Index: chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
diff --git a/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm b/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
index f52d2b9526d9caf3ff25cfc48aa8a7c2b647416c..a8851d3e0b815ac94ffbbf0f206f3dbafa9bb665 100644 |
--- a/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
+++ b/chrome/browser/ui/cocoa/toolbar/toolbar_controller.mm |
@@ -1150,10 +1150,13 @@ class NotificationBridge : public AppMenuIconController::Delegate { |
GURL url(url_formatter::FixupURL( |
base::SysNSStringToUTF8([urls objectAtIndex:0]), std::string())); |
+ // Security: Sanitize text to prevent self-XSS. |
if (url.SchemeIs(url::kJavaScriptScheme)) { |
browser_->window()->GetLocationBar()->GetOmniboxView()->SetUserText( |
OmniboxView::StripJavascriptSchemas(base::UTF8ToUTF16(url.spec()))); |
+ return; |
} |
+ |
OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
ui::PAGE_TRANSITION_TYPED, false); |
browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |
@@ -1172,6 +1175,10 @@ class NotificationBridge : public AppMenuIconController::Delegate { |
metrics::OmniboxEventProto::BLANK, &match, NULL); |
GURL url(match.destination_url); |
+ // Security: Block JavaScript to prevent self-XSS. |
+ if (url.SchemeIs(url::kJavaScriptScheme)) |
+ return; |
+ |
OpenURLParams params(url, Referrer(), WindowOpenDisposition::CURRENT_TAB, |
ui::PAGE_TRANSITION_TYPED, false); |
browser_->tab_strip_model()->GetActiveWebContents()->OpenURL(params); |