ETH-02-cure-fixes #2 (#1477)

* updated package elemeents

* fixed max callstack error

* remove URL from error page

* remove URL from error page

* improved url updating

* fix ETH-02-003

* added Blaze._escape to the url.protocol

* use shorthand for `url: url`

* remove function connotation with string.

* updated signatures

* reverted url shorthand

Author: frozeman

errorPages/400.html

@@ -14,8 +14,6 @@
     padding-top: 100px;
     ">
         <span style="font-size: 80px;">✘</span><br>
-        This URL is not allowed<br>
-        <br>
-        <span style="font-family: courier;"><script>document.write(location.search.replace("?",""))</script></span>
+        This URL is not allowed.
     </body>
 </html>

interface/client/lib/helpers/helperFunctions.js

@@ -106,6 +106,7 @@ Helpers.generateBreadcrumb = function (url) {
     var pathname;
 
     filteredUrl = {
+        protocol: Blaze._escape(url.protocol),
         host: Blaze._escape(url.host),
         pathname: Blaze._escape(url.pathname)
     };
@@ -114,7 +115,7 @@ Helpers.generateBreadcrumb = function (url) {
         return el === '';
     });
 
-    return new Spacebars.SafeString(_.flatten(['<span>' + filteredUrl.host + ' </span>', pathname]).join(' ▸ '));
+    return new Spacebars.SafeString(filteredUrl.protocol +'//'+ _.flatten(['<span>' + filteredUrl.host + ' </span>', pathname]).join(' ▸ '));
 };
 
 /**

interface/client/templates/views/webview.js

@@ -15,7 +15,8 @@ The tab template
 Template['views_webview'].onRendered(function(){
     var template = this,
         tabId = template.data._id,
-        webview = this.find('webview');
+        webview = template.find('webview');
+
 
     // Send updated TEST DATA
     if(tabId === 'tests') {
@@ -29,6 +30,7 @@ Template['views_webview'].onRendered(function(){
         });
     }
 
+
     ipc.on('uiAction_reloadSelectedTab', function(e) {
         console.log('uiAction_reloadSelectedTab', LocalStore.get('selectedTab'));
         if(LocalStore.get('selectedTab') === this._id){
@@ -53,7 +55,7 @@ Template['views_webview'].onRendered(function(){
     // set page history
     webview.addEventListener('dom-ready', function(e){
 
-        var titleFull = this.getTitle(),
+        var titleFull = webview.getTitle(),
             title = titleFull;
 
         if(titleFull && titleFull.length > 40) {
@@ -64,7 +66,8 @@ Template['views_webview'].onRendered(function(){
         // update the title
         Tabs.update(tabId, {$set: {
             name: title,
-            nameFull: titleFull
+            nameFull: titleFull,
+            // url: webview.getURL(),
         }});
 
         webviewLoadStop.call(this, tabId, e);
@@ -83,6 +86,7 @@ Template['views_webview'].onRendered(function(){
     }));
 });
 
+
 Template['views_webview'].helpers({
     /**
     Determines if the current tab is visible
@@ -100,28 +104,44 @@ Template['views_webview'].helpers({
     'checkedUrl': function(){
         var template = Template.instance();
         var tab = Tabs.findOne(this._id, {fields: {redirect: 1}});
+        var url;
 
         if(tab) {
 
             // set url only once
             if(tab.redirect) {
-                template.url = tab.redirect;
+                url = tab.redirect;
+
+                // remove redirect
+                Tabs.update(this._id, {$unset: {
+                    redirect: ''
+                }});
             }
 
-            // remove redirect
-            Tabs.update(this._id, {$unset: {
-                redirect: ''
-            }, $set: {
-                url: template.url
-            }});
 
             // CHECK URL and throw error if not allowed
-            if(!Helpers.sanitizeUrl(template.url, true)) {
-                console.log('Not allowed URL: '+ template.url);
-                return 'file://'+ dirname + '/errorPages/400.html?'+ template.url;
+            if(!Helpers.sanitizeUrl(url, true)) {
+
+                // Prevent websites usingt the history back attacks
+                if(template.view.isRendered) {
+                    // get the current webview
+                    var webview = template.find('webview');
+                    webview.clearHistory();
+                }
+
+                console.warn('Not allowed URL: '+ template.url);
+                return 'file://'+ dirname + '/errorPages/400.html';
             }
 
-            return Helpers.formatUrl(template.url);
+            // remove redirect
+            if(url) {
+                template.url = url;
+                Tabs.update(this._id, {$set: {
+                    url: url
+                }});
+            }
+
+            return Helpers.formatUrl(url);
         }
     }
-});
+});

interface/client/templates/webviewEvents.js

@@ -68,13 +68,14 @@ webviewLoadStart = function(currentTabId, e){
 
     if(e.type === 'did-get-redirect-request' && !e.isMainFrame)
         return;
+
+    console.log(e.type, currentTabId, e);
 
     // stop this action, as the redirect happens reactive through setting the URL attribute
     e.preventDefault(); // doesnt work
     webview.stop();
     ipc.send('backendAction_stopFocusedWebviewNavigation'); // race condition? cant cancel fast enough sometimes?
-
-    console.log(e.type, currentTabId, e);
+    
 
     var url = Helpers.sanitizeUrl(e.newURL || e.url);
     var tabId = Helpers.getTabIdByUrl(url);