diff -uNr sage.orig/content/createhtml.js sage/content/createhtml.js
--- sage.orig/content/createhtml.js 2009-12-10 14:01:59.000000000 +0000
+++ sage/content/createhtml.js 2009-12-10 14:41:04.000000000 +0000
@@ -136,7 +136,8 @@
return this.entityEncode(feed.getTitle());
case "**LINK**":
- return feed.getLink();
+ // Partial fix for CVE-2009-4102
+ return this.cleanHref(feed.getLink());
break;
case "**AUTHOR**":
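Review bot: The added `return this.cleanHref(feed.getLink());` hands the link back without entityEncode, while the sibling **TITLE** branch two lines above encodes its value; if the template places **LINK** inside a quoted attribute (the template is not visible here), a `"` or `&` in a feed's link still reaches the markup unescaped even after the scheme check. Assuming entityEncode escapes the usual HTML metacharacters, `return this.entityEncode(this.cleanHref(feed.getLink()));` closes that gap at no cost, and the same applies to the item `**LINK**` case in the hunk starting at `@@ -216`. The `break;` after the return was already unreachable before this change.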
@@ -147,7 +148,8 @@
case "**DESCRIPTION**":
if (feed.hasDescription()) {
- return feed.getDescription();
+ // Entity encode call is Partial fix for CVE-2009-4102
+ return this.entityEncode(SageUtils.htmlToText(feed.getDescription()));
}
return "";
@@ -216,7 +218,8 @@
return i +1;
case "**LINK**":
- return item.getLink();
+ // Partial fix for CVE-2009-4102
+ return this.cleanHref(item.getLink());
case "**TITLE**":
if (item.hasTitle()) {
@@ -242,7 +245,8 @@
this.simpleHtmlParser.parse(item.getContent());
ds = this.filterHtmlHandler.toString();
} else {
- ds = SageUtils.htmlToText(item.getContent());
+ // Entity encode call is fix for regression from CVE-2006-4712
+ ds = this.entityEncode(SageUtils.htmlToText(item.getContent()));
}
return "<div class=\"item-desc\">" + ds + "</div>";
}
@@ -291,6 +295,31 @@
return dirService.get(aProp, Components.interfaces.nsILocalFile);
},
+ // Partial fix for CVE-2009-4102
+ cleanHref: function(aUrl)
+ {
+ // We only want to allow http, ftp, news and mailto before :
+ var ltype = aUrl.split(":")[0];
+ aUrl = aUrl.replace(/^[^:]*:/, "");
+ switch(ltype.toLowerCase())
+ {
+ case "http":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "nntp":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "mailto":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "ftp":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ }
+ // Did I miss some safe ones?
+ return aUrl
+ },
+
entityEncode: function(aStr)
{
function replacechar(match) {
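Review bot: `cleanHref` drops the scheme from every https link: `https` has no case, so `https://host/x` comes back as `//host/x`, and the comment above the switch promises `news` while the code accepts `nntp`. The four cases are byte-identical, so a single allowlist test (below) reads more clearly and makes such omissions visible; `return aUrl` is also missing its semicolon. `aUrl.split` is called unconditionally, so a null or undefined link would throw here — whether getLink() can return one is not visible in this patch, so a guard may be warranted. entityEncode's body continues outside the hunk.
```javascript
cleanHref: function(aUrl)
{
    // Keep the scheme only when it is on the allowlist; anything else is
    // returned with its scheme stripped so it is treated as a relative link.
    var ltype = aUrl.split(":")[0];
    aUrl = aUrl.replace(/^[^:]*:/, "");
    if (/^(https?|ftp|nntp|mailto)$/i.test(ltype)) {
        aUrl = ltype + ":" + aUrl;
    }
    return aUrl;
},
```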
signature.asc
Description: OpenPGP digital signature

