224521 - apply security fix from seamonkey 161546 - loading javascript or data urls from history causes them to execute in the context of the current page.

2003-12-30 22:40:36 +00:00 · 2003-12-30 22:40:36 +00:00 · 4f22c98a39
--- a/browser/components/history/content/history.js
+++ b/browser/components/history/content/history.js
@ -104,6 +104,26 @@ function onDoubleClick(event)
    OpenURL(0);
 }

+function checkURLSecurity(aURL)
+{
+  var uri = Components.classes["@mozilla.org/network/standard-url;1"].
+              createInstance(Components.interfaces.nsIURI);
+  uri.spec = aURL;
+  if (uri.schemeIs("javascript") || uri.schemeIs("data")) {
+    var strBundleService = Components.classes["@mozilla.org/intl/stringbundle;1"]
+                                      .getService(Components.interfaces.nsIStringBundleService);
+    var promptService = Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
+                                  .getService(Components.interfaces.nsIPromptService);
+    var historyBundle = strBundleService.createBundle("chrome://communicator/locale/history/history.properties");
+    var brandBundle = strBundleService.createBundle("chrome://global/locale/brand.properties");      
+    var brandStr = brandBundle.GetStringFromName("brandShortName");
+    var errorStr = historyBundle.GetStringFromName("load-js-data-url-error");
+    promptService.alert(window, brandStr, errorStr);
+    return false;
+  }
+  return true;
+}
+
 function OpenURL(aWhere, event)
 {
  var count = gHistoryTree.treeBoxObject.view.selection.count;
@ -116,6 +136,9 @@ function OpenURL(aWhere, event)
 
  var builder = gHistoryTree.builder.QueryInterface(Components.interfaces.nsIXULTreeBuilder);
  var url = builder.getResourceAtIndex(currentIndex).Value;
+  
+  if (!checkURLSecurity(url)) 
+    return;

  if (aWhere == 0)
    openTopWin(url);