E-book viewer: Prevent javascript in the book from accessing files on the computer using XMLHttpRequest. Fixes #1651728 [Private bug](https://bugs.launchpad.net/calibre/+bug/1651728)

2025-07-08 02:34:06 -04:00 · 2016-12-21 17:59:00 +05:30 · 2016-12-21 17:59:00 +05:30 · 3a89718664
commit 3a89718664
parent 320f81c7c9
2 changed files with 3 additions and 2 deletions
--- a/src/calibre/gui2/tweak_book/preview.py
+++ b/src/calibre/gui2/tweak_book/preview.py
@ -145,6 +145,7 @@ class ParseWorker(Thread):
    def is_alive(self):
        return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive())

+
 parse_worker = ParseWorker()
 # }}}

@ -280,6 +281,7 @@ class WebPage(QWebPage):
        settings.setAttribute(settings.PrivateBrowsingEnabled, True)
        settings.setAttribute(settings.JavascriptCanOpenWindows, False)
        settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
+        settings.setAttribute(settings.LocalContentCanAccessFileUrls, False)  # ensure javascript cannot read from local files
        settings.setAttribute(settings.LinksIncludedInFocusChain, False)
        settings.setAttribute(settings.DeveloperExtrasEnabled, True)
        settings.setDefaultTextEncoding('utf-8')
--- a/src/calibre/gui2/viewer/documentview.py
+++ b/src/calibre/gui2/viewer/documentview.py
@ -53,6 +53,7 @@ def apply_basic_settings(settings):
    settings.setAttribute(QWebSettings.PluginsEnabled, False)
    settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
    settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
+    settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False)  # ensure javascript cannot read from local files
    # PrivateBrowsing disables console messages
    # settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True)
    settings.setAttribute(QWebSettings.NotificationsEnabled, False)
@ -1435,5 +1436,3 @@ class DocumentView(QWebView):  # {{{
            self.link_clicked(qurl)

 # }}}
-
-