Allowing "javascript:xxx" frames
Koos Vriezen
koos.vriezen at xs4all.nl
Sun Feb 27 14:44:10 GMT 2005
On Sat, Feb 26, 2005 at 06:23:21PM +0100, Koos Vriezen wrote:
> On Sat, Feb 26, 2005 at 04:04:27PM +0100, Koos Vriezen wrote:
> > Hi,
> >
> > Consider this testcase, both as local file and non-local (eg. cp to
> > public_html and http://localhost/~me/testcase.html) and see the
> > differences:
> > <html>
> > <frameset cols="25%,75%" >
> > <frame src="javascript:'<HTML></HTML>'" name="toc">
> > <frame src="javascript:'<HTML></HTML>'" name="body">
> > </frameset>
> > </html>
> >
> > Most likely it's some accessing restriction. But it doesn't print a
> > warning, so maybe someone on this list can tell where this is blocked.
>
> Never mind, couldn't resist looking myself anyways :-). So it's in
> xml/dom_docimpl.cpp:2130:
> if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
> return false;
>
> I've been looking where this should be handled, javascript urls, and I
> can imagine each element has to decide for itself if it should run the
> script engine for an attribute or not. However, in case of SRC, some
> attributes may have to be evaluated always.
Err, javascript urls are already handled in KHTMLPart::requestFrame and
KHTMLPart::processObjectRequest. The outcome of the script is not a new
url, but the content of the document. So there is no need for
kapp->authorizeURLAction, as we stay in the same domain as the parent
document.
So a proper fix would be:
diff -u -3 -p -r1.308 dom_docimpl.cpp
--- xml/dom_docimpl.cpp 16 Feb 2005 22:16:19 -0000 1.308
+++ xml/dom_docimpl.cpp 27 Feb 2005 14:41:46 -0000
@@ -2127,7 +2127,7 @@ bool DocumentImpl::isURLAllowed(const QS
return false;
// do we allow this suburl ?
- if ( !kapp || !kapp->authorizeURLAction("redirect", w->part()->url(), newURL) )
+ if ( !kapp || (newURL.protocol() != "javascript" && !kapp->authorizeURLAction("redirect", w->part()->url(), newURL)) )
return false;
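Review bot: the comment "// do we allow this suburl ?" just above the changed condition no longer describes it, because javascript: URLs now skip authorizeURLAction entirely; the reason given in the mail (the script result becomes the frame's content and runs in the parent document's domain, so there is no redirect to authorize) should be recorded next to the exemption, otherwise a later reader sees an unexplained bypass for a scheme that executes code. Something like
    // javascript: frame sources are evaluated in the parent document's context
    // (see KHTMLPart::requestFrame), so no redirect authorization applies
would do, and the now very long condition reads better split into a separate `if ( !kapp )` test followed by the protocol/authorization test. Note that the exemption depends on requestFrame/processObjectRequest continuing to evaluate javascript: sources in the parent's context; if that ever changes, this check silently changes meaning.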
Koos
> You khtml developers have to find the right place for it, because I can
> only guess.
>
> Anyhow, this q&d patch makes it work for me:
>
> diff -u -3 -p -r1.203 html_baseimpl.cpp
> --- html/html_baseimpl.cpp 21 Dec 2004 15:31:18 -0000 1.203
> +++ html/html_baseimpl.cpp 26 Feb 2005 17:18:03 -0000
> @@ -237,13 +237,20 @@ NodeImpl::Id HTMLFrameElementImpl::id()
> {
> return ID_FRAME;
> }
> -
> +#include <qvariant.h>
> void HTMLFrameElementImpl::parseAttribute(AttributeImpl *attr)
> {
> switch(attr->id())
> {
> - case ATTR_SRC:
> - setLocation(khtml::parseURL(attr->val()));
> + case ATTR_SRC: {
> + QString v = DOMString(attr->val()).string();
> + if (v.startsWith(QString::fromLatin1("javascript:"))) {
> + KHTMLView* w = getDocument()->view();
> + if (w)
> + v = w->part()->executeScript(this, v).toString();
> + }
> + setLocation(khtml::parseURL(v));
> + }
> break;
> case ATTR_ID:
> case ATTR_NAME:
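Review bot: the value returned by executeScript() is handed straight to setLocation(khtml::parseURL(v)), so the script's result is loaded as a URL instead of being used as the frame's content; with the testcase's src="javascript:'<HTML></HTML>'" the frame would navigate to the string '<HTML></HTML>', which is not what a javascript: frame source means. Running the script from parseAttribute() also evaluates it at attribute-parse time, outside KHTMLPart::requestFrame where frame javascript: sources are otherwise handled, so whatever that path does for them is skipped here. Minor: the `#include <qvariant.h>` dropped between id() and parseAttribute() belongs with the other includes at the top of html_baseimpl.cpp.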
>
> Pages I found that work w/ this patch, and just a white screen w/o, are
> http://www.myelectronics.nl/
> http://service.real.com/help/library/guides/realone/ProductionGuide/HTML/realpgd.htm?page=htmfiles/smilintr.htm%23overview
>
> This is a regression against kde-3.3 btw.
>
>
> > I don't think it should, no?
> >
> > Koos