Falkon/falkonOfficial
Falkon/falkonOfficial
1
Fork 0
mirror of https://invent.kde.org/network/falkon.git synced 2024-12-20 10:46:35 +01:00
Code Releases Activity

LocationBar: Don't suggest to search for javascript: scheme

Browse Source
This commit is contained in:
David Rosca 2018-01-29 22:18:01 +01:00
parent a89fcf9002
commit 0d71069122
No known key found for this signature in database
GPG Key ID: EBC3FC294452C6D8
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
autotests/locationbartest.cpp
View File

@ -172,6 +172,14 @@ void LocationBarTest::loadActionSpecialSchemesTest()
action = LocationBar::loadAction("about:blank");
QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("about:blank"));
action = LocationBar::loadAction("javascript:test");
QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("javascript:test"));
action = LocationBar::loadAction("javascript:alert(' test ');");
QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("javascript:alert('%20test%20');"));
}
void LocationBarTest::loadAction_issue2578()

11
src/lib/navigation/locationbar.cpp
View File

@ -183,7 +183,8 @@ void LocationBar::showDomainCompletion(const QString &completion)
QString LocationBar::convertUrlToText(const QUrl &url)
{
// It was most probably entered by user, so don't urlencode it
if (url.scheme().isEmpty()) {
// Also don't urlencode JavaScript code
if (url.scheme().isEmpty() || url.scheme() == QL1S("javascript")) {
return QUrl::fromPercentEncoding(url.toEncoded());
}
@ -267,14 +268,16 @@ LocationBar::LoadAction LocationBar::loadAction(const QString &text)
// Otherwise load as url
const QUrl &guessedUrl = QUrl::fromUserInput(t);
if (guessedUrl.isValid()) {
// Always allow javascript: to be loaded
const bool forceLoad = guessedUrl.scheme() == QL1S("javascript");
// Only allow spaces in query
if (!QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) {
if (forceLoad || !QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) {
// Only allow whitelisted schemes
const QSet<QString> whitelistedSchemes = {
static const QSet<QString> whitelistedSchemes = {
QSL("http"), QSL("https"), QSL("ftp"), QSL("file"),
QSL("data"), QSL("about"), QSL("falkon")
};
if (whitelistedSchemes.contains(guessedUrl.scheme())) {
if (forceLoad || whitelistedSchemes.contains(guessedUrl.scheme())) {
action.type = LoadAction::Url;
action.loadRequest = guessedUrl;
return action;