diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc index 472d482bc..0fcd56eb1 100644 --- a/doc/changelog.asciidoc +++ b/doc/changelog.asciidoc @@ -97,6 +97,9 @@ Fixed ~~~~~ - Various subtle keyboard focus issues. +- The security fix in v1.3.3 caused URLs with ampersands + (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on + the `qute://history` page. Removed ~~~~~~~ diff --git a/qutebrowser/browser/qutescheme.py b/qutebrowser/browser/qutescheme.py index 7c9f9b1aa..e3483bac0 100644 --- a/qutebrowser/browser/qutescheme.py +++ b/qutebrowser/browser/qutescheme.py @@ -242,7 +242,7 @@ def history_data(start_time, offset=None): end_time = start_time - 24*60*60 entries = hist.entries_between(end_time, start_time) - return [{"url": html.escape(e.url), + return [{"url": e.url, "title": html.escape(e.title) or html.escape(e.url), "time": e.atime} for e in entries] diff --git a/qutebrowser/javascript/history.js b/qutebrowser/javascript/history.js index 417441bd9..093b95b4e 100644 --- a/qutebrowser/javascript/history.js +++ b/qutebrowser/javascript/history.js @@ -114,7 +114,7 @@ window.loadHistory = (function() { title.className = "title"; const link = document.createElement("a"); link.href = itemUrl; - link.innerHTML = itemTitle; + link.innerHTML = itemTitle; // Properly escaped in qutescheme.py const host = document.createElement("span"); host.className = "hostname"; host.innerHTML = link.hostname; diff --git a/tests/end2end/features/history.feature b/tests/end2end/features/history.feature index 13a890c10..0432c0705 100644 --- a/tests/end2end/features/history.feature +++ b/tests/end2end/features/history.feature @@ -117,3 +117,10 @@ Feature: Page history When I open data/issue4011.html And I open qute://history Then the javascript message "XSS" should not be logged + + Scenario: Escaping of URLs in :history + When I open query?one=1&two=2 + And I open qute://history + And I hint with args "links normal" and follow a + And I wait until query?one=1&two=2 is loaded + Then the query parameter two should be set to 2 diff --git a/tests/end2end/features/test_history_bdd.py b/tests/end2end/features/test_history_bdd.py index 6efa08330..4d477d832 100644 --- a/tests/end2end/features/test_history_bdd.py +++ b/tests/end2end/features/test_history_bdd.py @@ -17,6 +17,7 @@ # You should have received a copy of the GNU General Public License # along with qutebrowser. If not, see . +import json import logging import re @@ -34,6 +35,19 @@ def turn_on_sql_history(quteproc): quteproc.wait_for_load_finished_url('qute://pyeval') +@bdd.then(bdd.parsers.parse("the query parameter {name} should be set to " + "{value}")) +def check_query(quteproc, name, value): + """Check if a given query is set correctly. + + This assumes we're on the server query page. + """ + content = quteproc.get_content() + data = json.loads(content) + print(data) + assert data[name] == value + + @bdd.then(bdd.parsers.parse("the history should contain:\n{expected}")) def check_history(quteproc, server, tmpdir, expected): path = tmpdir / 'history' diff --git a/tests/end2end/fixtures/webserver_sub.py b/tests/end2end/fixtures/webserver_sub.py index 7d9af2ee3..15cd0becc 100644 --- a/tests/end2end/fixtures/webserver_sub.py +++ b/tests/end2end/fixtures/webserver_sub.py @@ -261,6 +261,11 @@ def response_headers(): return response +@app.route('/query') +def query(): + return flask.jsonify(flask.request.args) + + @app.route('/user-agent') def view_user_agent(): """Return User-Agent."""