Check iframe target for allowed document URLs
Change-Id: I00e4192becbc160282a43ab89dcd269f3d1012d8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147919
Tested-by: Jenkins
Reviewed-by: Samuel Mehrbrodt <samuel.mehrbrodt@allotropia.de>
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index e4ea73d..5672f3e 100644
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -46,6 +46,7 @@
#include <vcl/window.hxx>
#include <tools/debug.hxx>
#include <macroloader.hxx>
#include <eventsupplier.hxx>
using namespace ::com::sun::star;
@@ -173,6 +174,9 @@ sal_Bool SAL_CALL IFrameObject::load(
return false;
}
if (!SfxEvents_Impl::isScriptURLAllowed(aTargetURL.Complete))
return false;
DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
diff --git a/sfx2/source/inc/eventsupplier.hxx b/sfx2/source/inc/eventsupplier.hxx
index 56aa8f9..316b3b18 100644
--- a/sfx2/source/inc/eventsupplier.hxx
+++ b/sfx2/source/inc/eventsupplier.hxx
@@ -81,7 +81,6 @@ public:
SfxObjectShell* i_document );
static void Execute( css::uno::Sequence < css::beans::PropertyValue > const & aEventData, const css::document::DocumentEvent& aTrigger, SfxObjectShell* pDoc );
private:
/// Check if script URL whitelist exists, and if so, if current script url is part of it
static bool isScriptURLAllowed(const OUString& aScriptURL);
};
