Force a whitelist for URL schemes

Codeux-Software · Jan 26, 2016 · 422a6c8f7e750df506adaebb2db4bfa23f6aaa37 · 422a6c8
1 parent 4748e87
commit 422a6c8f7e750df506adaebb2db4bfa23f6aaa37
Unified Split

Showing with 41 additions and 3 deletions.

+20 −1 Classes/Views/Channel View/TVCLogPolicy.m

+1 −1 Frameworks/Auto Hyperlinks

+6 −1 Resources/Language Files/BasicLanguage.strings

+14 −0 Resources/Property Lists/RegisteredUserDefaults.plist
diff --git a/Classes/Views/Channel View/TVCLogPolicy.m b/Classes/Views/Channel View/TVCLogPolicy.m
@@ -201,7 +201,26 @@ - (void)webView:(WebView *)webView decidePolicyForNavigationAction:(NSDictionary
 	if (action == WebNavigationTypeLinkClicked) {
 		[listener ignore];
 
-		[TLOpenLink open:actionInformation[WebActionOriginalURLKey]];
+		NSURL *actionURL = actionInformation[WebActionOriginalURLKey];
+
+		if (NSObjectsAreEqual([actionURL scheme], @"http") == NO &&
+			NSObjectsAreEqual([actionURL scheme], @"https") == NO &&
+			NSObjectsAreEqual([actionURL scheme], @"textual") == NO)
+		{
+			BOOL openLink =
+			[TLOPopupPrompts dialogWindowWithMessage:TXTLS(@"BasicLanguage[1290][2]")
+											   title:TXTLS(@"BasicLanguage[1290][1]", [actionURL absoluteString])
+									   defaultButton:TXTLS(@"BasicLanguage[1290][3]")
+									 alternateButton:TXTLS(@"BasicLanguage[1009]")
+									  suppressionKey:@"open_non_http_url_warning"
+									 suppressionText:nil];
+
+			if (openLink == NO) {
+				return;
+			}
+		}
+
+		[TLOpenLink open:actionURL];
 	} else {
 		[listener use];
 	}

diff --git a/Frameworks/Auto Hyperlinks b/Frameworks/Auto Hyperlinks
diff --git a/Resources/Language Files/BasicLanguage.strings b/Resources/Language Files/BasicLanguage.strings
@@ -784,9 +784,14 @@
 "BasicLanguage[1287][2]" = "Would you like to launch the “Textual Extras” installer to perform update?";
 "BasicLanguage[1287][3]" = "Launch Installer";
 
+/* Non-HTTP link warning */
+"BasicLanguage[1290][1]" = "Please verify that you would like to open the following URL: %@";
+"BasicLanguage[1290][2]" = "The linked you clicked will launch an application other than your web browser which could possibly lead to the leak of your personal information.";
+"BasicLanguage[1290][3]" = "I Understand, Continue";
 
 
 
-/* Next unusued key: 1290 */
+
+/* Next unusued key: 1291 */
 
 
diff --git a/Resources/Property Lists/RegisteredUserDefaults.plist b/Resources/Property Lists/RegisteredUserDefaults.plist
@@ -2,6 +2,20 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.adiumX.AutoHyperlinks.permittedSchemes</key>
+	<array>
+		<string>feed</string>
+		<string>ftp</string>
+		<string>irc</string>
+		<string>ircs</string>
+		<string>itms</string>
+		<string>sftp</string>
+		<string>ssh</string>
+		<string>telnet</string>
+		<string>textual</string>
+		<string>webcal</string>
+		<string>x-man-page</string>
+	</array>
 	<key>-[NSString isValidInternetAddress] Performs Extended Validation</key>
 	<true/>
 	<key>AutojoinMaximumChannelJoinCount</key>
+41 −7		Classes/AHHyperlinkScanner.m
+3 −4		Classes/AHLinkLexer.h
+4 −4		Classes/AHLinkLexer.l