[Backport] Fix for CVE-2020-6464
Fix customized built-in element constructor behavior

This CL implements two changes:
 1. It fixes the implementation to better match the spec for the
    "create an element for the token" [1] algorithm. Prior to this CL,
    step 7 of that algorithm was skipping directly to step 6 of the
    "create an element" [2] algorithm, skipping over step 5 for
    customized built-in elements. This is now fixed. This case is
    illustrated by the issue and example at [3] and [4]. This becomes
    the first test in customized-built-in-constructor-exceptions.html.

 2. It updates the comments to match the new behavior discussed in [3]
    and the [5] spec PR, which changes the return value in the case
    that a customized built-in element constructor throws an exception.
    With the change above, that is actually already the behavior. So
    this is just a comment change. Two new tests are added to
    customized-built-in-constructor-exceptions.html.

[1] https://html.spec.whatwg.org/multipage/parsing.html#create-an-element-for-the-token
[2] https://dom.spec.whatwg.org/#concept-create-element
[3] whatwg/html#5084
[4] https://crbug.com/1024866
[5] whatwg/dom#797

[email protected]

(cherry picked from commit 7101418f85a0f17e4f9a35dfe3a9acff76340a93)

Bug: 1071059, 1024866
Change-Id: I814c81991eb5e83501304bcb3d2da476743aef52
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Allan Sandfeld Jensen authored and Michal Klocek committed Jun 10, 2020
1 parent b3b4d5a commit 7c34012
Showing 3 changed files with 8 additions and 3 deletions.
@@ -149,6 +149,7 @@ HTMLElement* ScriptCustomElementDefinition::HandleCreateElementSyncException(
HTMLElement* ScriptCustomElementDefinition::CreateAutonomousCustomElementSync(
Document& document,
const QualifiedName& tag_name) {
DCHECK(CustomElement::ShouldCreateCustomElement(tag_name)) << tag_name;
if (!script_state_->ContextIsValid())
return CustomElement::CreateFailedElement(document, tag_name);
ScriptState::Scope scope(script_state_);
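Review bot: the hunk header reports one added line, and the only candidate in the visible context is the debug-only DCHECK on `CustomElement::ShouldCreateCustomElement(tag_name)`; the second hunk promotes the same condition to a release CHECK inside CreateFailedElement, so either note why a DCHECK is enough on this entry point or promote it too for consistency. As written, in a release build a built-in tag name reaching this function with an invalid context would pass the DCHECK silently and then trip the CHECK in `return CustomElement::CreateFailedElement(document, tag_name);`, so the crash would be reported from the callee rather than from the function that received the bad name.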
@@ -163,7 +163,8 @@ Element* CustomElement::CreateUncustomizedOrUndefinedElement(

HTMLElement* CustomElement::CreateFailedElement(Document& document,
const QualifiedName& tag_name) {
DCHECK(ShouldCreateCustomElement(tag_name));
CHECK(ShouldCreateCustomElement(tag_name))
<< "HTMLUnknownElement with built-in tag name: " << tag_name;

// "create an element for a token":
// https://html.spec.whatwg.org/multipage/syntax.html#create-an-element-for-the-token
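Review bot: replacing the DCHECK with a release-mode CHECK is a hardening step the commit message does not mention; it turns a silently mis-typed element (the message string names the hazard: an HTMLUnknownElement created under a built-in tag name) into a deterministic crash rather than leaving a confusable object alive, which is the right choice for a guard on element type, but it should be called out in the description so the backport reviewer knows a new crash path is being introduced on purpose. Minor: the message reads clearer as "CreateFailedElement called with built-in tag name: " since it describes what was about to happen rather than the element type that was never created.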
@@ -906,8 +906,11 @@ Element* HTMLConstructionSite::CreateElement(
// reactions stack."
CEReactionsScope reactions;

// 7.
element = definition->CreateAutonomousCustomElementSync(document, tag_name);
// 7. Let element be the result of creating an element given document,
// localName, given namespace, null, and is. If will execute script is true,
// set the synchronous custom elements flag; otherwise, leave it unset.
element =
definition->CreateElement(document, tag_name, GetCreateElementFlags());

// "8. Append each attribute in the given token to element." We don't use
// setAttributes here because the custom element constructor may have
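Review bot: the new comment quotes step 7 of the spec including the "synchronous custom elements flag" / "will execute script" condition, but the only thing the hunk passes for it is `GetCreateElementFlags()`, so a reviewer has to trust that this helper encodes the will-execute-script decision; a one-line comment pointing at where that flag is computed would make the mapping checkable from this site. The removed call `definition->CreateAutonomousCustomElementSync(document, tag_name)` was the bug: it ran the autonomous path for every definition, including customized built-ins, skipping "create an element" step 5; dispatching through `definition->CreateElement(...)` fixes that, and the `is` value is implied by `definition`, which must already have been resolved from the token above the visible context. Separately, the message says tests were added to customized-built-in-constructor-exceptions.html, but the page lists only 3 changed source files, so the backport appears to drop the test changes; confirm they are carried elsewhere or add them.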
