[PATCH] Support for bookmarklets
Aurélien Gâteau
aurelien.gateau at free.fr
Thu Feb 5 15:11:04 GMT 2009
David Faure wrote:
> On Wednesday 04 February 2009, Maksim Orlovich wrote:
>>> Here is an improved version of the khtml patch, which keeps the current
>>> url instead of replacing it with the bookmarklet.
>> I cannot be confident that this patch does not introduce XSS vulnerabilities,
>> so I'll want to re-read it a few times.
>
> Hmm indeed... strange, I thought openUrl already handled javascript urls...
> I guess it was only in the link handler up to now.
>
> Then yes I guess this change might make it possible to do things like
> redirect to javascript urls, unless we catch that earlier on...
Do you mean javascript urls should not work from web page links? This
works in other browsers (checked in Firefox, IE7, Arora, Chrome), so I
guess sites which do not want users to post javascript urls must already
escape them.
Aurélien