diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-05 13:07:58 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-05 13:07:58 +0100 |
| commit | e021cb5c71464de14aa332ec013501e9a37038f7 (patch) | |
| tree | af8f63ea32effe141297a835af67435b989c671c /browser/base/content | |
| parent | 2d652d1c355c8bdde03a6c278b5b7b444424e394 (diff) | |
| download | UXP-e021cb5c71464de14aa332ec013501e9a37038f7.tar UXP-e021cb5c71464de14aa332ec013501e9a37038f7.tar.gz UXP-e021cb5c71464de14aa332ec013501e9a37038f7.tar.lz UXP-e021cb5c71464de14aa332ec013501e9a37038f7.tar.xz UXP-e021cb5c71464de14aa332ec013501e9a37038f7.zip | |
Avoid drag-and-drop of javascript: URIs
Diffstat (limited to 'browser/base/content')
| -rwxr-xr-x | browser/base/content/browser.js | 2 | ||||
| -rw-r--r-- | browser/base/content/urlbarBindings.xml | 53 |
2 files changed, 34 insertions, 21 deletions
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index 7aaaa09aa..5a54dcc58 100755 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -5688,7 +5688,7 @@ function middleMousePaste(event) { function stripUnsafeProtocolOnPaste(pasteData) { // Don't allow pasting javascript URIs since we don't support // LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL for those. - return pasteData.replace(/^(?:\s*javascript:)+/i, ""); + return pasteData.replace(/\r?\n/g, "").replace(/^(?:\s*javascript:)+/i, ""); } // handleDroppedLink has the following 2 overloads: diff --git a/browser/base/content/urlbarBindings.xml b/browser/base/content/urlbarBindings.xml index 84ed693ff..689c7c5a7 100644 --- a/browser/base/content/urlbarBindings.xml +++ b/browser/base/content/urlbarBindings.xml @@ -701,38 +701,51 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. ]]></body> </method> - <method name="onDragOver"> - <parameter name="aEvent"/> - <body> - var types = aEvent.dataTransfer.types; - if (types.includes("application/x-moz-file") || - types.includes("text/x-moz-url") || - types.includes("text/uri-list") || - types.includes("text/unicode")) - aEvent.preventDefault(); - </body> - </method> - - <method name="onDrop"> + <method name="_getDroppableLink"> <parameter name="aEvent"/> <body><![CDATA[ let links = browserDragAndDrop.dropLinks(aEvent); - // The URL bar automatically handles inputs with newline characters, // so we can get away with treating text/x-moz-url flavours as text/plain. if (links.length > 0 && links[0].url) { - let url = links[0].url; aEvent.preventDefault(); - this.value = url; - SetPageProxyState("invalid"); - this.focus(); + let url = links[0].url; + let strippedURL = stripUnsafeProtocolOnPaste(url); + if (strippedURL != url) { + aEvent.stopImmediatePropagation(); + return null; + } try { urlSecurityCheck(url, gBrowser.contentPrincipal, Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL); } catch (ex) { - return; + return null; } + return url; + } + return null; + ]]></body> + </method> + + <method name="onDragOver"> + <parameter name="aEvent"/> + <body><![CDATA[ + // We don't need the link here, so we ignore the return value. + if (!this._getDroppableLink(aEvent)) { + aEvent.dataTransfer.dropEffect = "none"; + } + ]]></body> + </method> + + <method name="onDrop"> + <parameter name="aEvent"/> + <body><![CDATA[ + let url = this._getDroppableLink(aEvent); + if (url) { + this.value = url; + SetPageProxyState("invalid"); + this.focus(); this.handleCommand(); // Force not showing the dropped URI immediately. gBrowser.userTypedValue = null; @@ -932,7 +945,7 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. // Unfortunately we're not allowed to set the bits being pasted // so cancel this event: aEvent.preventDefault(); - aEvent.stopPropagation(); + aEvent.stopImmediatePropagation(); this.inputField.value = oldStart + pasteData + oldEnd; // Fix up cursor/selection: |