"dangerousCode()\">hello</b><!-- secret-->, world<script>dangerousCode()</script>",
+        }
+    });
+    TestWebKitAPI::Util::run(&done);
+}
+
 #endif // __IPHONE_OS_VERSION_MIN_REQUIRED >= 110300