<!DOCTYPE html>
<script src="../../resources/testharness.js"></script>
<script src="../../resources/testharnessreport.js"></script>
<script src="../assert_selection.js"></script>
<script>
selection_test(
'<math id="target">a</math>',
selection => {
const target = selection.document.getElementById('target');
const style = selection.window.getComputedStyle(target);
},
'<math id="target">a</math>',
'Check whether we have MathML or not');
function hasRedBackground(element) {
return window.getComputedStyle(element).
getPropertyValue("background-color") == "rgb(255, 0, 0)" ||
Array.from(element.children).some(hasRedBackground);
}
// crbug.com/1011950
selection_test(
'<div contenteditable>te|st</div>',
selection => {
selection.setClipboardData('<math><xss style=display:block>t<style>X<a title="</style><img src onerror=assert_unreached()>">.<a>.');
selection.document.execCommand('paste');
assert_false(hasRedBackground(document.documentElement));
},
'<div contenteditable>te<math><xss style="display:block"><style>X<a title="</style><img src onerror=assert_unreached()>">.<a></a></a></style></xss></math>t|st</div>',
'Paste blocks script injection');
// crbug.com/1017871
selection_test(
'<div contenteditable>te|st</div>',
selection => {
selection.setClipboardData('<math><xss style=display:block>t<style>X<a title="</style><style>*{background:red}</style>">.<a>.');
selection.document.execCommand('paste');
assert_false(hasRedBackground(document.documentElement));
},
'<div contenteditable>te<math><xss style="display:block"><style>X<a title="</style><style>*{background:red}</style>">.<a></a></a></style></xss></math>t|st</div>',
'Paste blocks HTML style injection');
// crbug.com/1017871
selection_test(
'<div contenteditable>te|st</div>',
selection => {
selection.setClipboardData('A<math>B<a style=display:block>C<title>D<a id="</title><svg><style>*{background:red}</style>">c');
selection.document.execCommand('paste');
assert_false(hasRedBackground(document.documentElement));
},
'<div contenteditable>teA<math>B<a style="display:block"><title>D<a id="</title><svg><style>*{background:red}</style>"></a></title></a></math>C|st</div>',
'Paste blocks SVG style injection');
// crbug.com/1141350
selection_test(
'<div contenteditable>|abc</div>',
selection => {
selection.setClipboardData(`<math><xss style=display:block>t<xmp>X<a title="</xmp><div style=position:fixed;left:0;top:0;width:100%;height:100%><svg><use href=data:application/xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJz4KPGEgaHJlZj0namF2YXNjcmlwdDphbGVydCgxMjMpJz4KICAgIDxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J2xpZ2h0Ymx1ZScgLz4KICAgICA8dGV4dCB4PScwJyB5PScwJyBmaWxsPSdibGFjayc+CiAgICAgICA8dHNwYW4geD0nMCcgZHk9JzEuMmVtJz5Pb3BzLCB0aGVyZSdzIHNvbWV0aGluZyB3cm9uZyB3aXRoIHRoZSBwYWdlITwvdHNwYW4+CiAgICAgPHRzcGFuIHg9JzAnIGR5PScxLjJlbSc+UGxlYXNlIGNsaWNrIGhlcmUgdG8gcmVsb2FkLjwvdHNwYW4+Cjwvc3ZnPg==#x>">.<a>.`),
selection.document.execCommand('paste');
assert_equals(selection.document.querySelector('use'), null, 'SVG <use> with data URI should not leak into main document');
},
'<div contenteditable><math><xss style="display:block"><xmp>X<a title="</xmp><div style=position:fixed;left:0;top:0;width:100%;height:100%><svg><use href=data:application/xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJz4KPGEgaHJlZj0namF2YXNjcmlwdDphbGVydCgxMjMpJz4KICAgIDxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J2xpZ2h0Ymx1ZScgLz4KICAgICA8dGV4dCB4PScwJyB5PScwJyBmaWxsPSdibGFjayc+CiAgICAgICA8dHNwYW4geD0nMCcgZHk9JzEuMmVtJz5Pb3BzLCB0aGVyZSdzIHNvbWV0aGluZyB3cm9uZyB3aXRoIHRoZSBwYWdlITwvdHNwYW4+CiAgICAgPHRzcGFuIHg9JzAnIGR5PScxLjJlbSc+UGxlYXNlIGNsaWNrIGhlcmUgdG8gcmVsb2FkLjwvdHNwYW4+Cjwvc3ZnPg==#x>">.<a></a></a></xmp></xss></math>t|abc</div>',
'Paste blocks data URI in SVG use element injection via <math>');
</script>
Codebase Browser
chromium