From 8892182449238f02dce76e41fc2457792a71707e Mon Sep 17 00:00:00 2001
From: "alqahira%ardisson.org" <alqahira%ardisson.org>
Date: Sun, 20 Jan 2008 02:55:08 +0000
Subject: [PATCH] Bug 396263 - Don't allow javascript: or data: with 'set url'.
 Patch by Peter Jaros <peter.a.jaros@gmail.com>, r=smorgan, sr=mento

---
 camino/src/appleevents/ScriptingSupport.mm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/camino/src/appleevents/ScriptingSupport.mm b/camino/src/appleevents/ScriptingSupport.mm
index aee9576c536..97588ea4bc1 100644
--- a/camino/src/appleevents/ScriptingSupport.mm
+++ b/camino/src/appleevents/ScriptingSupport.mm
@@ -304,6 +304,15 @@
 // This method lets "tab's URL" be a read/write property.
 - (void)setCurrentURI:(NSString *)newURI
 {
+  // Don't allow javascript: or data: URLs for security reasons.
+  NSString *scheme = [[[NSURL URLWithString:newURI] scheme] lowercaseString];
+  if ([scheme isEqualToString:@"javascript"] ||
+      [scheme isEqualToString:@"data"]) {
+    [[NSScriptCommand currentCommand] setScriptErrorNumber:NSArgumentsWrongScriptError];
+    [[NSScriptCommand currentCommand] setScriptErrorString:[NSString stringWithFormat:@"Can't set URL of tab to a '%@:' URL.", scheme]];
+    return;
+  }
+
   [self loadURI:newURI referrer:nil flags:NSLoadFlagsNone focusContent:YES allowPopups:NO];
 }