authorAndrea Diamantini <adjam7@gmail.com>2009-12-08 12:25:54 +0100
committerAndrea Diamantini <adjam7@gmail.com>2009-12-08 12:25:54 +0100
commitecbe1d942e41a29a8d0bffdb328643e4c2a278b1 (patch)
tree4763b4e632dc81081fb1066f4f3bd66818101187 /src/application.cpp
parentrekonq 0.3.19 (diff)
downloadrekonq-ecbe1d942e41a29a8d0bffdb328643e4c2a278b1.tar.xz
xss attach prevention.
I have to say, BRUTE prevention :) Hope this works. Also some fixes in Urlbar class to ensure that a KUrl is a KUrl and a QString is a QString. Removed the annoying "restore url on focus out" feature. No other browsers have it and I really cannot understand gain
Diffstat (limited to 'src/application.cpp')
-rw-r--r--src/application.cpp80
1 files changed, 25 insertions, 55 deletions
diff --git a/src/application.cpp b/src/application.cpp
index 3a0ce638..246d6aa5 100644
--- a/src/application.cpp
+++ b/src/application.cpp
@@ -52,6 +52,7 @@
#include <KUriFilter>
#include <KMessageBox>
#include <KWindowInfo>
+#include <KUrl>
// Qt Includes
#include <QRegExp>
@@ -265,71 +266,26 @@ KIcon Application::icon(const KUrl &url)
}
-KUrl Application::guessUrlFromString(const QString &string)
-{
- QString urlStr = string.trimmed();
- QRegExp test(QLatin1String("^[a-zA-Z]+\\:.*"));
-
- // Might be a file.
- if (QFile::exists(urlStr))
- {
- QFileInfo info(urlStr);
- return KUrl::fromPath(info.absoluteFilePath());
- }
-
- // Check if it looks like a qualified URL. Try parsing it and see.
- if (test.exactMatch(urlStr))
- {
- KUrl url(urlStr);
-
- if (url.isValid())
- {
- return url;
- }
- }
- else // Might be a shorturl - try to detect the schema.
- {
- int dotIndex = urlStr.indexOf(QLatin1Char(':'));
-
- if (dotIndex != -1)
- {
- QString prefix = urlStr.left(dotIndex).toLower();
- QString schema = (prefix == QLatin1String("ftp")) ? prefix : QLatin1String("http");
- QUrl qurl(schema + QLatin1String("://") + urlStr, QUrl::TolerantMode);
- KUrl url(qurl);
-
- if (url.isValid())
- {
- return url;
- }
- }
- }
-
- // Fall back to QUrl's own tolerant parser.
- KUrl url = KUrl(urlStr);
-
- return url;
-}
-
-
void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
{
if (url.isEmpty())
return;
- if ( !url.isValid() )
+ KUrl loadingUrl = xssSanitization(url);
+
+ if ( !loadingUrl.isValid() )
{
- KMessageBox::error(0, i18n("Malformed URL:\n%1", url.url()));
+ KMessageBox::error(0, i18n("Malformed URL:\n%1", loadingUrl.url(KUrl::RemoveTrailingSlash)));
return;
}
// loading home pages
- if (mainWindow()->newTabPage(url))
+ if (mainWindow()->newTabPage(loadingUrl))
return;
- if (url.scheme() == QLatin1String("mailto"))
+ if (loadingUrl.scheme() == QLatin1String("mailto"))
{
- KToolInvocation::invokeMailer(url);
+ KToolInvocation::invokeMailer(loadingUrl);
return;
}
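Review bot: The Malformed URL dialog on the replaced line reports `loadingUrl`, which is the post-sanitization value, so when xssSanitization has cut the input at a quote or angle bracket the user sees a URL they never typed (or an empty string if nothing survives) and gets no hint that their input was altered. Report the caller's input instead, `KMessageBox::error(0, i18n("Malformed URL:\n%1", url.url(KUrl::RemoveTrailingSlash)));`, and consider a distinct message when `loadingUrl != url`, since a silently rewritten destination is exactly the case a user needs to notice. loadUrl's body continues past the end of this hunk.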
@@ -365,8 +321,6 @@ void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
// - web shortcuts with space separator
// - relative urls
// - ...
- KUrl loadingUrl(url);
-
if (loadingUrl.isRelative())
{
QString fn = loadingUrl.url(KUrl::RemoveTrailingSlash);
@@ -408,7 +362,7 @@ void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
void Application::loadUrl(const QString& urlString, const Rekonq::OpenType& type)
{
- return loadUrl( guessUrlFromString(urlString), type );
+ return loadUrl( QUrl::fromUserInput(urlString), type );
}
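Review bot: The removed guessUrlFromString accepted any path that `QFile::exists` found, including one relative to the working directory, and resolved it through `QFileInfo::absoluteFilePath`; `QUrl::fromUserInput` handles absolute local paths but, as far as I recall for the Qt 4 series, not relative ones, so such input now falls through to scheme guessing and likely ends in the Malformed URL dialog or a web lookup. If relative local paths are still meant to open, keep a `QFile::exists` check ahead of the `fromUserInput` call. A one-line comment saying why fromUserInput replaces the old heuristics would also help the next reader.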
@@ -445,3 +399,19 @@ AdBlockManager *Application::adblockManager()
}
return s_adblockManager;
}
+
+
+KUrl Application::xssSanitization(const KUrl &url)
+{
+ QString urlString = url.url();
+
+ QList<QChar> l; // TODO: learn regular expression
+ l << '\'' << '\"' << '<' << '>';
+ foreach(const QChar &c, l)
+ {
+ QStringList list = urlString.split(c);
+ urlString = list.at(0);
+ }
+ return KUrl(urlString);
+}
+ \ No newline at end of file
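Review bot: xssSanitization silently truncates at the first `'`, `"`, `<` or `>` and returns the remainder as a valid KUrl, so a legitimate URL whose query string contains a quote loads a different destination with no message, while the check itself is weak because `url.url()` yields the encoded form and these characters may arrive as `%27`/`%22`/`%3C`/`%3E` and never match (how KUrl encodes them should be confirmed). A safer shape is to treat any such character as an invalid URL so that loadUrl's existing Malformed URL branch reports it rather than loading a shortened one, checking the decoded `url.prettyUrl()` alongside `url.url()` to cover both spellings; the `// TODO: learn regular expression` comment can be resolved with the QRegExp the file already includes. The file also loses its trailing newline in this hunk.
```cpp
KUrl Application::xssSanitization(const KUrl &url)
{
    // Refuse instead of truncating: an invalid KUrl reaches loadUrl's
    // Malformed URL branch, rather than loading a silently shortened URL.
    const QRegExp forbidden(QLatin1String("['\"<>]"));
    if (url.url().contains(forbidden) || url.prettyUrl().contains(forbidden))
        return KUrl();
    return url;
}
```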