
Side by Side Diff: chrome/browser/resources/ntp4/apps_page.js

Issue 2527413002: Fix XSS in app launcher and remove use of unvalidated URL (Closed)
Patch Set: Created 4 years ago
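--- a/chrome/browser/resources/ntp4/apps_page.js
+++ b/chrome/browser/resources/ntp4/apps_page.js
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 cr.define('ntp', function() {
 'use strict';
 
 var APP_LAUNCH = {
 // The histogram buckets (keep in sync with extension_constants.h).
 NTP_APPS_MAXIMIZED: 0,
@@ -389,27 +389,22 @@
 },
 
 /**
 * Invoked when an app is clicked.
 * @param {Event} e The click/auxclick event.
 * @private
 */
 onClick_: function(e) {
 if (/** @type {MouseEvent} */(e).button > 1) return;
 
-var url = !this.appData_.is_webstore ? '' :
-appendParam(this.appData_.url,
-'utm_source',
-'chrome-ntp-icon');
-
 chrome.send('launchApp',
-[this.appId, APP_LAUNCH.NTP_APPS_MAXIMIZED, url,
+[this.appId, APP_LAUNCH.NTP_APPS_MAXIMIZED, 'chrome-ntp-icon',
 e.button, e.altKey, e.ctrlKey, e.metaKey, e.shiftKey]);
 
 // Don't allow the click to trigger a link or anything
 e.preventDefault();
 },
 
 /**
 * Invoked when the user presses a key while the app is focused.
 * @param {Event} e The key event.
 * @private
@@ -702,23 +697,23 @@
 var url = dataTransfer.getData('url');
 assert(url);
 
 // If the dataTransfer has html data, use that html's text contents as the
 // title of the new link.
 var html = dataTransfer.getData('text/html');
 var title;
 if (html) {
 // It's important that we don't attach this node to the document
 // because it might contain scripts.
-var node = this.ownerDocument.createElement('div');
-node.innerHTML = html;
-title = node.textContent;
+var doc = document.implementation.createHTMLDocument();
+doc.body.innerHTML = html;
+title = doc.body.textContent;
 }
 
 // Make sure title is >=1 and <=45 characters for Chrome app limits.
 if (!title)
 title = url;
 if (title.length > 45)
 title = title.substring(0, 45);
 var data = {url: url, title: title};
 
 // Synthesize an app.
@@ -774,10 +769,10 @@
 chrome.send('launchApp', [appId, APP_LAUNCH.NTP_APP_RE_ENABLE]);
 }
 
 return {
 APP_LAUNCH: APP_LAUNCH,
 App: App,
 AppsPage: AppsPage,
 launchAppAfterEnable: launchAppAfterEnable,
 };
 });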
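Review bot: The comment kept above the new `createHTMLDocument()` lines (new 705-706) still says "we don't attach this node to the document", which described the old detached `div` and no longer states the safeguard the code relies on. Markup assigned to `innerHTML` of an element owned by the page's own document can still be acted on by the browser even if the element is never attached, which is presumably why the parse now happens in a separate document. I would reword the comment to something like `// Parse the dragged HTML in a separate document from createHTMLDocument(), never in an element owned by this page: the markup is untrusted and only its text content is used.` so a later cleanup does not revert to `createElement('div')`. In `onClick_` (new 400) the third `launchApp` argument is now the fixed tag `'chrome-ntp-icon'` instead of a URL; a short comment saying the page no longer supplies a URL would help, since the handler side is in app_launcher_handler.cc and not visible here. The function containing the drag-and-drop lines starts and ends outside the lines shown.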