[PATCH] Support for bookmarklets

David Faure faure at kde.org
Fri Feb 6 18:52:45 GMT 2009


On Thursday 05 February 2009, Aurélien Gâteau wrote:
> David Faure wrote:
> > On Wednesday 04 February 2009, Maksim Orlovich wrote:
> >>> Here is an improved version of the khtml patch, which keeps the current
> >>> url instead of replacing it with the bookmarklet.
> >> I cannot be confident that this patch does not introduce XSS vulnerabilities,
> >> so I'll want to re-read it a few times. 
> > 
> > Hmm indeed... strange, I thought openUrl already handled javascript urls...
> > I guess it was only in the link handler up to now.
> > 
> > Then yes I guess this change might make it possible to do things like
> > redirect to javascript urls, unless we catch that earlier on...
> 
> Do you mean javascript urls should not work from web page links?

No, that works (and is done in urlSelected internally, not in openURL called by konq).
But I'm wondering about redirections (HTTP redirections, http-equiv redirections
and location.href = url redirections in Javascript).

-- 
David Faure, faure at kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).



