Bug 1229426 - avoid dnd of js URIs, r=mak draft
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Wed, 16 Nov 2016 18:25:50 +0000
changeset 443450 d1568a3c7c35dd11b191a04c1f9cac7b14ce5298
parent 443220 34fce7c12173bdd6dda54c2ebf6d344252f1ac48
child 538056 2b0fd63e59d6c251ada943d9f962152c7d0dc665
push id36998
push usergijskruitbosch@gmail.com
push dateThu, 24 Nov 2016 14:13:55 +0000
reviewersmak
bugs1229426
milestone53.0a1
Bug 1229426 - avoid dnd of js URIs, r=mak MozReview-Commit-ID: 70ApmoEYn5Z
browser/base/content/browser.js
browser/base/content/urlbarBindings.xml
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -5639,17 +5639,17 @@ function middleMousePaste(event) {
   });
 
   event.stopPropagation();
 }
 
 function stripUnsafeProtocolOnPaste(pasteData) {
   // Don't allow pasting javascript URIs since we don't support
   // LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL for those.
-  return pasteData.replace(/^(?:\s*javascript:)+/i, "");
+  return pasteData.replace(/\r?\n/g, "").replace(/^(?:\s*javascript:)+/i, "");
 }
 
 // handleDroppedLink has the following 2 overloads:
 //   handleDroppedLink(event, url, name)
 //   handleDroppedLink(event, links)
 function handleDroppedLink(event, urlOrLinks, name)
 {
   let links;
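Review bot: The new return line in stripUnsafeProtocolOnPaste only removes `\r?\n`, so a bare `\r` or a `\t` embedded in the scheme (`java\tscript:`) still passes the `javascript:` check; if the URL parser that later loads the value drops tabs and bare CRs the way the URL standard's "ASCII tab or newline" rule does, those inputs would still reach it as runnable javascript: URIs. Suggest stripping that whole set, `return pasteData.replace(/[\r\n\t]/g, "").replace(/^(?:\s*javascript:)+/i, "");`, and saying why in the comment, e.g. `// Strip characters the URL parser ignores first, so a scheme split across them can't slip past the check.` Since the urlbarBindings.xml hunk now calls this helper for drops as well, the "pasting" wording in the existing comment could mention drops too.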
--- a/browser/base/content/urlbarBindings.xml
+++ b/browser/base/content/urlbarBindings.xml
@@ -696,48 +696,61 @@ file, You can obtain one at http://mozil
       </method>
 
       <method name="_hideURLTooltip">
         <body><![CDATA[
           this.inputField.removeAttribute("tooltiptext");
         ]]></body>
       </method>
 
+      <method name="_getDroppableLink">
+        <parameter name="aEvent"/>
+        <body><![CDATA[
+          let links = browserDragAndDrop.dropLinks(aEvent);
+          // The URL bar automatically handles inputs with newline characters,
+          // so we can get away with treating text/x-moz-url flavours as text/plain.
+          if (links.length > 0 && links[0].url) {
+            aEvent.preventDefault();
+            let url = links[0].url;
+            let strippedURL = stripUnsafeProtocolOnPaste(url);
+            if (strippedURL != url) {
+              aEvent.stopImmediatePropagation();
+              return null;
+            }
+            try {
+              urlSecurityCheck(url,
+                               gBrowser.contentPrincipal,
+                               Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
+            } catch (ex) {
+              return null;
+            }
+            return url;
+          }
+          return null;
+        ]]></body>
+      </method>
+
       <method name="onDragOver">
         <parameter name="aEvent"/>
-        <body>
-          var types = aEvent.dataTransfer.types;
-          if (types.includes("application/x-moz-file") ||
-              types.includes("text/x-moz-url") ||
-              types.includes("text/uri-list") ||
-              types.includes("text/unicode"))
-            aEvent.preventDefault();
-        </body>
+        <body><![CDATA[
+          // We don't need the link here, so we ignore the return value.
+          if (!this._getDroppableLink(aEvent)) {
+            aEvent.dataTransfer.dropEffect = "none";
+          }
+        ]]></body>
       </method>
 
       <method name="onDrop">
         <parameter name="aEvent"/>
         <body><![CDATA[
-          let links = browserDragAndDrop.dropLinks(aEvent);
-
-          // The URL bar automatically handles inputs with newline characters,
-          // so we can get away with treating text/x-moz-url flavours as text/plain.
-          if (links.length > 0 && links[0].url) {
-            let url = links[0].url;
-            aEvent.preventDefault();
+          let url = this._getDroppableLink(aEvent);
+          if (url) {
             this.value = url;
             SetPageProxyState("invalid");
             this.focus();
-            try {
-              urlSecurityCheck(url,
-                               gBrowser.contentPrincipal,
-                               Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
-            } catch (ex) {
-              return;
-            }
             this.handleCommand();
           }
         ]]></body>
       </method>
 
       <method name="_getSelectedValueForClipboard">
         <body><![CDATA[
           // Grab the actual input field's value, not our value, which could include moz-action:
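Review bot: The `strippedURL != url` comparison in `_getDroppableLink` now rejects any dropped URL containing a newline, not only javascript: ones, because stripUnsafeProtocolOnPaste (per the browser.js hunk) removes `\r?\n` before the scheme check; the comment right above says dropped text may carry newlines, so a legitimate `http://…\n<title>` drop would be silently swallowed with stopImmediatePropagation. Compare against the newline-normalized input instead, e.g. `let normalizedURL = url.replace(/\r?\n/g, "");` followed by `if (strippedURL != normalizedURL) {`, so only a stripped scheme triggers the rejection. A smaller point: onDragOver now runs `browserDragAndDrop.dropLinks` on every dragover event where the old code only inspected `dataTransfer.types`; if that helper does real flavour parsing this is noticeably more work per event, and a short comment noting it is deliberate (to get the same answer as onDrop) would help.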
@@ -919,17 +932,17 @@ file, You can obtain one at http://mozil
               }
               let oldEnd = oldValue.substring(this.inputField.selectionEnd);
 
               let pasteData = stripUnsafeProtocolOnPaste(originalPasteData);
               if (originalPasteData != pasteData) {
                 // Unfortunately we're not allowed to set the bits being pasted
                 // so cancel this event:
                 aEvent.preventDefault();
-                aEvent.stopPropagation();
+                aEvent.stopImmediatePropagation();
 
                 this.inputField.value = oldStart + pasteData + oldEnd;
                 // Fix up cursor/selection:
                 let newCursorPos = oldStart.length + pasteData.length;
                 this.inputField.selectionStart = newCursorPos;
                 this.inputField.selectionEnd = newCursorPos;
               }
               break;
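Review bot: The `originalPasteData != pasteData` condition is now also true for any paste containing a newline, not just javascript: pastes, since stripUnsafeProtocolOnPaste strips `\r?\n` in the browser.js hunk; the branch comment only talks about cancelling the event, so a reader could take the cursor fix-up as javascript:-specific. Suggest adding `// Also taken for pastes containing newlines, which stripUnsafeProtocolOnPaste removes.` above the preventDefault call. The enclosing paste handler starts before this hunk, so the origin of originalPasteData is not visible here.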