'Allowing "javascript:xxx" frames' for backport?

Koos Vriezen koos.vriezen at xs4all.nl
Wed Mar 2 19:45:47 GMT 2005


Hi,

This one below doesn't get reviewed on kfm-devel. I think it's pretty
much a showstopper for konqueror. Please review for backport.

Thanks,

Koos

----- Forwarded message from Koos Vriezen <koos.vriezen at xs4all.nl> -----

Date: Sat, 26 Feb 2005 18:23:21 +0100
From: Koos Vriezen <koos.vriezen at xs4all.nl>
To: kfm-devel at kde.org
Subject: Re: Allowing "javascript:xxx" frames

On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> Hi,
> 
> Consider this testcase, both as local file and non-local (eg. cp to
> public_html and http://localhost/~me/testcase.html) and see the
> differences:
>  <html>
>   <frameset cols="25%,75%" >
>    <frame src="javascript:'<HTML></HTML>'" name="toc">
>    <frame src="javascript:'<HTML></HTML>'" name="body">
>   </frameset>
>  </html>
> 
> Most likely it's some accessing restriction. But it doesn't print a
> warning, so maybe someone on this list can tell where this is blocked.

Never mind, couldn't resist looking myself anyways :-). So it's in
xml/dom_docimpl.cpp:2130:
  if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
      return false;

I've been looking where this should be handled, javascript urls, and I
can imagine each element has to decide for itself if it should run the
script engine for an attribute or not. However, in case of SRC, some
attributes may have to be evaluated always.
You khtml developers have to find the right place for it, because I can
only guess.

Anyhow, this q&d patch makes it work for me:

diff -u -3 -p -r1.203 html_baseimpl.cpp
--- html/html_baseimpl.cpp      21 Dec 2004 15:31:18 -0000      1.203
+++ html/html_baseimpl.cpp      26 Feb 2005 17:18:03 -0000
@@ -237,13 +237,20 @@ NodeImpl::Id HTMLFrameElementImpl::id()
 {
     return ID_FRAME;
 }
-
+#include <qvariant.h>
 void HTMLFrameElementImpl::parseAttribute(AttributeImpl *attr)
 {
     switch(attr->id())
     {
-    case ATTR_SRC:
-        setLocation(khtml::parseURL(attr->val()));
+    case ATTR_SRC: {
+        QString v = DOMString(attr->val()).string();
+        if (v.startsWith(QString::fromLatin1("javascript:"))) {
+            KHTMLView* w = getDocument()->view();
+            if (w)
+                v = w->part()->executeScript(this, v).toString();
+        }
+        setLocation(khtml::parseURL(v));
+                   }
         break;
     case ATTR_ID:
     case ATTR_NAME:
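
Review bot: In the new ATTR_SRC case the string returned by executeScript() is handed to khtml::parseURL() and setLocation() as if it were a URL, so for the testcase above the frame location becomes the text '<HTML></HTML>', and in general page script now chooses the frame's URL at attribute-parse time. Please confirm that the resulting URL still passes through the authorizeURLAction("redirect", ...) check quoted earlier, or treat the script result as frame content rather than as a location. The prefix test v.startsWith(QString::fromLatin1("javascript:")) runs on the raw attribute value, before khtml::parseURL(), and is case sensitive, so a value with leading whitespace or written as "JavaScript:" takes the old path; testing the parseURL() output case-insensitively would make the two paths consistent. Style: the #include <qvariant.h> added between two function bodies belongs with the other includes at the top of the file, and the closing brace of the case block is misindented.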

Pages I found that work w/ this patch, and just a white screen w/o, are
http://www.myelectronics.nl/
http://service.real.com/help/library/guides/realone/ProductionGuide/HTML/realpgd.htm?page=htmfiles/smilintr.htm%23overview

[..]
> Koos

----- End forwarded message -----



