-rw-r--r--README21
-rw-r--r--tests/test-command.c5
-rw-r--r--uzbl-core.c10
3 files changed, 1 insertions, 35 deletions
diff --git a/README b/README
index 0d6ed04..a22e105 100644
--- a/README
+++ b/README
@@ -397,7 +397,7 @@ The script specific arguments are this:
Custom, userdefined scripts (`spawn foo bar`) get first the arguments as specified in the config and then the above 7 are added at the end.
-### JAVASCRIPT HELPER OBJECT
+### JAVASCRIPT HELPER OBJECT DISABLED BECAUSE OF SECURITY LEAK
Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts (There is no race condition, since all the javascript code runs in a single thread)
@@ -410,25 +410,6 @@ Currently, the `Uzbl` object provides only one function:
* `Uzbl.run("spawn insert_bookmark.sh")`
* `uri = Uzbl.run("print @uri")` (see variable expansion below)
-### JAVASCRIPT SECURITY
-
-Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this:
-
- (function(Uzbl) {
- ...
- })(Uzbl);
-
-This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example:
-
- function f() {
- var Uzbl = window.Uzbl;
- Uzbl.run(...);
- setTimeout(function() {
- Uzbl.run(...);
- }, 500);
- }
-
-Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it.
### EVENTS ###
diff --git a/tests/test-command.c b/tests/test-command.c
index 49f3bb8..fc3b092 100644
--- a/tests/test-command.c
+++ b/tests/test-command.c
@@ -305,11 +305,6 @@ test_js (void) {
parse_cmd_line("js ('x' + 345).toUpperCase()", result);
g_assert_cmpstr("X345", ==, result->str);
- /* uzbl commands can be run from javascript */
- uzbl.net.useragent = "Test useragent";
- parse_cmd_line("js Uzbl.run('print @useragent').toUpperCase();", result);
- g_assert_cmpstr("TEST USERAGENT", ==, result->str);
-
g_string_free(result, TRUE);
}
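Review bot: test_js is left with no assertion about the helper object, so nothing would fail if the `Uzbl` global were exposed to scripts again later. A negative check after the `X345` assertion would pin the fix, for example `parse_cmd_line("js typeof Uzbl", result);` followed by `g_assert_cmpstr("undefined", ==, result->str);`. This assumes `result` is overwritten on each call rather than appended to, which the removed assertion appears to rely on.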
diff --git a/uzbl-core.c b/uzbl-core.c
index fd8ee41..fca293c 100644
--- a/uzbl-core.c
+++ b/uzbl-core.c
@@ -1046,7 +1046,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
WebKitWebFrame *frame;
JSGlobalContextRef context;
JSObjectRef globalobject;
- JSStringRef var_name;
JSStringRef js_script;
JSValueRef js_result;
@@ -1059,12 +1058,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
context = webkit_web_frame_get_global_context(frame);
globalobject = JSContextGetGlobalObject(context);
- /* uzbl javascript namespace */
- var_name = JSStringCreateWithUTF8CString("Uzbl");
- JSObjectSetProperty(context, globalobject, var_name,
- JSObjectMake(context, uzbl.js.classref, NULL),
- kJSClassAttributeNone, NULL);
-
/* evaluate the script and get return value*/
js_script = JSStringCreateWithUTF8CString(script);
js_result = JSEvaluateScript(context, js_script, globalobject, NULL, 0, NULL);
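Review bot: Nothing in eval_js records why the `Uzbl` namespace is no longer installed before `JSEvaluateScript`; the reason survives only in the README heading. A comment above the evaluation, such as `/* the Uzbl helper object is deliberately not exposed: the script runs against the frame's global object, which page scripts share */`, would keep the property from being restored by mistake. `uzbl.js.classref` is not touched in the visible hunks, so whatever creates that class presumably remains and could be removed or marked unused in a follow-up. eval_js starts and ends outside this hunk.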
@@ -1082,9 +1075,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
}
/* cleanup */
- JSObjectDeleteProperty(context, globalobject, var_name, NULL);
-
- JSStringRelease(var_name);
JSStringRelease(js_script);
}