Version: 2.14 (using KDE 4.4.2) OS: Linux Installed from: Fedora RPMs ark uses KHTML part to preview HTML files stored in archives. Previewed HTML files are treated as local files and included javascripts are executed with null document.domain. This has certain risks such as those noted in bug #235468. While proper fix to that bug can mitigate some risks, disabling javascript in ark preview should offer a protection against future similar issues. Steps to reproduce: - take reproducer from bug #235468 - add it to some archive - open it in ark, preview html file, javascript is executed
SVN commit 1119906 by rkcosta: When opening an HTML file with KHTMLPart, disable Java, JavaScript, plugins and external references. This is a saner and safer default, since the archive might come from an unknown and untrusted sender. If access to the disabled stuff is needed, the user should simply extract the file and view it in a browser. See also bug 235468. BUG: 235546 M +1 -2 CMakeLists.txt M +14 -0 arkviewer.cpp WebSVN link: http://websvn.kde.org/?view=rev&revision=1119906
SVN commit 1119908 by rkcosta: Backport r1119906. When opening an HTML file with KHTMLPart, disable Java, JavaScript, plugins and external references. This is a saner and safer default, since the archive might come from an unknown and untrusted sender. If access to the disabled stuff is needed, the user should simply extract the file and view it in a browser. See also bug 235468. CCBUG: 235546 M +1 -2 CMakeLists.txt M +14 -0 arkviewer.cpp WebSVN link: http://websvn.kde.org/?view=rev&revision=1119908