author | Andrea Diamantini <adjam7@gmail.com> | 2009-12-08 12:25:54 +0100 |
---|---|---|
committer | Andrea Diamantini <adjam7@gmail.com> | 2009-12-08 12:25:54 +0100 |
commit | ecbe1d942e41a29a8d0bffdb328643e4c2a278b1 (patch) | |
tree | 4763b4e632dc81081fb1066f4f3bd66818101187 /src/application.cpp | |
parent | rekonq 0.3.19 (diff) | |
download | rekonq-ecbe1d942e41a29a8d0bffdb328643e4c2a278b1.tar.xz |
xss attach prevention.
I have to say, BRUTE prevention :)
Hope this works.
Also some fixes in Urlbar class to ensure that a KUrl is a KUrl
and a QString is a QString.
Removed the annoying "restore url on focus out" feature. No other browsers
have it and I really cannot understand its gain.
Diffstat (limited to 'src/application.cpp')
-rw-r--r-- | src/application.cpp | 80 |
1 files changed, 25 insertions, 55 deletions
diff --git a/src/application.cpp b/src/application.cpp
index 3a0ce638..246d6aa5 100644
--- a/src/application.cpp
+++ b/src/application.cpp
@@ -52,6 +52,7 @@
 #include <KUriFilter>
 #include <KMessageBox>
 #include <KWindowInfo>
+#include <KUrl>
 
 // Qt Includes
 #include <QRegExp>
@@ -265,71 +266,26 @@ KIcon Application::icon(const KUrl &url)
 }
 
 
-KUrl Application::guessUrlFromString(const QString &string)
-{
- QString urlStr = string.trimmed();
- QRegExp test(QLatin1String("^[a-zA-Z]+\\:.*"));
-
- // Might be a file.
- if (QFile::exists(urlStr))
- {
- QFileInfo info(urlStr);
- return KUrl::fromPath(info.absoluteFilePath());
- }
-
- // Check if it looks like a qualified URL. Try parsing it and see.
- if (test.exactMatch(urlStr))
- {
- KUrl url(urlStr);
-
- if (url.isValid())
- {
- return url;
- }
- }
- else // Might be a shorturl - try to detect the schema.
- {
- int dotIndex = urlStr.indexOf(QLatin1Char(':'));
-
- if (dotIndex != -1)
- {
- QString prefix = urlStr.left(dotIndex).toLower();
- QString schema = (prefix == QLatin1String("ftp")) ? prefix : QLatin1String("http");
- QUrl qurl(schema + QLatin1String("://") + urlStr, QUrl::TolerantMode);
- KUrl url(qurl);
-
- if (url.isValid())
- {
- return url;
- }
- }
- }
-
- // Fall back to QUrl's own tolerant parser.
- KUrl url = KUrl(urlStr);
-
- return url;
-}
-
-
 void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
 {
 if (url.isEmpty())
 return;
 
- if ( !url.isValid() )
+ KUrl loadingUrl = xssSanitization(url);
+
+ if ( !loadingUrl.isValid() )
 {
- KMessageBox::error(0, i18n("Malformed URL:\n%1", url.url()));
+ KMessageBox::error(0, i18n("Malformed URL:\n%1", loadingUrl.url(KUrl::RemoveTrailingSlash)));
 return;
 }
 
 // loading home pages
- if (mainWindow()->newTabPage(url))
+ if (mainWindow()->newTabPage(loadingUrl))
 return;
 
- if (url.scheme() == QLatin1String("mailto"))
+ if (loadingUrl.scheme() == QLatin1String("mailto"))
 {
- KToolInvocation::invokeMailer(url);
+ KToolInvocation::invokeMailer(loadingUrl);
 return;
 }
 
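Review bot: The `isEmpty()` early return above the new line tests the caller's `url`, but everything from here on uses `loadingUrl`, and `xssSanitization` yields an empty `KUrl` whenever its input begins with one of the stripped characters; that empty value then reaches the validity check and, depending on how `KUrl::isValid()` treats an empty URL, may pop a "Malformed URL" dialog for an empty string. Add `if (loadingUrl.isEmpty()) return;` directly after `KUrl loadingUrl = xssSanitization(url);`. The error dialog now also shows the sanitized, possibly truncated string rather than what the user entered, which makes the message harder to act on; `url.url(KUrl::RemoveTrailingSlash)` would be the more useful text there. loadUrl's body continues past the end of this hunk.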
@@ -365,8 +321,6 @@ void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
 // - web shortcuts with space separator
 // - relative urls
 // - ...
- KUrl loadingUrl(url);
-
 if (loadingUrl.isRelative())
 {
 QString fn = loadingUrl.url(KUrl::RemoveTrailingSlash);
@@ -408,7 +362,7 @@ void Application::loadUrl(const KUrl& url, const Rekonq::OpenType& type)
 
 void Application::loadUrl(const QString& urlString, const Rekonq::OpenType& type)
 {
- return loadUrl( guessUrlFromString(urlString), type );
+ return loadUrl( QUrl::fromUserInput(urlString), type );
 }
 
 
@@ -445,3 +399,19 @@ AdBlockManager *Application::adblockManager()
 }
 return s_adblockManager;
 }
+
+
+KUrl Application::xssSanitization(const KUrl &url)
+{
+ QString urlString = url.url();
+
+ QList<QChar> l; // TODO: learn regular expression
+ l << '\'' << '\"' << '<' << '>';
+ foreach(const QChar &c, l)
+ {
+ QStringList list = urlString.split(c);
+ urlString = list.at(0);
+ }
+ return KUrl(urlString);
+}
+
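Review bot: `QUrl::fromUserInput` is a Qt 4.6 addition, so the new `return loadUrl( QUrl::fromUserInput(urlString), type );` raises the minimum Qt version; if the build configuration outside this diff still accepts an older Qt, the requirement should be bumped in the same change. The call also reaches the `KUrl` overload only through the implicit `KUrl(const QUrl&)` conversion, which works but is easy to miss when reading; a one-line comment such as `// Qt 4.6+: fromUserInput replaces the removed guessUrlFromString() heuristic` would document why the hand-written parser could go.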
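Review bot: `xssSanitization` cuts `url.url()` at the first `'`, `"`, `<` or `>`, which is a character blacklist rather than a URL-level check: it says nothing about the scheme, so a `javascript:`-style URL that contains none of those characters passes through untouched, and if `KUrl::url()` returns the percent-encoded form (as it does in KDE4, as far as I recall) then `<`, `>` and `"` arrive already encoded as `%3C`/`%3E`/`%22` and are never matched, leaving only the single quote as an effective trigger. When it does trigger it silently drops the remainder, so a legitimate URL with a quote in its query loads a different resource than the one requested, with no feedback to the user. A more targeted defence is to decide on `url.scheme()` — accept the schemes the browser actually handles (the `mailto` case is already special-cased in loadUrl) and refuse the rest — and leave individual characters to QUrl's own encoding. `list.at(0)` is safe because `split` always returns at least one element, but the `// TODO: learn regular expression` remark should become a statement of intent, e.g. `// Truncate at the first quote or angle bracket; callers must still validate the result.`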
\ No newline at end of file |