Changeset 227351 in webkit
- Timestamp:
- Jan 22, 2018 1:13:37 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 6 edited
trunk/Source/WebCore/ChangeLog
r227350 r227351 1 2018-01-22 Ryosuke Niwa <rniwa@webkit.org> 2 3 Blob conversion and sanitization doesn't work with Microsoft Word for Mac 2011 4 https://bugs.webkit.org/show_bug.cgi?id=181616 5 <rdar://problem/36484908> 6 7 Reviewed by Wenson Hsieh. 8 9 The bug was caused by WebContentReader::readHTML and WebContentMarkupReader::readHTML not sanitizing plain HTML string 10 as done for web archives even when custom pasteboard data is enabled. Fixed the bug by doing the sanitization. 11 12 Unfortunately, we can't make file URLs available in this case because WebContent process doesn't have sandbox extensions 13 to access local files referenced by the HTML source in the clipboard, and we can't make WebContent process request for 14 a sandbox extension¸on an arbitrary local file, as it would defeat the whole point of sandboxing. 15 16 Instead, we strip away all HTML attributes referencing a URL whose scheme is not HTTP, HTTPS, or data when sanitizing 17 text/html from the clipboard to avoid exposing local file paths, which can reveal privacy & security sensitive data 18 such as the user's full name, and the location of private containers of other applications in the system. 19 20 Tests: PasteHTML.DoesNotSanitizeHTMLWhenCustomPasteboardDataIsDisabled 21 PasteHTML.DoesNotStripFileURLsWhenCustomPasteboardDataIsDisabled 22 PasteHTML.ExposesHTMLTypeInDataTransfer 23 PasteHTML.KeepsHTTPURLs 24 PasteHTML.SanitizesHTML 25 PasteHTML.StripsFileURLs 26 27 * editing/cocoa/WebContentReaderCocoa.mm: 28 (WebCore::WebContentReader::readHTML): Fixed the bug by sanitizing the markup, and stripping away file URLs. 29 (WebCore::WebContentMarkupReader::readHTML): Ditto. 30 * editing/markup.cpp: 31 (WebCore::removeSubresourceURLAttributes): Added. 32 (WebCore::sanitizeMarkup): Added. 33 * editing/markup.h: 34 1 35 2018-01-22 Chris Dumez <cdumez@apple.com> 2 36 -
trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm
r227282 r227351 528 528 return false; 529 529 530 addFragment(createFragmentFromMarkup(document, stringOmittingMicrosoftPrefix, emptyString(), DisallowScriptingAndPluginContent)); 530 String markup; 531 if (RuntimeEnabledFeatures::sharedFeatures().customPasteboardDataEnabled() && shouldSanitize()) { 532 markup = sanitizeMarkup(stringOmittingMicrosoftPrefix, WTF::Function<void (DocumentFragment&)> { [] (DocumentFragment& fragment) { 533 removeSubresourceURLAttributes(fragment, [] (const URL& url) { 534 return shouldReplaceSubresourceURL(url); 535 }); 536 } }); 537 } else 538 markup = stringOmittingMicrosoftPrefix; 539 540 addFragment(createFragmentFromMarkup(document, markup, emptyString(), DisallowScriptingAndPluginContent)); 531 541 return true; 532 542 } … … 538 548 539 549 String rawHTML = stripMicrosoftPrefix(string); 540 if (shouldSanitize()) 541 markup = sanitizeMarkup(rawHTML); 542 else 550 if (shouldSanitize()) { 551 markup = sanitizeMarkup(rawHTML, WTF::Function<void (DocumentFragment&)> { [] (DocumentFragment& fragment) { 552 removeSubresourceURLAttributes(fragment, [] (const URL& url) { 553 return shouldReplaceSubresourceURL(url); 554 }); 555 } }); 556 } else 543 557 markup = rawHTML; 544 558 -
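Review bot: The two readHTML paths gate sanitization differently and the reason is not written down. The first hunk (WebContentReader::readHTML) sanitizes only when `customPasteboardDataEnabled() && shouldSanitize()`, and its `else` branch hands the raw clipboard HTML to createFragmentFromMarkup unchanged, while the second hunk (WebContentMarkupReader::readHTML) checks `shouldSanitize()` alone. A comment above the first condition, such as `// Sanitization is intentionally skipped when custom pasteboard data is disabled.`, would keep a later edit from widening the unsanitized path by accident; I am inferring that intent from the test names in the ChangeLog. The nested lambda passed to sanitizeMarkup is also repeated verbatim in both hunks, so a single file-local helper (suggested name `sanitizeMarkupStrippingLocalURLs`) would stop the two call sites from drifting apart. Both function bodies start outside the visible hunks.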
trunk/Source/WebCore/editing/markup.cpp
r226539 r227351 73 73 #include "TypedElementDescendantIterator.h" 74 74 #include "URL.h" 75 #include "URLParser.h" 75 76 #include "VisibleSelection.h" 76 77 #include "VisibleUnits.h" … … 145 146 } 146 147 148 struct ElementAttribute { 149 Ref<Element> element; 150 QualifiedName attributeName; 151 }; 152 153 void removeSubresourceURLAttributes(Ref<DocumentFragment>&& fragment, WTF::Function<bool(const URL&)> shouldRemoveURL) 154 { 155 Vector<ElementAttribute> attributesToRemove; 156 for (auto& element : descendantsOfType<Element>(fragment)) { 157 if (!element.hasAttributes()) 158 continue; 159 for (const Attribute& attribute : element.attributesIterator()) { 160 // FIXME: This won't work for srcset. 161 if (element.attributeContainsURL(attribute) && !attribute.value().isEmpty()) { 162 URL url = URLParser { attribute.value() }.result(); 163 if (shouldRemoveURL(url)) 164 attributesToRemove.append({ element, attribute.name() }); 165 } 166 } 167 } 168 for (auto& item : attributesToRemove) 169 item.element->removeAttribute(item.attributeName); 170 } 171 147 172 std::unique_ptr<Page> createPageForSanitizingWebContent() 148 173 { … … 173 198 174 199 175 String sanitizeMarkup(const String& rawHTML )200 String sanitizeMarkup(const String& rawHTML, std::optional<WTF::Function<void(DocumentFragment&)>> fragmentSanitizer) 176 201 { 177 202 auto page = createPageForSanitizingWebContent(); … … 182 207 183 208 auto fragment = createFragmentFromMarkup(*stagingDocument, rawHTML, emptyString(), DisallowScriptingAndPluginContent); 209 210 if (fragmentSanitizer) 211 (*fragmentSanitizer)(fragment); 212 184 213 bodyElement->appendChild(fragment.get()); 185 214 -
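Review bot: removeSubresourceURLAttributes leaves `srcset` untouched, as its own `// FIXME: This won't work for srcset.` says. A pasted image whose `srcset` candidates reference local files therefore keeps those paths after sanitization, which is the exposure the ChangeLog says this change is meant to close. Until the candidates are parsed individually, the conservative choice is to drop the attribute whenever it is present on a sanitized fragment; the FIXME should carry a bug link so the gap is tracked, and a PasteHTML test with a `srcset` value would pin the behaviour. Separately, `URLParser { attribute.value() }.result()` is called without a base URL, so relative values presumably reach `shouldRemoveURL` as invalid URLs. Whether those are kept or removed depends on the predicate, which is not visible here, and deserves a one-line comment.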
trunk/Source/WebCore/editing/markup.h
r223440 r227351 30 30 #include "HTMLInterchange.h" 31 31 #include <wtf/Forward.h> 32 #include <wtf/Function.h> 32 33 #include <wtf/HashMap.h> 33 34 … … 48 49 49 50 void replaceSubresourceURLs(Ref<DocumentFragment>&&, HashMap<AtomicString, AtomicString>&&); 51 void removeSubresourceURLAttributes(Ref<DocumentFragment>&&, WTF::Function<bool(const URL&)> shouldRemoveURL); 52 50 53 std::unique_ptr<Page> createPageForSanitizingWebContent(); 51 String sanitizeMarkup(const String& );54 String sanitizeMarkup(const String&, std::optional<WTF::Function<void(DocumentFragment&)>> fragmentSanitizer = std::nullopt); 52 55 53 56 enum EChildrenOnly { IncludeNode, ChildrenOnly }; -
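Review bot: `std::optional<WTF::Function<void(DocumentFragment&)>>` in the new sanitizeMarkup declaration wraps a type that is already nullable. WTF::Function can be empty and tested with `operator bool`, so the optional adds a second "absent" state, an engaged optional holding an empty Function, which the `if (fragmentSanitizer)` check in markup.cpp would go on to call. Declaring it as `String sanitizeMarkup(const String&, WTF::Function<void(DocumentFragment&)> fragmentSanitizer = nullptr);` removes that state and the explicit `WTF::Function<...> { ... }` wrapping at the call sites. The new removeSubresourceURLAttributes declaration would also benefit from a comment stating that the predicate returns true for URLs whose attribute should be removed.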
trunk/Tools/ChangeLog
r227342 r227351 1 2018-01-22 Ryosuke Niwa <rniwa@webkit.org> 2 3 Blob conversion and sanitization doesn't work with Microsoft Word for Mac 2011 4 https://bugs.webkit.org/show_bug.cgi?id=181616 5 <rdar://problem/36484908> 6 7 Reviewed by Wenson Hsieh. 8 9 Added tests to make sure we sanitize plain HTML, not just web archives, 10 when and only when custom pasteboard data is enabled. 11 12 * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: 13 * TestWebKitAPI/Tests/WebKitCocoa/PasteHTML.mm: Added. 14 (writeHTMLToPasteboard): Added. 15 (createWebViewWithCustomPasteboardDataSetting): Added. 16 1 17 2018-01-22 Alexey Proskuryakov <ap@apple.com> 2 18 -
trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
r227242 r227351 578 578 9B7A37C41F8AEBA5004AA228 /* CopyURL.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */; }; 579 579 9B7D740F1F8378770006C432 /* paste-rtfd.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B7D740E1F8377E60006C432 /* paste-rtfd.html */; }; 580 9BCB7C2820130600003E7C0C /* PasteHTML.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9BCB7C2620130600003E7C0C /* PasteHTML.mm */; }; 580 581 9BD4239A1E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */; }; 581 582 9BD4239C1E04C01C00200395 /* chinese-character-with-image.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9BD4239B1E04BFD000200395 /* chinese-character-with-image.html */; }; … … 1590 1591 9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = CopyURL.mm; sourceTree = "<group>"; }; 1591 1592 9B7D740E1F8377E60006C432 /* paste-rtfd.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "paste-rtfd.html"; sourceTree = "<group>"; }; 1593 9BCB7C2620130600003E7C0C /* PasteHTML.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = PasteHTML.mm; sourceTree = "<group>"; }; 1592 1594 9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AttributedSubstringForProposedRangeWithImage.mm; sourceTree = "<group>"; }; 1593 1595 9BD4239B1E04BFD000200395 /* chinese-character-with-image.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "chinese-character-with-image.html"; sourceTree = "<group>"; }; … … 2116 2118 9BDCCD851F7D0B0700009A18 /* PasteImage.mm */, 2117 2119 9BDD95561F83683600D20C60 /* PasteRTFD.mm */, 2120 9BCB7C2620130600003E7C0C /* 
PasteHTML.mm */, 2118 2121 9B2346411F943A2400DB1D23 /* PasteWebArchive.mm */, 2119 2122 3FCC4FE41EC4E8520076E37C /* PictureInPictureDelegate.mm */, … … 3397 3400 2D51A0C71C8BF00C00765C45 /* DOMHTMLVideoElementWrapper.mm in Sources */, 3398 3401 46397B951DC2C850009A78AE /* DOMNode.mm in Sources */, 3402 9BCB7C2820130600003E7C0C /* PasteHTML.mm in Sources */, 3399 3403 7CCE7EBC1A411A7E00447C4C /* DOMNodeFromJSObject.mm in Sources */, 3400 3404 7CCE7EBD1A411A7E00447C4C /* DOMRangeOfString.mm in Sources */,