From e021cb5c71464de14aa332ec013501e9a37038f7 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 5 Feb 2018 13:07:58 +0100 Subject: Avoid drag-and-drop of javascript: URIs --- browser/base/content/browser.js | 2 +- browser/base/content/urlbarBindings.xml | 53 ++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 21 deletions(-) (limited to 'browser/base/content') diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index 7aaaa09aa..5a54dcc58 100755 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -5688,7 +5688,7 @@ function middleMousePaste(event) { function stripUnsafeProtocolOnPaste(pasteData) { // Don't allow pasting javascript URIs since we don't support // LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL for those. - return pasteData.replace(/^(?:\s*javascript:)+/i, ""); + return pasteData.replace(/\r?\n/g, "").replace(/^(?:\s*javascript:)+/i, ""); } // handleDroppedLink has the following 2 overloads: diff --git a/browser/base/content/urlbarBindings.xml b/browser/base/content/urlbarBindings.xml index 84ed693ff..689c7c5a7 100644 --- a/browser/base/content/urlbarBindings.xml +++ b/browser/base/content/urlbarBindings.xml @@ -701,38 +701,51 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. ]]> - - - - var types = aEvent.dataTransfer.types; - if (types.includes("application/x-moz-file") || - types.includes("text/x-moz-url") || - types.includes("text/uri-list") || - types.includes("text/unicode")) - aEvent.preventDefault(); - - - - + 0 && links[0].url) { - let url = links[0].url; aEvent.preventDefault(); - this.value = url; - SetPageProxyState("invalid"); - this.focus(); + let url = links[0].url; + let strippedURL = stripUnsafeProtocolOnPaste(url); + if (strippedURL != url) { + aEvent.stopImmediatePropagation(); + return null; + } try { urlSecurityCheck(url, gBrowser.contentPrincipal, Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL); } catch (ex) { - return; + return null; } + return url; + } + return null; + ]]> + + + + + + + + + +