rnhmjoj/qutebrowser
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't escape URLs for qute://history

Browse Source 
We only use the URL to set a 'href' attribute, which does not need escaping.

See #4011
Fixes #4012
This commit is contained in:
Florian Bruhin 2018-06-23 14:27:07 +02:00
parent d2254ca48b
commit a02c25dfb1
6 changed files with 31 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/changelog.asciidoc
View File

@ -97,6 +97,9 @@ Fixed
~~~~~ ~~~~~
- Various subtle keyboard focus issues. - Various subtle keyboard focus issues.
- The security fix in v1.3.3 caused URLs with ampersands
(`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on
the `qute://history` page.
Removed Removed
~~~~~~~ ~~~~~~~

2
qutebrowser/browser/qutescheme.py
View File

@ -242,7 +242,7 @@ def history_data(start_time, offset=None):
end_time = start_time - 24*60*60 end_time = start_time - 24*60*60
entries = hist.entries_between(end_time, start_time) entries = hist.entries_between(end_time, start_time)
return [{"url": html.escape(e.url), return [{"url": e.url,
"title": html.escape(e.title) or html.escape(e.url), "title": html.escape(e.title) or html.escape(e.url),
"time": e.atime} for e in entries] "time": e.atime} for e in entries]

2
qutebrowser/javascript/history.js
View File

@ -114,7 +114,7 @@ window.loadHistory = (function() {
title.className = "title"; title.className = "title";
const link = document.createElement("a"); const link = document.createElement("a");
link.href = itemUrl; link.href = itemUrl;
link.innerHTML = itemTitle; link.innerHTML = itemTitle; // Properly escaped in qutescheme.py
const host = document.createElement("span"); const host = document.createElement("span");
host.className = "hostname"; host.className = "hostname";
host.innerHTML = link.hostname; host.innerHTML = link.hostname;

7
tests/end2end/features/history.feature
View File

@ -117,3 +117,10 @@ Feature: Page history
When I open data/issue4011.html When I open data/issue4011.html
And I open qute://history And I open qute://history
Then the javascript message "XSS" should not be logged Then the javascript message "XSS" should not be logged
Scenario: Escaping of URLs in :history
When I open query?one=1&two=2
And I open qute://history
And I hint with args "links normal" and follow a
And I wait until query?one=1&two=2 is loaded
Then the query parameter two should be set to 2

14
tests/end2end/features/test_history_bdd.py
View File

@ -17,6 +17,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with qutebrowser. If not, see <http://www.gnu.org/licenses/>. # along with qutebrowser. If not, see <http://www.gnu.org/licenses/>.
import json
import logging import logging
import re import re
@ -34,6 +35,19 @@ def turn_on_sql_history(quteproc):
quteproc.wait_for_load_finished_url('qute://pyeval') quteproc.wait_for_load_finished_url('qute://pyeval')
@bdd.then(bdd.parsers.parse("the query parameter {name} should be set to "
"{value}"))
def check_query(quteproc, name, value):
"""Check if a given query is set correctly.
This assumes we're on the server query page.
"""
content = quteproc.get_content()
data = json.loads(content)
print(data)
assert data[name] == value
@bdd.then(bdd.parsers.parse("the history should contain:\n{expected}")) @bdd.then(bdd.parsers.parse("the history should contain:\n{expected}"))
def check_history(quteproc, server, tmpdir, expected): def check_history(quteproc, server, tmpdir, expected):
path = tmpdir / 'history' path = tmpdir / 'history'

5
tests/end2end/fixtures/webserver_sub.py
View File

@ -261,6 +261,11 @@ def response_headers():
return response return response
@app.route('/query')
def query():
return flask.jsonify(flask.request.args)
@app.route('/user-agent') @app.route('/user-agent')
def view_user_agent(): def view_user_agent():
"""Return User-Agent.""" """Return User-Agent."""