[PATCH] Support for bookmarklets

Maksim Orlovich mo85 at cornell.edu
Tue Feb 10 02:13:55 GMT 2009


> David Faure wrote:
>> On Thursday 05 February 2009, Aurélien Gâteau wrote:
>>> David Faure wrote:
>>>> On Wednesday 04 February 2009, Maksim Orlovich wrote:
>>>>>> Here is a improved version of the khtml patch, which keeps the
>>>>>> current
>>>>>> url instead of replacing it with the bookmarklet.
>>>>> I cannot be confident that this patch does not introduce XSS
>>>>> vurnerabilities,
>>>>> so I'll want to re-read it a few times.
>>>> Hmm indeed... strange, I thought openUrl already handled javascript
>>>> urls...
>>>> I guess it was only in the link handler up to now.
>>>>
>>>> Then yes I guess this change might make it possible to do things like
>>>> redirect to javascript urls, unless we catch that earlier on...
>>> Do you mean javascript urls should not work from web page links?
>>
>> No, that works (and is done in urlSelected internally, not in openURL
>> called by konq).
>> But I'm wondering about redirections (HTTP redirections, http-equiv
>> redirections
>> and location.href = url redirections in Javascript).
>>
> True, but it's not very different than a link to an uri using the "data"
>   scheme.
>
> In current Konqueror, these two uris run Javascript:
>
> data:text/html,<html><body onload="alert('Boom');">Hello</body></html>
>
> data:text/html;base64,PGh0bWw+PGJvZHkgb25sb2FkPSJhbGVydCgnQm9vbScpOyI+SGVsbG88L2JvZHk+PC9odG1sPgo=
>
> It works in Firefox too. One can find more about this on Wikipedia (but
> I guess you already know about the "data" scheme :) )
> http://en.wikipedia.org/wiki/Data_URI_scheme

The redirects are fine, and javascript: URLs in them are handled properly
-- basically, the concern is if there is a way of passing one to openUrl
in a different frame; the paths within KHTML that handle them do domain
checks..







More information about the kde-core-devel mailing list