'Allowing "javascript:xxx" frames' for backport?
Koos Vriezen
koos.vriezen at xs4all.nl
Wed Mar 2 19:48:49 GMT 2005
Ooops, this is the one ...
----- Forwarded message from Koos Vriezen <koos.vriezen at xs4all.nl> -----
Date: Sun, 27 Feb 2005 15:44:10 +0100
From: Koos Vriezen <koos.vriezen at xs4all.nl>
To: kfm-devel at kde.org
Subject: Re: Allowing "javascript:xxx" frames
On Sat, Feb 26, 2005 at 06:23:21PM +0100, Koos Vriezen wrote:
> On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> > Hi,
> >
> > Consider this testcase, both as local file and non-local (eg. cp to
> > public_html and http://localhost/~me/testcase.html) and see the
> > differences:
> > <html>
> > <frameset cols="25%,75%" >
> > <frame src="javascript:'<HTML></HTML>'" name="toc">
> > <frame src="javascript:'<HTML></HTML>'" name="body">
> > </frameset>
> > </html>
> >
> > Most likely it's some accessing restriction. But it doesn't print a
> > warning, so maybe someone on this list can tell where this is blocked.
>
> Never mind, couldn't resist looking myself anyways :-). So it's in
> xml/dom_docimpl.cpp:2130:
> if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
> return false;
>
> I've been looking where this should be handled, javascript urls, and I
> can imagine each element has to decide for itself if it should run the
> script engine for an attribute or not. However, in case of SRC, some
> attributes may have to be evaluated always.
Err, javascript urls are already handled in KHTMLPart::requestFrame and
KHTMLPart::processObjectRequest. The outcome of the script is not a new
url, but the content of the document. So there is no need for
kapp->authorizeURLAction, as we stay in the same domain as parent
document.
So a proper fix would be:
diff -u -3 -p -r1.308 dom_docimpl.cpp
--- xml/dom_docimpl.cpp 16 Feb 2005 22:16:19 -0000 1.308
+++ xml/dom_docimpl.cpp 27 Feb 2005 14:41:46 -0000
@@ -2127,7 +2127,7 @@ bool DocumentImpl::isURLAllowed(const QS
return false;
// do we allow this suburl ?
- if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
+ if ( !kapp || (newURL.protocol() != "javascript" && !kapp->authorizeURLAction("redirect", w->part()->url(), newURL)) )
return false;
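Review bot: the new `newURL.protocol() != "javascript"` test in the changed condition skips authorizeURLAction for every javascript URL that reaches DocumentImpl::isURLAllowed, but the reasoning given for it covers only the paths handled in KHTMLPart::requestFrame and KHTMLPart::processObjectRequest. Please confirm that no other caller of isURLAllowed can pass a javascript URL whose result is treated as something other than document content in the parent's domain. The "do we allow this suburl ?" comment should also say why javascript URLs are exempt from the "redirect" check, since that is not obvious from the condition alone. The match against the literal "javascript" is exact, so it is worth stating whether protocol() is guaranteed to be lowercase here; if it is not, a mixed-case scheme would still go through the authorization call and fail the same way as before.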
Koos