Bug 406032: Block update info urls that are not http/https. r=robstrong, a=schrep
authordtownsend@oxymoronical.com
Mon, 03 Dec 2007 04:24:41 -0800
changeset 8584 112a5e7f7607ab9eb9fbc6bf175df32abd11febb
parent 8583 be710ed5a5e3047ec565cab66a1db4e0c8ea2e98
child 8585 2cb7ff670bdd2aba5890194f0274aee61bed4337
push idunknown
push userunknown
push dateunknown
reviewersrobstrong, schrep
bugs406032
milestone1.9b2pre
Bug 406032: Block update info urls that are not http/https. r=robstrong, a=schrep
toolkit/mozapps/extensions/content/extensions.js
--- a/toolkit/mozapps/extensions/content/extensions.js
+++ b/toolkit/mozapps/extensions/content/extensions.js
@@ -1159,22 +1159,29 @@ function onAddonSelect(aEvent)
           previewImageDeck.selectedIndex = 1;
           if (previewImage.hasAttribute("src"))
             previewImage.removeAttribute("src");
         }
       }
     }
     else if (gView == "updates") {
       UpdateInfoLoader.cancelLoad();
-      if (!gExtensionsView.selectedItem)
+      if (!gExtensionsView.selectedItem) {
         previewImageDeck.selectedIndex = 3;
-      else if (!gExtensionsView.selectedItem.hasAttribute("availableUpdateInfo"))
-        previewImageDeck.selectedIndex = 4;
-      else
-        UpdateInfoLoader.loadInfo(gExtensionsView.selectedItem.getAttribute("availableUpdateInfo"));
+      }
+      else {
+        try {
+          var uri = makeURI(gExtensionsView.selectedItem.getAttribute("availableUpdateInfo"));
+          var scheme = uri.scheme;
+        } catch (ex) {}
+        if (uri && (scheme == "http" || scheme == "https"))
+          UpdateInfoLoader.loadInfo(uri.spec);
+        else
+          previewImageDeck.selectedIndex = 4;
+      }
     }
   }
 }
 
 /**
  * Manages the retrieval of update information and the xsl stylesheet
  * used to format the inforation into chrome.
  */
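Review bot: The http/https allowlist added in the `gView == "updates"` branch duplicates the one in `cmd_homepage` (second hunk), so the scheme policy now lives in two places that can drift apart. A small helper that returns the parsed URI or null would keep it in one place, as sketched below. The explicit `hasAttribute("availableUpdateInfo")` test is gone, so an item without the attribute reaches panel 4 only because `makeURI` presumably throws on an empty spec, which deserves a comment. The check also covers only the stored URI; whether `UpdateInfoLoader.loadInfo` constrains redirects to http/https is not visible here and is worth confirming. `onAddonSelect` begins before this hunk.

```javascript
// Returns the parsed URI for aSpec when it uses http or https, else null.
// A missing or malformed spec is treated the same as a disallowed scheme.
function getHttpURI(aSpec)
{
  try {
    var uri = makeURI(aSpec);
  } catch (ex) {
    return null;
  }
  return (uri.scheme == "http" || uri.scheme == "https") ? uri : null;
}

// … unchanged: onAddonSelect up to the selectedItem check in the "updates" branch …
      else {
        var uri = getHttpURI(gExtensionsView.selectedItem.getAttribute("availableUpdateInfo"));
        if (uri)
          UpdateInfoLoader.loadInfo(uri.spec);
        else
          previewImageDeck.selectedIndex = 4;
      }
```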
@@ -1984,21 +1991,19 @@ var gExtensionsViewController = {
       openDialog(optionsURL, "", features);
     },
 
     cmd_homepage: function (aSelectedItem)
     {
       if (!aSelectedItem) return;
       var homepageURL = aSelectedItem.getAttribute("homepageURL");
       // only allow http(s) homepages
-      var scheme = "";
-      var uri = null;
       try {
-        uri = makeURI(homepageURL);
-        scheme = uri.scheme;
+        var uri = makeURI(homepageURL);
+        var scheme = uri.scheme;
       } catch (ex) {}
       if (uri && (scheme == "http" || scheme == "https"))
         openURL(uri.spec);
     },
 
     cmd_about: function (aSelectedItem)
     {
       if (!aSelectedItem) return;
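Review bot: Dropping the `uri = null` / `scheme = ""` initialisers in `cmd_homepage` makes the fail-closed default implicit: when `makeURI` throws, the later `uri && ...` test is false only because the `var` declared inside the `try` is hoisted and left undefined. That works, but the empty `catch (ex) {}` gives a reader no hint that rejection is the intended outcome. I would add a comment inside it such as `// Unparseable or missing URL: uri stays undefined, so nothing is opened.` The enclosing `gExtensionsViewController` object starts before and continues past this hunk.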