Bug 396263 - Don't allow javascript: or data: with 'set url'. Patch by Peter Jaros <peter.a.jaros@gmail.com>, r=smorgan, sr=mento

camino/src/appleevents/ScriptingSupport.mm

@@ -304,6 +304,15 @@
 // This method lets "tab's URL" be a read/write property.
 - (void)setCurrentURI:(NSString *)newURI
 {
+  // Don't allow javascript: or data: URLs for security reasons.
+  NSString *scheme = [[[NSURL URLWithString:newURI] scheme] lowercaseString];
+  if ([scheme isEqualToString:@"javascript"] ||
+      [scheme isEqualToString:@"data"]) {
+    [[NSScriptCommand currentCommand] setScriptErrorNumber:NSArgumentsWrongScriptError];
+    [[NSScriptCommand currentCommand] setScriptErrorString:[NSString stringWithFormat:@"Can't set URL of tab to a '%@:' URL.", scheme]];
+    return;
+  }
+
   [self loadURI:newURI referrer:nil flags:NSLoadFlagsNone focusContent:YES allowPopups:NO];
 }