diff options
author | Samuel Mehrbrodt <samuel.mehrbrodt@allotropia.de> | 2023-02-27 15:27:24 +0100 |
---|---|---|
committer | Thorsten Behrens <thorsten.behrens@allotropia.de> | 2023-03-16 01:52:20 +0000 |
commit | 6ce7620a163e9f03c3b4f43162a84e0347ae5b10 (patch) | |
tree | ff58b05d3028e1bbed3533c129b9cb6e1c24c72e | |
parent | 1d9c9ebd552b9394a025fbb9e692451ba9d3460c (diff) |
Check iframe target for allowed document URLs
Change-Id: I00e4192becbc160282a43ab89dcd269f3d1012d8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147919
Tested-by: Jenkins
Reviewed-by: Samuel Mehrbrodt <samuel.mehrbrodt@allotropia.de>
(cherry picked from commit 288c0920a8475f9f2c537212e04aa7649192ad8c)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148230
Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
-rw-r--r-- | sfx2/source/doc/iframe.cxx | 4 | ||||
-rw-r--r-- | sfx2/source/inc/eventsupplier.hxx | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx index aea851894286..c8c0c76357e7 100644 --- a/sfx2/source/doc/iframe.cxx +++ b/sfx2/source/doc/iframe.cxx @@ -46,6 +46,7 @@ #include <vcl/window.hxx> #include <tools/debug.hxx> #include <macroloader.hxx> +#include <eventsupplier.hxx> using namespace ::com::sun::star; @@ -174,6 +175,9 @@ sal_Bool SAL_CALL IFrameObject::load( return false; } + if (!SfxEvents_Impl::isScriptURLAllowed(aTargetURL.Complete)) + return false; + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() ); diff --git a/sfx2/source/inc/eventsupplier.hxx b/sfx2/source/inc/eventsupplier.hxx index 4624ed8b4907..d24345dba1c5 100644 --- a/sfx2/source/inc/eventsupplier.hxx +++ b/sfx2/source/inc/eventsupplier.hxx @@ -87,7 +87,6 @@ public: SfxObjectShell* i_document ); static void Execute( css::uno::Any const & aEventData, const css::document::DocumentEvent& aTrigger, SfxObjectShell* pDoc ); -private: /// Check if script URL whitelist exists, and if so, if current script url is part of it static bool isScriptURLAllowed(const OUString& aScriptURL); }; |