Index: chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
diff --git a/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm b/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
index f52d2b9526d9caf3ff25cfc48aa8a7c2b647416c..e50e8b6ce9d73fd946ac385b75348dc96260f8e0 100644 |
--- a/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
+++ b/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
@@ -1150,10 +1150,13 @@ class NotificationBridge : public AppMenuIconController::Delegate { |
GURL url(url_formatter::FixupURL( |
base::SysNSStringToUTF8([urls objectAtIndex:0]), std::string())); |
+ // Security: Sanitize text to prevent self-XSS |
Avi (use Gerrit)
2016/09/16 18:31:09
Comments are full sentences; end them with a full-
elawrence
2016/09/16 19:02:16
Done.
|
if (url.SchemeIs(url::kJavaScriptScheme)) { |
browser_->window()->GetLocationBar()->GetOmniboxView()->SetUserText( |
OmniboxView::StripJavascriptSchemas(base::UTF8ToUTF16(url.spec()))); |
+ return; |
} |
+ |
OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
ui::PAGE_TRANSITION_TYPED, false); |
browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |
@@ -1172,6 +1175,11 @@ class NotificationBridge : public AppMenuIconController::Delegate { |
metrics::OmniboxEventProto::BLANK, &match, NULL); |
GURL url(match.destination_url); |
+ // Security: Block JavaScript to prevent self-XSS |
Avi (use Gerrit)
2016/09/16 18:31:09
ditto.
elawrence
2016/09/16 19:02:16
Done.
|
+ if (url.SchemeIs(url::kJavaScriptScheme)) { |
+ return; |
+ } |
+ |
OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
ui::PAGE_TRANSITION_TYPED, false); |
browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |