mirror of https://invent.kde.org/network/falkon.git synced 2024-12-20 10:46:35 +01:00

LocationBar: Don't suggest to search for javascript: scheme

David Rosca 2018-01-29 22:18:01 +01:00
parent a89fcf9002
commit 0d71069122
No known key found for this signature in database
GPG Key ID: EBC3FC294452C6D8
2 changed files with 15 additions and 4 deletions


@ -172,6 +172,14 @@ void LocationBarTest::loadActionSpecialSchemesTest()
action = LocationBar::loadAction("about:blank"); action = LocationBar::loadAction("about:blank");
QCOMPARE(action.type, LocationBar::LoadAction::Url); QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("about:blank")); QCOMPARE(action.loadRequest.url(), QUrl("about:blank"));
action = LocationBar::loadAction("javascript:test");
QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("javascript:test"));
action = LocationBar::loadAction("javascript:alert(' test ');");
QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("javascript:alert('%20test%20');"));
} }
void LocationBarTest::loadAction_issue2578() void LocationBarTest::loadAction_issue2578()
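Review bot: Both new cases in loadActionSpecialSchemesTest use a lowercase scheme, while the changed code in LocationBar compares `guessedUrl.scheme()` with the exact string `javascript`. A mixed-case input such as `action = LocationBar::loadAction("JavaScript:test");` followed by `QCOMPARE(action.type, LocationBar::LoadAction::Url);` would pin that the comparison relies on QUrl lowercasing the scheme. The convertUrlToText change in the same commit also has no test on this page. The test function begins above the hunk.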


@ -183,7 +183,8 @@ void LocationBar::showDomainCompletion(const QString &completion)
QString LocationBar::convertUrlToText(const QUrl &url) QString LocationBar::convertUrlToText(const QUrl &url)
{ {
// It was most probably entered by user, so don't urlencode it // It was most probably entered by user, so don't urlencode it
if (url.scheme().isEmpty()) { // Also don't urlencode JavaScript code
if (url.scheme().isEmpty() || url.scheme() == QL1S("javascript")) {
return QUrl::fromPercentEncoding(url.toEncoded()); return QUrl::fromPercentEncoding(url.toEncoded());
} }
@ -267,14 +268,16 @@ LocationBar::LoadAction LocationBar::loadAction(const QString &text)
// Otherwise load as url // Otherwise load as url
const QUrl &guessedUrl = QUrl::fromUserInput(t); const QUrl &guessedUrl = QUrl::fromUserInput(t);
if (guessedUrl.isValid()) { if (guessedUrl.isValid()) {
// Always allow javascript: to be loaded
const bool forceLoad = guessedUrl.scheme() == QL1S("javascript");
// Only allow spaces in query // Only allow spaces in query
if (!QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) { if (forceLoad || !QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) {
// Only allow whitelisted schemes // Only allow whitelisted schemes
const QSet<QString> whitelistedSchemes = { static const QSet<QString> whitelistedSchemes = {
QSL("http"), QSL("https"), QSL("ftp"), QSL("file"), QSL("http"), QSL("https"), QSL("ftp"), QSL("file"),
QSL("data"), QSL("about"), QSL("falkon") QSL("data"), QSL("about"), QSL("falkon")
}; };
if (whitelistedSchemes.contains(guessedUrl.scheme())) { if (forceLoad || whitelistedSchemes.contains(guessedUrl.scheme())) {
action.type = LoadAction::Url; action.type = LoadAction::Url;
action.loadRequest = guessedUrl; action.loadRequest = guessedUrl;
return action; return action;
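Review bot: The new `forceLoad` flag lets any `javascript:` input skip both the space check and the scheme whitelist, and nothing in the hunk distinguishes text the user typed from text that was pasted or dropped into the location bar. A `javascript:` URL runs in the context of the current page, so this is the usual self-XSS path, where a user is persuaded to paste a snippet into the address bar. The comment should state that instead of only "Always allow", for example `// javascript: runs script in the current page and bypasses the checks below; paste/drop handlers must strip the scheme before calling this`. The paste and drop handlers are not visible here and are worth checking against that contract. loadAction starts and ends outside the hunk.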