diff -uNr sage.orig/content/createhtml.js sage/content/createhtml.js
--- sage.orig/content/createhtml.js	2009-12-10 14:01:59.000000000 +0000
+++ sage/content/createhtml.js	2009-12-10 14:41:04.000000000 +0000
@@ -136,7 +136,8 @@
 				return this.entityEncode(feed.getTitle());
 
 			case "**LINK**":
-				return feed.getLink();
+            // Partial fix for CVE-2009-4102
+				return this.cleanHref(feed.getLink());
 				break;
 
 			case "**AUTHOR**":
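Review bot: The value returned by the added `return this.cleanHref(feed.getLink());` is not entity-encoded, while the title case two lines above goes through `this.entityEncode`; if the template writes `**LINK**` into an `href="..."` attribute, a quote or angle bracket in the feed's link could still break out of the attribute after the scheme check. Consider `return this.cleanHref(this.entityEncode(feed.getLink()));` or the reverse order, depending on whether entityEncode escapes `"` (its body is outside this hunk, so verify). The item link in the hunk at @@ -216,7 has the same gap. The enclosing switch starts and ends outside this hunk, and the `break;` after the new return is unreachable, as it was before.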
@@ -147,7 +148,8 @@
 
 			case "**DESCRIPTION**":
 				if (feed.hasDescription()) {
-					return feed.getDescription();
+				 	 // Entity encode call is Partial fix for CVE-2009-4102
+					 return this.entityEncode(SageUtils.htmlToText(feed.getDescription()));
 				}
 				return "";
 
@@ -216,7 +218,8 @@
 				return i  +1;
 
 			case "**LINK**":
-				return item.getLink();
+			   // Partial fix for CVE-2009-4102
+			   return this.cleanHref(item.getLink());
 
 			case "**TITLE**":
 				if (item.hasTitle()) {
@@ -242,7 +245,8 @@
 						this.simpleHtmlParser.parse(item.getContent());
 						ds = this.filterHtmlHandler.toString();
 					} else {
-						ds = SageUtils.htmlToText(item.getContent());
+						 // Entity encode call is fix for regression from CVE-2006-4712
+						 ds = this.entityEncode(SageUtils.htmlToText(item.getContent()));
 					}
 					return "<div class=\"item-desc\">" + ds + "</div>";
 				}
@@ -291,6 +295,31 @@
 		return dirService.get(aProp, Components.interfaces.nsILocalFile);
 	},
 	
+	// Partial fix for CVE-2009-4102
+	cleanHref: function(aUrl) 
+	{
+		 // We only want to allow http, ftp, news and mailto before :
+		 var ltype = aUrl.split(":")[0];
+		 aUrl = aUrl.replace(/^[^:]*:/, "");
+	 	 switch(ltype.toLowerCase()) 
+       {
+		 case "http":
+		    aUrl = ltype + ":" + aUrl;
+   		 break;
+		 case "nntp":
+		    aUrl = ltype + ":" + aUrl;
+   		 break;
+		 case "mailto":
+		    aUrl = ltype + ":" + aUrl;
+   		 break;
+		 case "ftp":
+		    aUrl = ltype + ":" + aUrl;
+   		 break;
+       }
+		 // Did I miss some safe ones?
+		 return aUrl
+	},
+
 	entityEncode: function(aStr)
 	{
 		function replacechar(match) {
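Review bot: cleanHref's allow-list at `switch(ltype.toLowerCase())` does not match its own comment and drops https: the comment promises "news" but only `"nntp"` is a case, and an https link comes back as `//host/path`, which silently loses the secure scheme. The four identical cases only rebuild the string that was split apart, so the function reads more clearly as "return the input when its scheme is allowed, otherwise strip everything up to the first colon", which keeps the original's treatment of colon-free input as a relative reference. `aUrl.split(":")` throws if getLink() returns null (whether it can is outside this diff — verify), and the closing `return aUrl` lacks a semicolon. The `// Did I miss some safe ones?` comment should be replaced by a statement of the policy, e.g. `// Scheme allow-list; any other scheme is removed so the remainder is a relative reference.`
```javascript
	// Partial fix for CVE-2009-4102.
	// Scheme allow-list: keep the URL when its scheme is one we render as a link;
	// any other scheme is removed so the remainder is only a relative reference.
	// Input without a colon is passed through unchanged (relative URL).
	cleanHref: function(aUrl)
	{
		var url = aUrl == null ? "" : String(aUrl);
		var colon = url.indexOf(":");
		if (colon < 0) {
			return url;
		}
		// Everything before the first colon is the scheme candidate, as before.
		switch (url.substring(0, colon).toLowerCase()) {
		case "http":
		case "https":
		case "ftp":
		case "nntp":
		case "news":
		case "mailto":
			return url;
		}
		return url.substring(colon + 1);
	},
```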
