224521 - apply security fix from seamonkey 161546 - loading javascript or data urls from history causes them to execute in the context of the current page.

browser/components/history/content/history.js

@@ -104,6 +104,26 @@ function onDoubleClick(event)
     OpenURL(0);
 }
 
+function checkURLSecurity(aURL)
+{
+  var uri = Components.classes["@mozilla.org/network/standard-url;1"].
+              createInstance(Components.interfaces.nsIURI);
+  uri.spec = aURL;
+  if (uri.schemeIs("javascript") || uri.schemeIs("data")) {
+    var strBundleService = Components.classes["@mozilla.org/intl/stringbundle;1"]
+                                      .getService(Components.interfaces.nsIStringBundleService);
+    var promptService = Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
+                                  .getService(Components.interfaces.nsIPromptService);
+    var historyBundle = strBundleService.createBundle("chrome://communicator/locale/history/history.properties");
+    var brandBundle = strBundleService.createBundle("chrome://global/locale/brand.properties");      
+    var brandStr = brandBundle.GetStringFromName("brandShortName");
+    var errorStr = historyBundle.GetStringFromName("load-js-data-url-error");
+    promptService.alert(window, brandStr, errorStr);
+    return false;
+  }
+  return true;
+}
+
 function OpenURL(aWhere, event)
 {
   var count = gHistoryTree.treeBoxObject.view.selection.count;
@@ -116,6 +136,9 @@ function OpenURL(aWhere, event)
  
   var builder = gHistoryTree.builder.QueryInterface(Components.interfaces.nsIXULTreeBuilder);
   var url = builder.getResourceAtIndex(currentIndex).Value;
+  
+  if (!checkURLSecurity(url)) 
+    return;
 
   if (aWhere == 0)
     openTopWin(url);