Cutlery/calibre
1
0
Fork 0
mirror of https://github.com/kovidgoyal/calibre.git synced 2025-07-08 02:34:06 -04:00
Code Issues Packages Projects Releases Wiki Activity

E-book viewer: Prevent javascript in the book from accessing files on the computer using XMLHttpRequest. Fixes #1651728 [Private bug](https://bugs.launchpad.net/calibre/+bug/1651728)

Browse Source
This commit is contained in:
Kovid Goyal 2016-12-21 17:59:00 +05:30
parent 320f81c7c9
commit 3a89718664
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/calibre/gui2/tweak_book/preview.py
View File

@ -145,6 +145,7 @@ class ParseWorker(Thread):
def is_alive(self): def is_alive(self):
return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive()) return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive())
parse_worker = ParseWorker() parse_worker = ParseWorker()
# }}} # }}}
@ -280,6 +281,7 @@ class WebPage(QWebPage):
settings.setAttribute(settings.PrivateBrowsingEnabled, True) settings.setAttribute(settings.PrivateBrowsingEnabled, True)
settings.setAttribute(settings.JavascriptCanOpenWindows, False) settings.setAttribute(settings.JavascriptCanOpenWindows, False)
settings.setAttribute(settings.JavascriptCanAccessClipboard, False) settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
settings.setAttribute(settings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
settings.setAttribute(settings.LinksIncludedInFocusChain, False) settings.setAttribute(settings.LinksIncludedInFocusChain, False)
settings.setAttribute(settings.DeveloperExtrasEnabled, True) settings.setAttribute(settings.DeveloperExtrasEnabled, True)
settings.setDefaultTextEncoding('utf-8') settings.setDefaultTextEncoding('utf-8')

3
src/calibre/gui2/viewer/documentview.py
View File

@ -53,6 +53,7 @@ def apply_basic_settings(settings):
settings.setAttribute(QWebSettings.PluginsEnabled, False) settings.setAttribute(QWebSettings.PluginsEnabled, False)
settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False) settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False) settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
# PrivateBrowsing disables console messages # PrivateBrowsing disables console messages
# settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True) # settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True)
settings.setAttribute(QWebSettings.NotificationsEnabled, False) settings.setAttribute(QWebSettings.NotificationsEnabled, False)
@ -1435,5 +1436,3 @@ class DocumentView(QWebView): # {{{
self.link_clicked(qurl) self.link_clicked(qurl)
# }}} # }}}