[PATCH] Support for bookmarklets

Aurélien Gâteau aurelien.gateau at free.fr
Mon Feb 9 22:57:40 GMT 2009


David Faure wrote:
> On Thursday 05 February 2009, Aurélien Gâteau wrote:
>> David Faure wrote:
>>> On Wednesday 04 February 2009, Maksim Orlovich wrote:
>>>>> Here is an improved version of the khtml patch, which keeps the current
>>>>> url instead of replacing it with the bookmarklet.
>>>> I cannot be confident that this patch does not introduce XSS vulnerabilities,
>>>> so I'll want to re-read it a few times.
>>> Hmm indeed... strange, I thought openUrl already handled javascript urls...
>>> I guess it was only in the link handler up to now.
>>>
>>> Then yes I guess this change might make it possible to do things like
>>> redirect to javascript urls, unless we catch that earlier on...
>> Do you mean javascript urls should not work from web page links?
> 
> No, that works (and is done in urlSelected internally, not in openURL called by konq).
> But I'm wondering about redirections (HTTP redirections, http-equiv redirections
> and location.href = url redirections in Javascript).
> 
True, but it's not very different than a link to a URI using the "data" scheme.

In current Konqueror, these two URIs run Javascript:

data:text/html,<html><body onload="alert('Boom');">Hello</body></html>

data:text/html;base64,PGh0bWw+PGJvZHkgb25sb2FkPSJhbGVydCgnQm9vbScpOyI+SGVsbG88L2JvZHk+PC9odG1sPgo=

It works in Firefox too. One can find more about this on Wikipedia (but 
I guess you already know about the "data" scheme :) )
http://en.wikipedia.org/wiki/Data_URI_scheme

Aurélien
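
The thread's distinction between user-initiated loads (bookmarklets) and page-driven redirections, sketched as an added example that is not part of the original message and is not KHTML code. The function names, the source labels and the policy itself are assumptions made for illustration; the two data URIs are the ones quoted above.

```javascript
// Added example, not KHTML/Konqueror code. Function names and the
// navigation-source labels are hypothetical.
const SCRIPT_CAPABLE = new Set(['javascript', 'data']);

// Scheme of a URL the way a browser sees it: tabs/newlines removed,
// leading control characters and spaces dropped, case-insensitive.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative reference
}

// Decode a data: URI (RFC 2397) into its media type and body.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim().toLowerCase());
  const isBase64 = params[params.length - 1] === 'base64';
  if (isBase64) params.pop();
  let body;
  if (isBase64) {
    body = Buffer.from(m[2], 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(m[2]); } catch (e) { body = m[2]; }
  }
  return { mediaType: params[0] || 'text/plain', body };
}

// Assumed policy: script-capable schemes are honoured only for loads the
// user started ('user': typed URL, bookmark, bookmarklet), not for
// 'http-redirect', 'meta-refresh' or 'script-location' navigations.
function allowNavigation(url, source) {
  const scheme = schemeOf(url);
  if (scheme === null || !SCRIPT_CAPABLE.has(scheme)) return true;
  return source === 'user';
}

// The two URIs quoted in the message above.
const PLAIN = `data:text/html,<html><body onload="alert('Boom');">Hello</body></html>`;
const B64 = 'data:text/html;base64,PGh0bWw+PGJvZHkgb25sb2FkPSJhbGVydCgnQm9vbScpOyI+SGVsbG88L2JvZHk+PC9odG1sPgo=';

// Both forms decode to the same HTML document with an onload handler.
function sameDocument() {
  return parseDataUri(PLAIN).body === parseDataUri(B64).body.trim();
}
```

The base64 form hides the markup from any filter that only looks for `<` or `onload` in the URL text, which is why the check keys on the scheme and the navigation source rather than on the payload.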



