From 774704221845e3e8658f5e5035e745d25b0f88d6 Mon Sep 17 00:00:00 2001
From: "ben%bengoodger.com"
Date: Tue, 30 Dec 2003 22:40:36 +0000
Subject: [PATCH] 224521 - apply security fix from seamonkey 161546 - loading javascript or data urls from history causes them to execute in the context of the current page.
---
 browser/components/history/content/history.js | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/browser/components/history/content/history.js b/browser/components/history/content/history.js
index 5a93364d438..de2216c226f 100644
--- a/browser/components/history/content/history.js
+++ b/browser/components/history/content/history.js
@@ -104,6 +104,26 @@ function onDoubleClick(event)
 OpenURL(0);
 }
+function checkURLSecurity(aURL)
+{
+ var uri = Components.classes["@mozilla.org/network/standard-url;1"].
+ createInstance(Components.interfaces.nsIURI);
+ uri.spec = aURL;
+ if (uri.schemeIs("javascript") || uri.schemeIs("data")) {
+ var strBundleService = Components.classes["@mozilla.org/intl/stringbundle;1"]
+ .getService(Components.interfaces.nsIStringBundleService);
+ var promptService = Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
+ .getService(Components.interfaces.nsIPromptService);
+ var historyBundle = strBundleService.createBundle("chrome://communicator/locale/history/history.properties");
+ var brandBundle = strBundleService.createBundle("chrome://global/locale/brand.properties");
+ var brandStr = brandBundle.GetStringFromName("brandShortName");
+ var errorStr = historyBundle.GetStringFromName("load-js-data-url-error");
+ promptService.alert(window, brandStr, errorStr);
+ return false;
+ }
+ return true;
+}
+
 function OpenURL(aWhere, event)
 {
 var count = gHistoryTree.treeBoxObject.view.selection.count;
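Review bot: `checkURLSecurity` is a denylist: only `uri.schemeIs("javascript") || uri.schemeIs("data")` is refused, so any other scheme that would run in the context of the current page still reaches the open calls, whereas an allowlist of the schemes history is expected to hold would fail closed. Two lines in the new function can also throw before the alert is shown: `uri.spec = aURL;` when the standard-URL parser rejects the string, and `GetStringFromName("load-js-data-url-error")` if that key is missing from the history bundle (this commit changes only history.js, so the key has to exist already, which should be confirmed). In both cases the load is aborted only by the uncaught exception; wrapping the body so that any failure ends in `return false;` would make the block-on-doubt behaviour deliberate. A short comment above the function stating that history entries are page-supplied strings, and why these schemes are refused when opened from the history view, would document the intent.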
@@ -116,6 +136,9 @@ function OpenURL(aWhere, event)
 var builder = gHistoryTree.builder.QueryInterface(Components.interfaces.nsIXULTreeBuilder);
 var url = builder.getResourceAtIndex(currentIndex).Value;
+
+ if (!checkURLSecurity(url))
+ return;
 if (aWhere == 0)
 openTopWin(url);
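Review bot: The guard `if (!checkURLSecurity(url)) return;` covers only loads that go through OpenURL, so any other handler that reads a history row's URL and opens it would still load the value unchecked; the hunk does not show those handlers, so this needs confirming against the rest of the file and its overlays. The placement ahead of the `aWhere` branches is right, since every branch below uses the same `url`. A one-line comment at the call, for example `// History URLs are page-supplied: refuse javascript:/data: before any open path.`, would keep a later refactor from adding a branch above the check. OpenURL's body starts and ends outside the hunk.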