From 85fe4d6cd6ca8fda08fa2e9432efea8ef2de57c9 Mon Sep 17 00:00:00 2001
From: "mattwillis%gmail.com"
Date: Thu, 1 Feb 2007 01:55:41 +0000
Subject: [PATCH] bug 368858 - Only open http and https URLs (not javascript: ones) r1=dveditz, r2=dmose
git-svn-id: svn://10.0.0.236/trunk@219303 18797224-902f-48f8-a5cc-f745e15eee43
---
 .../calendar/resources/content/applicationUtil.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/mozilla/calendar/resources/content/applicationUtil.js b/mozilla/calendar/resources/content/applicationUtil.js
index 4c26b42e90e..b789c48868e 100644
--- a/mozilla/calendar/resources/content/applicationUtil.js
+++ b/mozilla/calendar/resources/content/applicationUtil.js
@@ -88,6 +88,21 @@ function toAddressBook()
 function launchBrowser(UrlToGoTo)
 {
+ if (!UrlToGoTo) {
+ return;
+ }
+
+ // 0. Prevent people from trying to launch URLs such as javascript:foo();
+ // by only allowing URLs starting with http or https.
+ // XXX: We likely will want to do this using nsIURLs in the future to
+ // prevent sneaky nasty escaping issues, but this is fine for now.
+ if (UrlToGoTo.indexOf("http") != 0) {
+ Components.utils.reportError ("launchBrowser: " +
+ "Invalid URL provided: " + UrlToGoTo +
+ " Only http:// and https:// URLs are valid.");
+ return;
+ }
+
 // 1. try to get (most recent) browser window, in case in browser app.
 var navWindow;
 try {
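Review bot: The new guard in launchBrowser, `UrlToGoTo.indexOf("http") != 0`, is a bare four-letter prefix test, so it does not enforce what the error message claims: any value that merely begins with `http` passes, whether or not it carries an http:// or https:// scheme. It is also case-sensitive and unanchored to the scheme delimiter, so a legitimate `HTTP://` link is rejected. Until the nsIURI-based check mentioned in the XXX comment lands, anchor the test on the full scheme, e.g. `if (!/^https?:\/\//i.test(UrlToGoTo)) {`. The longer-term fix is to parse the string into an nsIURI and accept it only when `schemeIs("http")` or `schemeIs("https")` is true. The rest of launchBrowser lies outside this hunk, so how the accepted string is handed to the browser cannot be checked from here.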