DevTools: better address console self-xss.

Source/devtools/front_end/ConsoleView.js

 /*
  * Copyright (C) 2007, 2008 Apple Inc.  All rights reserved.
  * Copyright (C) 2009 Joseph Pecoraro
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 68 matching lines @@
     this.messagesElement.id = "console-messages";
     this.messagesElement.className = "monospace";
     this.messagesElement.addEventListener("click", this._messagesClicked.bind(this), true);
     this._contentsElement.appendChild(this.messagesElement);
     this._scrolledToBottom = true;
 
     this.promptElement = document.createElement("div");
     this.promptElement.id = "console-prompt";
     this.promptElement.className = "source-code";
     this.promptElement.spellcheck = false;
+    this.promptElement.addEventListener("paste", this._onPasteIntoPrompt.bind(this), false);
+    this.promptElement.addEventListener("drop", this._onPasteIntoPrompt.bind(this), false);
     this.messagesElement.appendChild(this.promptElement);
     this.messagesElement.appendChild(document.createElement("br"));
 
     this.topGroup = new WebInspector.ConsoleGroup(null);
     this.messagesElement.insertBefore(this.topGroup.element, this.promptElement);
     this.currentGroup = this.topGroup;
 
     this._showAllMessagesCheckbox = new WebInspector.StatusBarCheckbox(WebInspector.UIString("Show all messages"));
     this._showAllMessagesCheckbox._checkbox.checked = true;
     this._showAllMessagesCheckbox._checkbox.addEventListener("change", this._updateMessageList.bind(this), false);
@@ skipping 13 matching lines @@
     /** @type {!Map.<!WebInspector.ConsoleMessage, !WebInspector.ConsoleViewMessage>} */
     this._messageToViewMessage = new Map();
     /** @type {!Array.<!WebInspector.ConsoleMessage>} */
     this._consoleMessages = [];
 
     this.prompt = new WebInspector.TextPromptWithHistory(this._completionsForTextPrompt.bind(this));
     this.prompt.setSuggestBoxEnabled("generic-suggest");
     this.prompt.renderAsBlock();
     this.prompt.attach(this.promptElement);
     this.prompt.proxyElement.addEventListener("keydown", this._promptKeyDown.bind(this), false);
-    this.prompt.setHistoryData(WebInspector.settings.consoleHistory.get());
+    var historyData = WebInspector.settings.consoleHistory.get();
+    this.prompt.setHistoryData(historyData);
+    if (!WebInspector.settings.allowPastingJavaScript.get() && historyData && historyData.length > 10)
+        WebInspector.settings.allowPastingJavaScript.set(true);
 
     WebInspector.targetManager.observeTargets(this);
 
     this._filterStatusMessageElement = document.createElement("div");
     this._filterStatusMessageElement.classList.add("console-message");
     this._filterStatusTextElement = this._filterStatusMessageElement.createChild("span", "console-info");
     this._filterStatusMessageElement.createTextChild(" ");
     var resetFiltersLink = this._filterStatusMessageElement.createChild("span", "console-info node-link");
     resetFiltersLink.textContent = WebInspector.UIString("Show all messages.");
     resetFiltersLink.addEventListener("click", this._filter.reset.bind(this._filter), true);
@@ skipping 139 matching lines @@
     {
         var option = this._executionContextSelector.selectedOption();
         return option ? option._executionContext : null;
     },
 
     /**
      * @return {?WebInspector.Target}
      */
     _currentTarget: function()
     {
-//         var executionContext = this._currentExecutionContext();
-//         return executionContext ? executionContext.target() : null;
         return WebInspector.targetManager.activeTarget();
     },
 
     /**
      * @param {!Element} proxyElement
      * @param {!Range} wordRange
      * @param {boolean} force
      * @param {function(!Array.<string>, number=)} completionsReadyCallback
      */
     _completionsForTextPrompt: function(proxyElement, wordRange, force, completionsReadyCallback)
@@ skipping 620 matching lines @@
 
     _jumpToSearchResult: function(index)
     {
         index %= this._searchResults.length;
         this._clearCurrentSearchResultHighlight();
         this._currentSearchResultIndex = index;
         this._searchableView.updateCurrentMatchIndex(this._currentSearchResultIndex);
         this._searchResults[index].highlightSearchResults(this._searchRegex);
     },
 
+    /**
+     * @param {?Event} e
+     */
+    _onPasteIntoPrompt: function(e)
+    {
+        if (WebInspector.settings.allowPastingJavaScript.get())
+            return;
+        var result = prompt(WebInspector.UIString("You may be a victim of a scam. Executing this code is probably bad for you. \n\nType 'always allow' in the input field below to allow this action"));
+        if (result === "always allow") {
+            WebInspector.settings.allowPastingJavaScript.set(true);
+            return;
+        }
+        e.consume(true);
+    },
+
     __proto__: WebInspector.VBox.prototype
 }
 
 /**
  * @constructor
  * @extends {WebInspector.Object}
  * @param {!WebInspector.ConsoleView} view
  */
 WebInspector.ConsoleViewFilter = function(view)
 {
@@ skipping 322 matching lines @@
 WebInspector.ConsoleView.ShowConsoleActionDelegate.prototype = {
     /**
      * @return {boolean}
      */
     handleAction: function()
     {
         WebInspector.console.show();
         return true;
     }
 }