Issue 112325 Security: Copy-paste preserves <embed> tags containing active content
Starred by 2 users. Reported by, Feb 1 2012
Status: Fixed
Closed: Jan 2013
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Copying an HTML snippet that includes an <embed> tag and then pasting into a content-editable div box (e.g., gmail compose area) can result in XSS on the pastee host page.

Credit: This was originally reported to Google Security by Subho Halder, Aditya Gupta, and Dev Kar of xys3c.

Chrome Version: 17.0.963.44 beta
Operating System: Ubuntu 10.04

This also works cross-origin, i.e. if the contenteditable div is within a page in a different origin.
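The report above describes the attack from the side of the page receiving the paste: rich-text editors take the `text/html` flavour of the clipboard and insert it into a contenteditable region, so any `<embed>` (or `<object>`, script or event-handler attribute) that survives lands in the host page's DOM. Until the browser-side fix ships, an application can defend itself by sanitizing the pasted markup before insertion. The following is an added example, not code from this bug, from Gmail or from the WebKit patch discussed later: an allowlist-based sanitizer for pasted HTML plus a `paste` handler that installs it on a contenteditable element. The allowed tag and attribute sets, the `https:`/`mailto:` scheme allowlist and the sample clipboard payloads are assumptions chosen for illustration.

```javascript
// Added example (not from the Chromium bug, Gmail or WebKit): sanitize the
// text/html clipboard flavour before it reaches a contenteditable region.
// Allowlists below are assumptions for illustration; tune them per editor.

const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br',
  'div', 'span', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = new Set(['href', 'title']);   // every on* handler, src, data ... is dropped
const DROP_CONTENT_TAGS = new Set(['script', 'style']); // drop the element body too
const SAFE_URL = /^\s*(https?:|mailto:)/i;            // scheme allowlist for href

// Scan one tag starting at html[pos] === '<'. Handles quoted attribute values
// (so a '>' inside src="..." cannot end the tag early) and comments/doctypes.
function readTag(html, pos) {
  if (html.startsWith('<!--', pos)) {
    const e = html.indexOf('-->', pos + 4);
    return { comment: true, end: e === -1 ? html.length : e + 3 };
  }
  if (html[pos + 1] === '!' || html[pos + 1] === '?') {
    const e = html.indexOf('>', pos);
    return { comment: true, end: e === -1 ? html.length : e + 1 };
  }
  let j = pos + 1;
  const closing = html[j] === '/';
  if (closing) j++;
  const m = /^[a-zA-Z][a-zA-Z0-9-]*/.exec(html.slice(j));
  if (!m) return null;                                // not a tag: treat '<' as text
  const name = m[0].toLowerCase();
  j += m[0].length;
  const attrs = [];
  while (j < html.length) {
    const c = html[j];
    if (c === '>') return { name, closing, attrs, end: j + 1 };
    if (/\s/.test(c) || c === '/') { j++; continue; }
    let k = j;
    while (k < html.length && !/[\s=>/]/.test(html[k])) k++;
    const attrName = html.slice(j, k).toLowerCase();
    j = k;
    while (j < html.length && /\s/.test(html[j])) j++;
    let value = '';
    if (html[j] === '=') {
      j++;
      while (j < html.length && /\s/.test(html[j])) j++;
      const q = html[j];
      if (q === '"' || q === "'") {
        const e = html.indexOf(q, j + 1);
        value = html.slice(j + 1, e === -1 ? html.length : e);
        j = e === -1 ? html.length : e + 1;
      } else {
        k = j;
        while (k < html.length && !/[\s>]/.test(html[k])) k++;
        value = html.slice(j, k);
        j = k;
      }
    }
    if (attrName) attrs.push({ name: attrName, value });
  }
  return { name, closing, attrs, end: html.length };  // unterminated tag: consume the rest
}

// Re-emit a tag keeping only allowlisted attributes and safe href schemes.
function serializeTag(tag) {
  if (tag.closing) return '</' + tag.name + '>';
  let s = '<' + tag.name;
  for (const { name, value } of tag.attrs) {
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === 'href' && !SAFE_URL.test(value)) continue;
    s += ' ' + name + '="' + value.replace(/"/g, '&quot;') + '"';
  }
  return s + '>';
}

// Allowlist pass over pasted HTML: unknown tags (embed, object, img, ...) are
// removed while their text content is kept; script/style bodies are removed.
function sanitizePastedHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const tag = readTag(html, lt);
    if (!tag) { out += '&lt;'; i = lt + 1; continue; }
    i = tag.end;
    if (tag.comment) continue;
    if (DROP_CONTENT_TAGS.has(tag.name) && !tag.closing) {
      const close = html.toLowerCase().indexOf('</' + tag.name, i);
      if (close === -1) break;
      const gt = html.indexOf('>', close);
      i = gt === -1 ? html.length : gt + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag.name)) continue;
    out += serializeTag(tag);
  }
  return out;
}

// Browser side: intercept rich pastes and insert only the sanitized markup.
function installPasteSanitizer(editable) {
  editable.addEventListener('paste', (ev) => {
    const html = ev.clipboardData.getData('text/html');
    if (!html) return;                                // plain-text paste: leave it to the browser
    ev.preventDefault();
    const sel = window.getSelection();
    if (!sel.rangeCount) return;
    const range = sel.getRangeAt(0);
    range.deleteContents();
    range.insertNode(range.createContextualFragment(sanitizePastedHtml(html)));
  });
}

if (typeof document !== 'undefined') {               // only in a browser
  const el = document.querySelector('[contenteditable]');
  if (el) installPasteSanitizer(el);
}
```

The sanitizer is deliberately an allowlist: anything it does not recognise, including an `<embed>` whose `src` points at a plugin file, an `<object>` wrapper, an `on*` handler or a `javascript:` link, is dropped rather than pattern-matched, so obfuscated variants fail safe. A drag-and-drop path into the same editor needs the equivalent treatment on the `drop` event, since the report notes the payload arrives that way too.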
Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit OS-All SecImpacts-Stable SecSeverity-Medium Mstone-16 WebKit-Editing
Status: Available
Confirmed to work by pasting into this rich edit control sample:

The repro also works with drag+drop, which may be easier to trick a user into doing. Assigning Severity Medium (not High because of required user interaction).

This is WebKit specific and it also affects Safari.

Btw. the payload is an EMBED tag that loads an .swf file from an attacker-controlled server. The Flash object has access to the DOM of the page in which the HTML snippet is pasted.
Comment 3 by, Feb 2 2012
Please cc me on the WebKit bug 77625.
Labels: -Mstone-16 Mstone-17
moving m16 bugs to m17.
Hey Ryosuke, I noticed in the WebKit bug that things stalled after you asked for help. Could you try to get things going again?
Issue 117183 has been merged into this issue.
Cc:, do you want to register on, so that we can cc you on the upstream bug?
Registered on with the email CC.
Labels: -Mstone-17 Mstone-18
Updating milestone. m18 is already out.
Comment 12 by, Mar 30 2012
Labels: -Mstone-18 Mstone-20
Comment 13 by, Mar 30 2012
Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.
Labels: reward-topanel
Labels: -Mstone-19 Mstone-20
Bulk Edit: m20 is shipped. Rolling open m19 bugs forward.
Comment 18 by, Jul 11 2012
Labels: -Mstone-20 Mstone-21 SecImpacts-Beta
Labels: Security-CodeYellow
Please do read Mark's email titled "Code Yellow: Security Bug Backlog" on chrome-team mailing list.
What do other browsers do in this case? Do we want to keep this bug open?
The WebKit community has still not come to a proper decision!
Labels: -Mstone-21 Mstone-24
Status: Assigned
Adam, didn't you express an interest in this one?
If not, perhaps Tom?

Seems this one is indeed getting a bit long in the tooth.
If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

The Gmail people are concerned about this problem.
This is on the WebKit side of things, so we have to accommodate everybody, and some clients want it one way and other clients insist it not be changed. To appease everyone, this needs to be a new setting, and I started to cobble up a patch to add the plumbing, but I didn't finish.
Comment 26 by, Dec 22 2012
>If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

On the WebKit side, Apple's Mail uses the object element to represent attachments. But stripping the embed tag only on the paste event still doesn't collide with this feature! I don't get why such a simple stripping of an embed element is going to block the feature.
Comment 28 Deleted
It seems like WebKit has just fixed it from their end.
Changelog:
Yeah, that was my patch in 139111. There's a (hopefully) 1-line change to chromium that's required to take advantage of this.
Comment 31 by, Jan 10 2013
Yup, that was a nice patch. I had gone through your patch; it seems a better solution. Hope chromium implements this soon, this bug has been open for nearly 11 months!
Status: Assigned
Project Member Comment 34 by, Jan 15 2013
The following revision refers to this bug:

r176856 | | 2013-01-15T08:42:11.841167Z

Changed paths:

Copy-paste preserves <embed> tags containing active content.
BUG=112325

Enable webkit preference for Chromium to disallow unsafe plugin pasting.

Review URL:
Labels: -Restrict-View-SecurityTeam -Mstone-24 Restrict-View-SecurityNotify Mstone-26
Status: Fixed
I'd suggest *not* merging this to m25 and just letting it roll out; some folks might be disrupted.
Labels: Release-0
Good idea, Tom! Thanks for pushing this through.

BTW, if we're just going to let this roll into M26 then we should also set the "Release-0" label since the bug does affect shipping stable Chrome.
Labels: -reward-topanel
Project Member Comment 38 by, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecSeverity-Medium -WebKit-Editing -Mstone-26 -SecImpacts-Beta Cr-Content Security-Impact-Stable Cr-Content-Editing Security-Impact-Beta Security-Severity-Medium M-26 Type-Bug-Security
Project Member Comment 39 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 40 by, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 41 by, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Labels: CVE-2013-0926
Project Member Comment 43 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 44 by, Apr 6 2013
Labels: -Cr-Content-Editing Cr-Blink-Editing
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Project Member Comment 46 by, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 47 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 48 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic