authoramit@chromium.org <amit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-29 02:14:17 +0000
committeramit@chromium.org <amit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-29 02:14:17 +0000
commita5eb0bb484ccb3d9ab55ddc85373333bfe31f734 (patch)
tree355e4a08eabacb1ca54989f31eb4c03a93689d7d /chrome/browser/browser_url_handler.cc
parent7ce979a79bb891f2f7e6411a7dcbd473522ad398 (diff)
Prevent 'view-source' from being abused by disabling anything
other than http, https, ftp or file protocols in it. BUG=26129 TEST=view-source:javascript:alert('foo') should no longer work in chrome's address bar. Review URL: http://codereview.chromium.org/348004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30418 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/browser_url_handler.cc')
-rw-r--r--chrome/browser/browser_url_handler.cc21
1 files changed, 21 insertions, 0 deletions
diff --git a/chrome/browser/browser_url_handler.cc b/chrome/browser/browser_url_handler.cc
index 506ccfd..17f6fda 100644
--- a/chrome/browser/browser_url_handler.cc
+++ b/chrome/browser/browser_url_handler.cc
@@ -17,6 +17,27 @@ static bool HandleViewSource(GURL* url, Profile* profile) {
if (url->SchemeIs(chrome::kViewSourceScheme)) {
// Load the inner URL instead.
*url = GURL(url->path());
+
+ // Bug 26129: limit view-source to view the content and not any
+ // other kind of 'active' url scheme like 'javascript' or 'data'.
+ static const char* const allowed_sub_schemes[] = {
+ chrome::kHttpScheme, chrome::kHttpsScheme, chrome::kFtpScheme,
+ chrome::kChromeUIScheme
+ };
+
+ bool is_sub_scheme_allowed = false;
+ for (size_t i = 0; i < arraysize(allowed_sub_schemes); i++) {
+ if (url->SchemeIs(allowed_sub_schemes[i])) {
+ is_sub_scheme_allowed = true;
+ break;
+ }
+ }
+
+ if (!is_sub_scheme_allowed) {
+ *url = GURL(chrome::kAboutBlankURL);
+ return false;
+ }
+
return true;
}
return false;
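Review bot: The contents of `allowed_sub_schemes` do not match the commit description. The description names http, https, ftp and file, but the array holds `chrome::kHttpScheme`, `chrome::kHttpsScheme`, `chrome::kFtpScheme` and `chrome::kChromeUIScheme`, so a `view-source:file:` URL is now rewritten to about:blank while the browser's internal UI scheme is admitted without explanation. Either the list or the description should be corrected, and the comment above the array should state the policy, for example `// Allow-list: any inner scheme not named here (javascript, data, nested view-source, ...) is replaced with about:blank.` The rejection branch also overwrites `*url` and then returns false, which presumably leaves the rewritten URL visible to later handlers, so a short comment confirming that is intended would help. HandleViewSource's closing brace is outside the hunk, so the rest of the function cannot be checked from here.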