Allowing "javascript:xxx" frames

Koos Vriezen koos.vriezen at xs4all.nl
Sun Feb 27 14:44:10 GMT 2005


On Sat, Feb 26, 2005 at 06:23:21PM +0100, Koos Vriezen wrote:
> On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> > Hi,
> > 
> > Consider this testcase, both as local file and non-local (eg. cp to
> > public_html and http://localhost/~me/testcase.html) and see the
> > differences:
> >  <html>
> >   <frameset cols="25%,75%" >
> >    <frame src="javascript:'<HTML></HTML>'" name="toc">
> >    <frame src="javascript:'<HTML></HTML>'" name="body">
> >   </frameset>
> >  </html>
> > 
> > Most likely it's some accessing restriction. But it doesn't print a
> > warning, so maybe someone on this list can tell where this is blocked.
> 
> Never mind, couldn't resist looking myself anyways :-). So it's in
> xml/dom_docimpl.cpp:2130:
>   if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
>       return false;
> 
> I've been looking where this should be handled, javascript urls, and I
> can imagine each element has to decide for itself if it should run the
> script engine for an attribute or not. However, in case of SRC, some
> attributes may have to be evaluated always.

Err, javascript urls are already handled in KHTMLPart::requestFrame and
KHTMLPart::processObjectRequest. The outcome of the script is not a new
url, but the content of the document. So there is no need for
kapp->authorizeURLAction, as we stay in the same domain as parent
document.
So a proper fix would be:

diff -u -3 -p -r1.308 dom_docimpl.cpp
--- xml/dom_docimpl.cpp 16 Feb 2005 22:16:19 -0000      1.308
+++ xml/dom_docimpl.cpp 27 Feb 2005 14:41:46 -0000
@@ -2127,7 +2127,7 @@ bool DocumentImpl::isURLAllowed(const QS
         return false;

     // do we allow this suburl ?
-    if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
+    if ( !kapp || (newURL.protocol() != "javascript" && !kapp->authorizeURLAction("redirect", w->part()->url(), newURL)) )
         return false;
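Review bot: the new `newURL.protocol() != "javascript"` exemption applies to every caller of DocumentImpl::isURLAllowed, not only to frame requests, so any other sub-URL check routed through this function now skips authorizeURLAction for javascript: URLs as well. The message above justifies the skip by noting that a javascript: URL's result is document content evaluated in the parent document's domain (handled in KHTMLPart::requestFrame and KHTMLPart::processObjectRequest); that reasoning should be recorded next to the check, e.g. by extending the "// do we allow this suburl ?" comment with why javascript: is exempt, and the other callers of isURLAllowed should be confirmed to treat javascript: URLs the same way before the exemption is made this broad.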

Koos

> You khtml developers have to find the right place for it, because I can
> only guess.
> 
> Anyhow, this q&d patch makes it work for me:
> 
> diff -u -3 -p -r1.203 html_baseimpl.cpp
> --- html/html_baseimpl.cpp      21 Dec 2004 15:31:18 -0000      1.203
> +++ html/html_baseimpl.cpp      26 Feb 2005 17:18:03 -0000
> @@ -237,13 +237,20 @@ NodeImpl::Id HTMLFrameElementImpl::id()
>  {
>      return ID_FRAME;
>  }
> -
> +#include <qvariant.h>
>  void HTMLFrameElementImpl::parseAttribute(AttributeImpl *attr)
>  {
>      switch(attr->id())
>      {
> -    case ATTR_SRC:
> -        setLocation(khtml::parseURL(attr->val()));
> +    case ATTR_SRC: {
> +        QString v = DOMString(attr->val()).string();
> +        if (v.startsWith(QString::fromLatin1("javascript:"))) {
> +            KHTMLView* w = getDocument()->view();
> +            if (w)
> +                v = w->part()->executeScript(this, v).toString();
> +        }
> +        setLocation(khtml::parseURL(v));
> +                   }
>          break;
>      case ATTR_ID:
>      case ATTR_NAME:
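Review bot: `#include <qvariant.h>` is dropped between HTMLFrameElementImpl::id() and parseAttribute(), replacing the blank line that separated them; includes belong at the top of html_baseimpl.cpp. In the ATTR_SRC branch, the result of `w->part()->executeScript(this, v).toString()` is passed straight to `setLocation(khtml::parseURL(v))`, so whatever the script returns (the `'<HTML></HTML>'` string in the testcase) is treated as a URL to load rather than as the frame's document content, and the script now runs during attribute parsing every time SRC is set; the closing `}` of the case block is also indented to column 19 instead of aligning with `case ATTR_SRC: {`.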
> 
> Pages I found that work w/ this patch, and just a white screen w/o, are
> http://www.myelectronics.nl/
> http://service.real.com/help/library/guides/realone/ProductionGuide/HTML/realpgd.htm?page=htmfiles/smilintr.htm%23overview
> 
> This is a regression against kde-3.3 btw.
> 
> 
> > I don't think it should, no?
> > 
> > Koos
