core security update
@@ -350,7 +350,7 @@ Drupal.overlay.setFocusBefore = function ($element, document) {
|
||||
* TRUE if the URL represents an administrative link, FALSE otherwise.
|
||||
*/
|
||||
Drupal.overlay.isAdminLink = function (url) {
|
||||
if (Drupal.overlay.isExternalLink(url)) {
|
||||
if (!Drupal.urlIsLocal(url)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -378,6 +378,8 @@ Drupal.overlay.isAdminLink = function (url) {
|
||||
/**
|
||||
* Determine whether a link is external to the site.
|
||||
*
|
||||
* Deprecated. Use Drupal.urlIsLocal() instead.
|
||||
*
|
||||
* @param url
|
||||
* The URL to be tested.
|
||||
*
|
||||
@@ -385,8 +387,28 @@ Drupal.overlay.isAdminLink = function (url) {
|
||||
* TRUE if the URL is external to the site, FALSE otherwise.
|
||||
*/
|
||||
Drupal.overlay.isExternalLink = function (url) {
|
||||
var re = RegExp('^((f|ht)tps?:)?//(?!' + window.location.host + ')');
|
||||
return re.test(url);
|
||||
return !Drupal.urlIsLocal(url);
|
||||
};
|
||||
|
||||
/**
|
||||
* Constructs an internal URL (relative to this site) from the provided path.
|
||||
*
|
||||
* For example, if the provided path is 'admin' and the site is installed at
|
||||
* http://example.com/drupal, this function will return '/drupal/admin'.
|
||||
*
|
||||
* @param path
|
||||
* The internal path, without any leading slash.
|
||||
*
|
||||
* @return
|
||||
* The internal URL derived from the provided path, or null if a valid
|
||||
* internal path cannot be constructed (for example, if an attempt to create
|
||||
* an external link is detected).
|
||||
*/
|
||||
Drupal.overlay.getInternalUrl = function (path) {
|
||||
var url = Drupal.settings.basePath + path;
|
||||
if (Drupal.urlIsLocal(url)) {
|
||||
return url;
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -577,7 +599,7 @@ Drupal.overlay.eventhandlerOverrideLink = function (event) {
|
||||
// If the link contains the overlay-restore class and the overlay-context
|
||||
// state is set, also update the parent window's location.
|
||||
var parentLocation = ($target.hasClass('overlay-restore') && typeof $.bbq.getState('overlay-context') == 'string')
|
||||
? Drupal.settings.basePath + $.bbq.getState('overlay-context')
|
||||
? this.getInternalUrl($.bbq.getState('overlay-context'))
|
||||
: null;
|
||||
href = this.fragmentizeLink($target.get(0), parentLocation);
|
||||
// Only override default behavior when left-clicking and user is not
|
||||
@@ -657,11 +679,15 @@ Drupal.overlay.eventhandlerOperateByURLFragment = function (event) {
|
||||
}
|
||||
|
||||
// Get the overlay URL from the current URL fragment.
|
||||
var internalUrl = null;
|
||||
var state = $.bbq.getState('overlay');
|
||||
if (state) {
|
||||
internalUrl = this.getInternalUrl(state);
|
||||
}
|
||||
if (internalUrl) {
|
||||
// Append render variable, so the server side can choose the right
|
||||
// rendering and add child frame code to the page if needed.
|
||||
var url = $.param.querystring(Drupal.settings.basePath + state, { render: 'overlay' });
|
||||
var url = $.param.querystring(internalUrl, { render: 'overlay' });
|
||||
|
||||
this.open(url);
|
||||
this.resetActiveClass(this.getPath(Drupal.settings.basePath + state));
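Review bot: `Drupal.overlay.getInternalUrl` falls off the end when `Drupal.urlIsLocal(url)` rejects the URL, so it returns `undefined` although its docblock promises `null`; adding an explicit `return null;` after the `if` block would make the code match the documented contract. In the `eventhandlerOverrideLink` hunk that result becomes `parentLocation` and is handed to `fragmentizeLink`, which on this path previously only received a string or `null`; whether it treats `undefined` the same way is not visible here. In the last hunk, `resetActiveClass` still rebuilds its argument from `Drupal.settings.basePath + state`; the value is identical to the checked one today, but `this.resetActiveClass(this.getPath(internalUrl));` would keep a single validated value in use if `getInternalUrl` ever normalises its input. Both event handlers start and end outside their hunks, so how `this` is bound for the `this.getInternalUrl` calls cannot be confirmed from this page.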
|
||||
|
||||