[epiphany/gnome-3-38] web-view: encode data in error pages
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/gnome-3-38] web-view: encode data in error pages
- Date: Thu, 16 Dec 2021 15:05:33 +0000 (UTC)
commit 77755d107e4d1cbe92bdefc6c394491e66a708e1
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue Dec 14 17:37:05 2021 -0600
web-view: encode data in error pages
Page titles and URLs are untrusted and could be nasty, so we need to
encode them appropriately when injecting them into HTML.
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
embed/ephy-web-view.c | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index bba27ae45..e5206aec3 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -38,6 +38,7 @@
#include "ephy-gsb-utils.h"
#include "ephy-history-service.h"
#include "ephy-lib-type-builtins.h"
+#include "ephy-output-encoding.h"
#include "ephy-permissions-manager.h"
#include "ephy-prefs.h"
#include "ephy-reader-handler.h"
@@ -1772,6 +1773,8 @@ format_network_error_page (const char *uri,
const char **icon_name,
const char **style)
{
+ g_autofree char *encoded_uri = NULL;
+ g_autofree char *encoded_origin = NULL;
g_autofree char *formatted_origin = NULL;
g_autofree char *formatted_reason = NULL;
g_autofree char *first_paragraph = NULL;
@@ -1783,7 +1786,8 @@ format_network_error_page (const char *uri,
/* Message title when a site cannot be loaded due to a network error. */
*message_title = g_strdup (_("Unable to display this website"));
- formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
+ encoded_origin = ephy_encode_for_html_entity (origin);
+ formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
/* Error details when a site cannot be loaded due to a network error. */
first_paragraph = g_strdup_printf (_("The site at %s seems to be "
"unavailable."),
@@ -1805,7 +1809,8 @@ format_network_error_page (const char *uri,
/* The button on the network error page. DO NOT ADD MNEMONICS HERE. */
*button_label = g_strdup (_("Reload"));
- *button_action = g_strdup_printf ("window.location = '%s';", uri);
+ encoded_uri = ephy_encode_for_javascript (uri);
+ *button_action = g_strdup_printf ("window.location = '%s';", encoded_uri);
/* Mnemonic for the Reload button on browser error pages. */
*button_accesskey = C_("reload-access-key", "R");
@@ -1824,6 +1829,8 @@ format_crash_error_page (const char *uri,
const char **icon_name,
const char **style)
{
+ g_autofree char *html_encoded_uri = NULL;
+ g_autofree char *js_encoded_uri = NULL;
g_autofree char *formatted_uri = NULL;
g_autofree char *formatted_distributor = NULL;
g_autofree char *first_paragraph = NULL;
@@ -1835,7 +1842,8 @@ format_crash_error_page (const char *uri,
/* Message title when a site cannot be loaded due to a page crash error. */
*message_title = g_strdup (_("Oops! There may be a problem"));
- formatted_uri = g_strdup_printf ("<strong>%s</strong>", uri);
+ html_encoded_uri = ephy_encode_for_html_entity (uri);
+ formatted_uri = g_strdup_printf ("<strong>%s</strong>", html_encoded_uri);
/* Error details when a site cannot be loaded due to a page crash error. */
first_paragraph = g_strdup_printf (_("The page %s may have caused Web to "
"close unexpectedly."),
@@ -1854,7 +1862,8 @@ format_crash_error_page (const char *uri,
/* The button on the page crash error page. DO NOT ADD MNEMONICS HERE. */
*button_label = g_strdup (_("Reload"));
- *button_action = g_strdup_printf ("window.location = '%s';", uri);
+ js_encoded_uri = ephy_encode_for_javascript (uri);
+ *button_action = g_strdup_printf ("window.location = '%s';", js_encoded_uri);
/* Mnemonic for the Reload button on browser error pages. */
*button_accesskey = C_("reload-access-key", "R");
@@ -1873,6 +1882,7 @@ format_process_crash_error_page (const char *uri,
const char **icon_name,
const char **style)
{
+ g_autofree char *encoded_uri = NULL;
const char *first_paragraph;
/* Page title when a site cannot be loaded due to a process crash error. */
@@ -1888,7 +1898,8 @@ format_process_crash_error_page (const char *uri,
/* The button on the process crash error page. DO NOT ADD MNEMONICS HERE. */
*button_label = g_strdup (_("Reload"));
- *button_action = g_strdup_printf ("window.location = '%s';", uri);
+ encoded_uri = ephy_encode_for_javascript (uri);
+ *button_action = g_strdup_printf ("window.location = '%s';", encoded_uri);
/* Mnemonic for the Reload button on browser error pages. */
*button_accesskey = C_("reload-access-key", "R");
@@ -1912,6 +1923,7 @@ format_tls_error_page (EphyWebView *view,
const char **icon_name,
const char **style)
{
+ g_autofree char *encoded_origin = NULL;
g_autofree char *formatted_origin = NULL;
g_autofree char *first_paragraph = NULL;
@@ -1921,7 +1933,8 @@ format_tls_error_page (EphyWebView *view,
/* Message title when a site is not loaded due to an invalid TLS certificate. */
*message_title = g_strdup (_("This Connection is Not Secure"));
- formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
+ encoded_origin = ephy_encode_for_html_entity (origin);
+ formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
/* Error details when a site is not loaded due to an invalid TLS certificate. */
first_paragraph = g_strdup_printf (_("This does not look like the real %s. "
"Attackers might be trying to steal or "
@@ -1966,6 +1979,7 @@ format_unsafe_browsing_error_page (EphyWebView *view,
const char **icon_name,
const char **style)
{
+ g_autofree char *encoded_origin = NULL;
g_autofree char *formatted_origin = NULL;
g_autofree char *first_paragraph = NULL;
@@ -1975,7 +1989,8 @@ format_unsafe_browsing_error_page (EphyWebView *view,
/* Message title on the unsafe browsing error page. */
*message_title = g_strdup (_("Unsafe website detected!"));
- formatted_origin = g_strdup_printf ("<strong>%s</strong>", origin);
+ encoded_origin = ephy_encode_for_html_entity (origin);
+ formatted_origin = g_strdup_printf ("<strong>%s</strong>", encoded_origin);
/* Error details on the unsafe browsing error page.
* https://developers.google.com/safe-browsing/v4/usage-limits#UserWarnings
*/
@@ -2046,7 +2061,8 @@ format_no_such_file_error_page (EphyWebView *view,
const char **icon_name,
const char **style)
{
- g_autofree gchar *formatted_origin = NULL;
+ g_autofree gchar *encoded_address = NULL;
+ g_autofree gchar *formatted_address = NULL;
g_autofree gchar *first_paragraph = NULL;
g_autofree gchar *second_paragraph = NULL;
@@ -2056,10 +2072,11 @@ format_no_such_file_error_page (EphyWebView *view,
/* Message title on the no such file error page. */
*message_title = g_strdup (_("File not found"));
- formatted_origin = g_strdup_printf ("<strong>%s</strong>", view->address);
+ encoded_address = ephy_encode_for_html_entity (view->address);
+ formatted_address = g_strdup_printf ("<strong>%s</strong>", encoded_address);
first_paragraph = g_strdup_printf (_("%s could not be found."),
- formatted_origin);
+ formatted_address);
second_paragraph = g_strdup_printf (_("Please check the file name for "
"capitalization or other typing errors. Also check if "
"it has been moved, renamed, or deleted."));
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
