[PATCH] Support for bookmarklets

Aurélien Gâteau aurelien.gateau at free.fr
Wed Feb 11 10:07:37 GMT 2009


Maksim Orlovich wrote:
>> David Faure wrote:
>>> On Thursday 05 February 2009, Aurélien Gâteau wrote:
>>>> David Faure wrote:
>>>>> On Wednesday 04 February 2009, Maksim Orlovich wrote:
>>>>>>> Here is an improved version of the khtml patch, which keeps the
>>>>>>> current url instead of replacing it with the bookmarklet.
>>>>>> I cannot be confident that this patch does not introduce XSS
>>>>>> vulnerabilities, so I'll want to re-read it a few times.
>>>>> Hmm indeed... strange, I thought openUrl already handled javascript
>>>>> urls...
>>>>> I guess it was only in the link handler up to now.
>>>>>
>>>>> Then yes I guess this change might make it possible to do things like
>>>>> redirect to javascript urls, unless we catch that earlier on...
>>>> Do you mean javascript urls should not work from web page links?
>>> No, that works (and is done in urlSelected internally, not in openURL
>>> called by konq).
>>> But I'm wondering about redirections (HTTP redirections, http-equiv
>>> redirections and location.href = url redirections in Javascript).
>>>
>> True, but it's not very different than a link to a URI using the "data"
>> scheme.
>>
>> In current Konqueror, these two URIs run Javascript:
>>
>> data:text/html,<html><body onload="alert('Boom');">Hello</body></html>
>>
>> data:text/html;base64,PGh0bWw+PGJvZHkgb25sb2FkPSJhbGVydCgnQm9vbScpOyI+SGVsbG88L2JvZHk+PC9odG1sPgo=
>>
>> It works in Firefox too. One can find more about this on Wikipedia (but
>> I guess you already know about the "data" scheme :) )
>> http://en.wikipedia.org/wiki/Data_URI_scheme
> 
> The redirects are fine, and javascript: URLs in them are handled properly
> -- basically, the concern is if there is a way of passing one to openUrl
> in a different frame; the paths within KHTML that handle them do domain
> checks.

OK. Can you notify me about the final decision? I am pretty sure I will
forget to check this thread again :)

Aurélien
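Added example, not KHTML's code and not part of the patch under discussion: a same-origin gate of the kind the thread describes, deciding whether a javascript: or data: URL that one document hands to a frame (directly or as a redirect target) may run there. The origin tuple, the function names and the policy that a redirect target may never be a javascript: URL are assumptions made for this illustration.

```python
"""Same-origin gate for script-bearing navigation targets.

Assumed policy (constructed for illustration, not KHTML's own checks):
 - a javascript: URL only runs in a frame whose origin matches the origin
   of the document that requested the navigation;
 - a javascript: URL arriving as a redirect target is refused, since no
   document origin can vouch for it;
 - a data: URL executes with an opaque origin, so it cannot read the
   frame's previous document and is not an XSS into that page.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None for schemes
    such as data: and javascript: that carry no origin of their own."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def navigation_decision(requester_url, target_frame_url, new_url,
                        via_redirect=False):
    """Decide whether new_url, requested by the document at requester_url
    and aimed at the frame currently showing target_frame_url, may load.
    Returns 'allow', 'allow-opaque-origin' or 'deny'."""
    scheme = urlsplit(new_url).scheme.lower()
    if scheme == "javascript":
        if via_redirect:
            return "deny"          # a server cannot inject script by redirect
        req = origin_of(requester_url)
        tgt = origin_of(target_frame_url)
        # Only a same-origin document may run script inside the target frame.
        if req is None or tgt is None or req != tgt:
            return "deny"
        return "allow"
    if scheme == "data":
        return "allow-opaque-origin"
    return "allow"
```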