Disable html() in d3 at the request of security, so that d3 can be us…

…ed in web-facing tools. BUG= NOTRY=true Review URL: https://codereview.chromium.org/216813002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260528 0039d316-1c4b-4281-b951-d872f2087c98
hylschwy · Mar 31, 2014 · 846cc3e · 846cc3e
1 parent ce0475b
commit 846cc3e
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/third_party/d3/README.chromium b/third_party/d3/README.chromium
@@ -12,12 +12,20 @@ License Android Compatible: Yes
 Description:
 A JavaScript library for manipulating documents based on data.
 
-IMPORTANT:
-This library is currently used only for internal tools, and has not been
-security reviewed for use in any shipping or web-facing code.
+Subject to the security patch(es) described below, you MAY include d3 in web-facing content, such
+as in pages generated by bots or tools.
+
 
 Local Modifications:
-Deleted everything except for:
+1. Deleted everything except for:
 * d3.js         the standalone non-minified library
 * LICENSE       the BSD-style 3-Clause license
 * README.md     the readme file from github, for basic information
+
+2. Applied the following patches at the request of security:
+patches/001_no_html.patch        Disables the html() convenience functions, which could be used to
+                                 inject arbitrary content into the page. Instead of using html(),
+                                 programmatically create the individual nodes and/or text that you
+                                 require.
+                                 The html() methods have been modified to throw exceptions that
+                                 make it obvious that this feature is disabled for security.
diff --git a/third_party/d3/patches/001_no_html.patch b/third_party/d3/patches/001_no_html.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/d3/src/d3.js b/third_party/d3/src/d3.js
+index a3e4b95..8a98c4d 100644
+--- a/third_party/d3/src/d3.js
++++ b/third_party/d3/src/d3.js
+@@ -713,6 +713,7 @@
+     }) : this.node().textContent;
+   };
+   d3_selectionPrototype.html = function(value) {
++    throw "disallowed by chromium security";
+     return arguments.length ? this.each(typeof value === "function" ? function() {
+       var v = value.apply(this, arguments);
+       this.innerHTML = v == null ? "" : v;
+@@ -9274,9 +9275,11 @@
+     return JSON.parse(request.responseText);
+   }
+   d3.html = function(url, callback) {
++    throw "disallowed by chromium security";
+     return d3_xhr(url, "text/html", d3_html, callback);
+   };
+   function d3_html(request) {
++    throw "disallowed by chromium security";
+     var range = d3_document.createRange();
+     range.selectNode(d3_document.body);
+     return range.createContextualFragment(request.responseText);
diff --git a/third_party/d3/src/d3.js b/third_party/d3/src/d3.js
@@ -713,6 +713,7 @@
     }) : this.node().textContent;
   };
   d3_selectionPrototype.html = function(value) {
+    throw "disallowed by chromium security";
     return arguments.length ? this.each(typeof value === "function" ? function() {
       var v = value.apply(this, arguments);
       this.innerHTML = v == null ? "" : v;
@@ -9274,9 +9275,11 @@
     return JSON.parse(request.responseText);
   }
   d3.html = function(url, callback) {
+    throw "disallowed by chromium security";
     return d3_xhr(url, "text/html", d3_html, callback);
   };
   function d3_html(request) {
+    throw "disallowed by chromium security";
     var range = d3_document.createRange();
     range.selectNode(d3_document.body);
     return range.createContextualFragment(request.responseText);