Chromium Code Reviews Chromium Code Reviews
Issue 2346023002:
Ignore Javascript urls dropped on tabs (Mac version) (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #import "chrome/browser/ui/cocoa/toolbar/toolbar_controller.h" | 5 #import "chrome/browser/ui/cocoa/toolbar/toolbar_controller.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/mac/bundle_locations.h" | 9 #include "base/mac/bundle_locations.h" |
| 10 #include "base/mac/foundation_util.h" | 10 #include "base/mac/foundation_util.h" |
| (...skipping 1132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1143 } | 1143 } |
| 1144 | 1144 |
| 1145 // TODO(viettrungluu): dropping multiple URLs? | 1145 // TODO(viettrungluu): dropping multiple URLs? |
| 1146 if ([urls count] > 1) | 1146 if ([urls count] > 1) |
| 1147 NOTIMPLEMENTED(); | 1147 NOTIMPLEMENTED(); |
| 1148 | 1148 |
| 1149 // Get the first URL and fix it up. | 1149 // Get the first URL and fix it up. |
| 1150 GURL url(url_formatter::FixupURL( | 1150 GURL url(url_formatter::FixupURL( |
| 1151 base::SysNSStringToUTF8([urls objectAtIndex:0]), std::string())); | 1151 base::SysNSStringToUTF8([urls objectAtIndex:0]), std::string())); |
| 1152 | 1152 |
| 1153 // Security: Sanitize text to prevent self-XSS | |
|
Avi (use Gerrit)
2016/09/16 18:31:09
Comments are full sentences; end them with a full-
elawrence
2016/09/16 19:02:16
Done.
| |
| 1153 if (url.SchemeIs(url::kJavaScriptScheme)) { | 1154 if (url.SchemeIs(url::kJavaScriptScheme)) { |
| 1154 browser_->window()->GetLocationBar()->GetOmniboxView()->SetUserText( | 1155 browser_->window()->GetLocationBar()->GetOmniboxView()->SetUserText( |
| 1155 OmniboxView::StripJavascriptSchemas(base::UTF8ToUTF16(url.spec()))); | 1156 OmniboxView::StripJavascriptSchemas(base::UTF8ToUTF16(url.spec()))); |
| 1157 return; | |
| 1156 } | 1158 } |
| 1159 | |
| 1157 OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, | 1160 OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
| 1158 ui::PAGE_TRANSITION_TYPED, false); | 1161 ui::PAGE_TRANSITION_TYPED, false); |
| 1159 browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); | 1162 browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |
| 1160 } | 1163 } |
| 1161 | 1164 |
| 1162 // (URLDropTargetController protocol) | 1165 // (URLDropTargetController protocol) |
| 1163 - (void)dropText:(NSString*)text inView:(NSView*)view at:(NSPoint)point { | 1166 - (void)dropText:(NSString*)text inView:(NSView*)view at:(NSPoint)point { |
| 1164 // TODO(viettrungluu): This code is more or less copied from the code in | 1167 // TODO(viettrungluu): This code is more or less copied from the code in |
| 1165 // |TabStripController|. I'll refactor this soon to make it common and expand | 1168 // |TabStripController|. I'll refactor this soon to make it common and expand |
| 1166 // its capabilities (e.g., allow text DnD). | 1169 // its capabilities (e.g., allow text DnD). |
| 1167 | 1170 |
| 1168 // If the input is plain text, classify the input and make the URL. | 1171 // If the input is plain text, classify the input and make the URL. |
| 1169 AutocompleteMatch match; | 1172 AutocompleteMatch match; |
| 1170 AutocompleteClassifierFactory::GetForProfile(browser_->profile())->Classify( | 1173 AutocompleteClassifierFactory::GetForProfile(browser_->profile())->Classify( |
| 1171 base::SysNSStringToUTF16(text), false, false, | 1174 base::SysNSStringToUTF16(text), false, false, |
| 1172 metrics::OmniboxEventProto::BLANK, &match, NULL); | 1175 metrics::OmniboxEventProto::BLANK, &match, NULL); |
| 1173 GURL url(match.destination_url); | 1176 GURL url(match.destination_url); |
| 1174 | 1177 |
| 1178 // Security: Block JavaScript to prevent self-XSS | |
|
Avi (use Gerrit)
2016/09/16 18:31:09
ditto.
elawrence
2016/09/16 19:02:16
Done.
| |
| 1179 if (url.SchemeIs(url::kJavaScriptScheme)) { | |
| 1180 return; | |
| 1181 } | |
| 1182 | |
| 1175 OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, | 1183 OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
| 1176 ui::PAGE_TRANSITION_TYPED, false); | 1184 ui::PAGE_TRANSITION_TYPED, false); |
| 1177 browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); | 1185 browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |
| 1178 } | 1186 } |
| 1179 | 1187 |
| 1180 // (URLDropTargetController protocol) | 1188 // (URLDropTargetController protocol) |
| 1181 - (void)indicateDropURLsInView:(NSView*)view at:(NSPoint)point { | 1189 - (void)indicateDropURLsInView:(NSView*)view at:(NSPoint)point { |
| 1182 // Do nothing. | 1190 // Do nothing. |
| 1183 } | 1191 } |
| 1184 | 1192 |
| 1185 // (URLDropTargetController protocol) | 1193 // (URLDropTargetController protocol) |
| 1186 - (void)hideDropURLsIndicatorInView:(NSView*)view { | 1194 - (void)hideDropURLsIndicatorInView:(NSView*)view { |
| 1187 // Do nothing. | 1195 // Do nothing. |
| 1188 } | 1196 } |
| 1189 | 1197 |
| 1190 // (URLDropTargetController protocol) | 1198 // (URLDropTargetController protocol) |
| 1191 - (BOOL)isUnsupportedDropData:(id<NSDraggingInfo>)info { | 1199 - (BOOL)isUnsupportedDropData:(id<NSDraggingInfo>)info { |
| 1192 return drag_util::IsUnsupportedDropData(profile_, info); | 1200 return drag_util::IsUnsupportedDropData(profile_, info); |
| 1193 } | 1201 } |
| 1194 | 1202 |
| 1195 @end | 1203 @end |
| OLD | NEW |
