electron/patches/chromium/backport_1073409.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Cheng Zhao <[email protected]>
Date: Thu, 4 Oct 2018 14:57:02 -0700
Subject: fix: use parseHTMLSubset() in chrome://histograms.

[1073409] [Low] [CVE-2020-6535]: XSS on chrome://histograms/ with a compromised renderer
Backport https://chromium.googlesource.com/chromium/src/+/9a31a7ea51e0c7548f4ed77f5007e4a924ef0fbb

diff --git a/content/browser/resources/histograms/BUILD.gn b/content/browser/resources/histograms/BUILD.gn
index cc4ce92ab285567195aac47d260dc9c819c69ae4..529ffa95c146b5e9afb95e091486faf1cdcf3005 100644
--- a/content/browser/resources/histograms/BUILD.gn
+++ b/content/browser/resources/histograms/BUILD.gn
@@ -11,6 +11,7 @@ js_type_check("closure_compile") {
 js_library("histograms_internals") {
   deps = [
     "//ui/webui/resources/js:cr",
+    "//ui/webui/resources/js:parse_html_subset",
     "//ui/webui/resources/js:util",
   ]
 }
diff --git a/content/browser/resources/histograms/histograms_internals.html b/content/browser/resources/histograms/histograms_internals.html
index 37e45404843d70bd2621fffc6f5f4e4e69786005..b997e6d2ff88f86c00bf4e4a099cd4999d66c061 100644
--- a/content/browser/resources/histograms/histograms_internals.html
+++ b/content/browser/resources/histograms/histograms_internals.html
@@ -8,6 +8,7 @@
   <script src="chrome://resources/js/cr.js"></script>
   <script src="chrome://resources/js/promise_resolver.js"></script>
   <script src="chrome://resources/js/util.js"></script>
+  <script src="chrome://resources/js/parse_html_subset.js"></script>
   <script src="histograms_internals.js"></script>
   <title>Histograms</title>
 </head>
diff --git a/content/browser/resources/histograms/histograms_internals.js b/content/browser/resources/histograms/histograms_internals.js
index 24c55fb23c9f390a484572fe098e0cdcc79bc4ac..b70641ed43512391e4b75383b68196ba99590638 100644
--- a/content/browser/resources/histograms/histograms_internals.js
+++ b/content/browser/resources/histograms/histograms_internals.js
@@ -24,9 +24,12 @@ function addHistograms(histograms) {
     htmlOutput += histogram;
   }
 
-  // NOTE: This is generally unsafe due to XSS attacks. Make sure |htmlOutput|
-  // cannot be modified by an external party.
-  $('histograms').innerHTML = htmlOutput;
+  // The following HTML tags are coming from
+  // |HistogramsMessageHandler::HandleRequestHistograms|.
+  const sanitizedHTML = parseHtmlSubset(`<span>${htmlOutput}</span>`, [
+                          'PRE', 'H4', 'BR', 'HR'
+                        ]).firstChild.innerHTML;
+  $('histograms').innerHTML = sanitizedHTML;
 }
 
 /**