Description
Prevent recursive call of Document::execCommand() to protect from attack code
This patch prevents recursive calls of Document::execCommand() to protect from attack code, e.g. executing an editing operation in <iframe onload="... editing command"> or <iframe src="javascript:...">.
Before this patch, editing operations that move an iframe executed the JavaScript specified in its load event handler or in a src with the javascript: protocol, although the implementation of editing operations does not handle DOM tree modification while an editing operation is executing.
Note: This change reduces security risk but introduces a browser incompatibility into Blink. However, the compatibility risk is low because the use case of recursive execution of Document::execCommand() is very tricky and the result differs in each browser. We've seen usage of this only in attack code so far.
BUG=314609
TEST=LayoutTests/editing/execCommand/apply-style-iframe-crash.html
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=162080
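The guard the description refers to, as an added example rather than Blink's own code: a Document-like object that refuses execCommand() while another command is still running, with a script hook standing in for the iframe load handler that fires mid-edit (GuardedDocument, runReentrancyScenario and the command names are hypothetical).

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical miniature of a document with an execCommand() entry point.
// A command already in progress refuses any nested command issued by
// script that runs while the DOM is being mutated.
class GuardedDocument {
public:
    using ScriptHook = std::function<void(GuardedDocument&)>;

    // Returns false, without touching the tree, when invoked re-entrantly.
    bool execCommand(const std::string& command, const ScriptHook& scriptDuringEdit = nullptr) {
        if (executing_)
            return false;                 // nested call: refused
        executing_ = true;
        struct Reset { bool& f; ~Reset() { f = false; } } reset{executing_};  // cleared on every exit path
        log_.push_back("begin " + command);
        // A real editing command mutates the DOM here; moving an <iframe>
        // can fire its load handler, which the hook stands in for.
        if (scriptDuringEdit)
            scriptDuringEdit(*this);
        log_.push_back("end " + command);
        return true;
    }

    const std::vector<std::string>& log() const { return log_; }

private:
    bool executing_ = false;
    std::vector<std::string> log_;
};

struct ScenarioResult {
    bool outerAccepted;             // top-level commands before and after the attempt
    bool nestedAccepted;            // the command issued from inside the edit
    std::vector<std::string> log;   // order of begin/end markers actually recorded
};

// The outer command runs script that attempts a second command while the
// first is still in progress; only the inner one must be rejected, and a
// later top-level call must succeed again once the guard is released.
ScenarioResult runReentrancyScenario() {
    GuardedDocument doc;
    bool nested = true;
    bool outer = doc.execCommand("bold", [&nested](GuardedDocument& d) {
        nested = d.execCommand("italic");   // issued mid-edit, expected to fail
    });
    bool afterwards = doc.execCommand("underline");
    return {outer && afterwards, nested, doc.log()};
}
```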
Patch Set 1 : 2013-11-13T18:35:41
Total comments: 1
Patch Set 2 : 2013-11-14T13:56:25
Total comments: 1
Patch Set 3 : 2013-11-15T12:44:04
Total comments: 4
Messages
Total messages: 13 (0 generated)