View Source Linkification should only linkify "safe" URLs. p=cbartley, r=mrbkap, sr=bzbarsky, b=467852

dom/src/jsurl/nsJSProtocolHandler.cpp

@@ -1171,7 +1171,7 @@ NS_IMETHODIMP
 nsJSProtocolHandler::GetProtocolFlags(PRUint32 *result)
 {
     *result = URI_NORELATIVE | URI_NOAUTH | URI_INHERITS_SECURITY_CONTEXT |
-        URI_LOADABLE_BY_ANYONE | URI_NON_PERSISTABLE;
+        URI_LOADABLE_BY_ANYONE | URI_NON_PERSISTABLE | URI_OPENING_EXECUTES_SCRIPT;
     return NS_OK;
 }
 

netwerk/base/public/nsIProtocolHandler.idl

@@ -229,6 +229,11 @@ interface nsIProtocolHandler : nsISupports
      */
     const unsigned long URI_IS_LOCAL_RESOURCE = (1<<12);
 
+    /**
+     * URIs for this protocol execute script when they are opened.
+     */
+    const unsigned long URI_OPENING_EXECUTES_SCRIPT = (1<<13);
+
     /**
      * This protocol handler can be proxied via a proxy (socks or http)
      * (e.g., irc, smtp, http, etc.).  If the protocol supports transparent

parser/htmlparser/src/nsViewSourceHTML.cpp

@@ -1046,13 +1046,19 @@ void CViewSourceHTML::WriteHrefAttribute(nsTokenAllocator* allocator,
   CreateViewSourceURL(hrefProper, viewSourceUrl);
 
   // Construct the HTML that will represent the HREF.
-  NS_NAMED_LITERAL_STRING(HREF, "href");
-  if (fullPrecedingText.Length() > 0) {
-    WriteTextInSpan(fullPrecedingText, allocator, EmptyString(), EmptyString());
-  }
-  WriteTextInAnchor(hrefProper, allocator, HREF, viewSourceUrl);
-  if (succeedingText.Length() > 0) {
-    WriteTextInSpan(succeedingText, allocator, EmptyString(), EmptyString());
+  if (viewSourceUrl.IsEmpty()) {
+    nsAutoString equalsHref(kEqual);
+    equalsHref.Append(href);
+    WriteTextInSpan(equalsHref, allocator, EmptyString(), EmptyString());
+  } else {
+    NS_NAMED_LITERAL_STRING(HREF, "href");
+    if (fullPrecedingText.Length() > 0) {
+      WriteTextInSpan(fullPrecedingText, allocator, EmptyString(), EmptyString());
+    }
+    WriteTextInAnchor(hrefProper, allocator, HREF, viewSourceUrl);
+    if (succeedingText.Length() > 0) {
+      WriteTextInSpan(succeedingText, allocator, EmptyString(), EmptyString());
+    }
   }
 }
 
@@ -1062,9 +1068,7 @@ nsresult CViewSourceHTML::CreateViewSourceURL(const nsAString& linkUrl,
   nsCOMPtr<nsIURI> hrefURI;
   nsresult rv;
 
-  // Default the view source URL to the empty string in case we fail.  Links
-  // with empty HREFs are essentially non-functional, at least as of Firefox
-  // 3.03.  This is preferrable behavior to links that look good but then 404.
+  // Default the view source URL to the empty string in case we fail.
   viewSourceUrl.Truncate();
   
   // Get the character set.
@@ -1084,8 +1088,29 @@ nsresult CViewSourceHTML::CreateViewSourceURL(const nsAString& linkUrl,
   nsCString absoluteLinkUrl;
   hrefURI->GetSpec(absoluteLinkUrl);
 
-  // Prepend "view-source:" onto the absolute URL and store it in the out param.
-  viewSourceUrl.AssignLiteral("view-source:");
+  // URLs that execute script (e.g. "javascript:" URLs) should just be
+  // ignored.  There's nothing reasonable we can do with them, and allowing
+  // them to execute in the context of the view-source window presents a
+  // security risk.  Just return the empty string in this case.
+  PRBool openingExecutesScript = PR_FALSE;
+  rv = NS_URIChainHasFlags(hrefURI, nsIProtocolHandler::URI_OPENING_EXECUTES_SCRIPT,
+                           &openingExecutesScript);
+  NS_ENSURE_SUCCESS(rv, NS_OK); // if there's an error, return the empty string
+  if (openingExecutesScript) {
+    return NS_OK;
+  }
+
+  // URLs that return data (e.g. "http:" URLs) should be prefixed with
+  // "view-source:".  URLs that don't return data should just be returned
+  // undecorated.
+  PRBool doesNotReturnData = PR_FALSE;
+  rv = NS_URIChainHasFlags(hrefURI, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA,
+                           &doesNotReturnData);
+  NS_ENSURE_SUCCESS(rv, NS_OK);  // if there's an error, return the empty string
+  if (!doesNotReturnData) {
+    viewSourceUrl.AssignLiteral("view-source:");    
+  }
+
   viewSourceUrl.AppendWithConversion(absoluteLinkUrl);
 
   return NS_OK;