Allowing "javascript:xxx" frames

Koos Vriezen koos.vriezen at xs4all.nl
Sat Feb 26 17:23:21 GMT 2005


On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> Hi,
> 
> Consider this testcase, both as local file and non-local (eg. cp to
> public_html and http://localhost/~me/testcase.html) and see the
> differences:
>  <html>
>   <frameset cols="25%,75%" >
>    <frame src="javascript:'<HTML></HTML>'" name="toc">
>    <frame src="javascript:'<HTML></HTML>'" name="body">
>   </frameset>
>  </html>
> 
> Most likely it's some accessing restriction. But it doesn't print a
> warning, so maybe someone on this list can tell where this is blocked.

Never mind, couldn't resist looking myself anyways :-). So it's in
xml/dom_docimpl.cpp:2130:
  if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
      return false;

I've been looking where this should be handled, javascript urls, and I
can imagine each element has to decide for itself if it should run the
script engine for an attribute or not. However, in case of SRC, some
attributes may have to be evaluated always.
You khtml developers have to find the right place for it, because I can
only guess.

Anyhow, this q&d patch makes it work for me:

diff -u -3 -p -r1.203 html_baseimpl.cpp
--- html/html_baseimpl.cpp      21 Dec 2004 15:31:18 -0000      1.203
+++ html/html_baseimpl.cpp      26 Feb 2005 17:18:03 -0000
@@ -237,13 +237,20 @@ NodeImpl::Id HTMLFrameElementImpl::id()
 {
     return ID_FRAME;
 }
-
+#include <qvariant.h>
 void HTMLFrameElementImpl::parseAttribute(AttributeImpl *attr)
 {
     switch(attr->id())
     {
-    case ATTR_SRC:
-        setLocation(khtml::parseURL(attr->val()));
+    case ATTR_SRC: {
+        QString v = DOMString(attr->val()).string();
+        if (v.startsWith(QString::fromLatin1("javascript:"))) {
+            KHTMLView* w = getDocument()->view();
+            if (w)
+                v = w->part()->executeScript(this, v).toString();
+        }
+        setLocation(khtml::parseURL(v));
+                   }
         break;
     case ATTR_ID:
     case ATTR_NAME:
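Review bot: the new ATTR_SRC branch calls executeScript() on the attribute value with no authorization check in front of it, although the message identifies the authorizeURLAction("redirect", ...) test in xml/dom_docimpl.cpp as the thing that currently stops these frames. Running the script from parseAttribute() sidesteps that test rather than deciding whether a javascript: source should be allowed for this document, so the policy decision should be made explicitly here (or in the place that already makes it) before the script engine is invoked. Two smaller points in the same branch: the startsWith() comparison is done on the raw attribute string before khtml::parseURL() sees it, so as written it matches only the exact lowercase prefix with no leading whitespace; and the script result is passed on to setLocation(khtml::parseURL(v)) as if it were a URL, which needs a comment or a different code path if the result is meant to be the frame's content. The #include <qvariant.h> belongs with the other includes at the top of the file, not between two function definitions.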

Pages I found that work w/ this patch, and just a white screen w/o, are
http://www.myelectronics.nl/
http://service.real.com/help/library/guides/realone/ProductionGuide/HTML/realpgd.htm?page=htmfiles/smilintr.htm%23overview

This is a regression against kde-3.3 btw.


> I don't think it should, no?
> 
> Koos



