From: Pseudochu <pseudochu@gmail.com>
Date: Fri, 13 Jun 2014 17:08:20 +0000 (+0300)
Subject: Patching XSS vulnerability
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c67de46d6cee08f10d65984746fe5a153f02bd27;p=KiwiIRC.git

Patching XSS vulnerability

The following message produces a clickable link that triggers JavaScript when clicked (pre-patch):
javascript://www.google.com/?%0Aalert(0);

Patch was designed to prevent this while maintaining support for arbitrary link protocols.
---

diff --git a/client/src/views/channel.js b/client/src/views/channel.js
index 3819ddf..5c83320 100644
--- a/client/src/views/channel.js
+++ b/client/src/views/channel.js
@@ -88,6 +88,10 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
             var nice = url,
                 extra_html = '';
 
+            if (url.match(/^javascript:/)) {
+                return url;
+            }
+
             // Add the http if no protoocol was found
             if (url.match(/^www\./)) {
                 url = 'http://' + url;