'Allowing "javascript:xxx" frames' for backport?

Waldo Bastian bastian at kde.org
Wed Mar 2 20:09:06 GMT 2005 

Seems fine to me.

Cheers,
Waldo

On Wednesday 02 March 2005 20:48, Koos Vriezen wrote:
> Ooops, this is the one ...
>
> ----- Forwarded message from Koos Vriezen <koos.vriezen at xs4all.nl> -----
>
> Date: Sun, 27 Feb 2005 15:44:10 +0100
> From: Koos Vriezen <koos.vriezen at xs4all.nl>
> To: kfm-devel at kde.org
> Subject: Re: Allowing "javascript:xxx" frames
>
> On Sat, Feb 26, 2005 at 06:23:21PM +0100, Koos Vriezen wrote:
> > On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> > > Hi,
> > >
> > > Consider this testcase, both as local file and non-local (eg. cp to
> > > public_html and http://localhost/~me/testcase.html) and see the
> > > differences:
> > >  <html>
> > >   <frameset cols="25%,75%" >
> > >    <frame src="javascript:'<HTML></HTML>'" name="toc">
> > >    <frame src="javascript:'<HTML></HTML>'" name="body">
> > >   </frameset>
> > >  </html>
> > >
> > > Most likely it's some accessing restriction. But it doesn't print a
> > > warning, so maybe someone on this list can tell where this is blocked.
> >
> > Never mind, couldn't resist looking myself anyways :-). So it's in
> > xml/dom_docimpl.cpp:2130:
> >   if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(),
> > newURL) ) return false;
> >
> > I've been looking where this should be handled, javascript urls, and I
> > can imagine each element has to decide for itself if it should run the
> > script engine for an attribute or not. However, in case of SRC, some
> > attributes may have to be evaluated always.
>
> Err, javascript urls are already handled in KHTMLPart::requestFrame and
> KHTMLPart::processObjectRequest. The outcome of the script is not a new
> url, but the content of the document. So there is not need for
> kapp->authorizeURLAction, as we stay in the same domain as parent
> document.
> So a proper fix would be:
>
> diff -u -3 -p -r1.308 dom_docimpl.cpp
> --- xml/dom_docimpl.cpp 16 Feb 2005 22:16:19 -0000      1.308
> +++ xml/dom_docimpl.cpp 27 Feb 2005 14:41:46 -0000
> @@ -2127,7 +2127,7 @@ bool DocumentImpl::isURLAllowed(const QS
>          return false;
>
>      // do we allow this suburl ?
> -    if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(),
> newURL) ) +    if ( !kapp || (newURL.protocol() != "javascript" &&
> !kapp->authorizeURLAction("redirect", w->part()->url(), newURL)) ) return
> false;
>
> Koos

-- 
bastian at kde.org   |   Free Novell Linux Desktop 9 Evaluation Download
bastian at suse.com  |   http://www.novell.com/products/desktop/eval.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050302/e150c43e/attachment.sig>

More information about the kde-core-devel mailing list