<!DOCTYPE html>
<meta charset="utf8">
<script src="../../resources/testharness.js"></script>
<script src="../../resources/testharnessreport.js"></script>
<script src="../assert_selection.js"></script>
<script>
// crbug.com/1040755
selection_test(
'<div contenteditable>|</div>',
selection => {
selection.setClipboardData(`
<svg>
<use href="data:application/xml,
<svg id=x>
<a href='javascript:alert(1)'>
<rect width=100 height=100 fill=blue />
</a>
</svg>#x">
</use>
</svg>`);
selection.document.execCommand('paste');
},
'<div contenteditable>|<svg></svg></div>',
'Paste blocks data URI in SVG use elements');
// crbug.com/1065761
selection_test(
'<div contenteditable>|</div>',
selection => {
selection.setClipboardData(`
<noscript><u title="</noscript><div contenteditable=false>
<svg>
<use href=data:application/xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJz4KPGEgaHJlZj0namF2YXNjcmlwdDphbGVydCgxMjMpJz4KICAgIDxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J2xpZ2h0Ymx1ZScgLz4KICAgICA8dGV4dCB4PScwJyB5PScwJyBmaWxsPSdibGFjayc+CiAgICAgICA8dHNwYW4geD0nMCcgZHk9JzEuMmVtJz5Pb3BzLCB0aGVyZSdzIHNvbWV0aGluZyB3cm9uZyB3aXRoIHRoZSBwYWdlITwvdHNwYW4+CiAgICAgPHRzcGFuIHg9JzAnIGR5PScxLjJlbSc+UGxlYXNlIGNsaWNrIGhlcmUgdG8gcmVsb2FkLjwvdHNwYW4+Cjwvc3ZnPg==#x>"></noscript>asdasd`);
selection.document.execCommand('paste');
},
'<div contenteditable><div><br></div><div> <u title="</div><div> </div><div> ">asdasd|</div></div>',
'Paste blocks data URI in SVG use element injection via <noscript>');
// crbug.com/1490811
selection_test(
'<div contenteditable>|</div>',
selection => {
selection.setClipboardData(
`<svg><use xlink:href="https://example.com/external.svg#xss" /></svg>` +
`<svg><use href="https://example.com/external.svg#xss" /></svg>`);
selection.document.execCommand('paste');
},
'<div contenteditable>|<svg></svg><svg></svg></div>',
'Paste blocks non-local hrefs in SVG use elements');
</script>
Codebase Browser
chromium