Correctly validate URLs in XFA documents (bug 1731240)

With this patch we'll ensure that only valid absolute URLs can be used in XFA documents, similar to the existing validation done for "regular" PDF documents. Furthermore, we'll also attempt to add a default protocol (i.e. `http`) to URLs beginning with "www." in XFA documents as well; this on its own is enough to fix https://bugzilla.mozilla.org/show_bug.cgi?id=1731240
2025-04-20 15:18:08 +02:00 · 2021-09-20 14:36:43 +02:00 · 2021-09-20 14:36:43 +02:00 · 81a1c1cef7
commit 81a1c1cef7
parent 580bfad628
4 changed files with 106 additions and 21 deletions
--- a/test/unit/xfa_tohtml_spec.js
+++ b/test/unit/xfa_tohtml_spec.js
@ -522,4 +522,70 @@ describe("XFAFactory", function () {
    expect(field1).not.toEqual(null);
    expect(field1.attributes.value).toEqual("123");
  });
+
+  it("should parse URLs correctly", function () {
+    function getXml(href) {
+      return `
+<?xml version="1.0"?>
+<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
+  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3">
+    <subform name="root" mergeMode="matchTemplate">
+      <pageSet>
+        <pageArea>
+          <contentArea x="0pt" w="456pt" h="789pt"/>
+          <medium stock="default" short="456pt" long="789pt"/>
+          <draw name="url" y="5.928mm" x="128.388mm" w="71.237mm" h="9.528mm">
+            <value>
+              <exData contentType="text/html">
+                <body xmlns="http://www.w3.org/1999/xhtml">
+                  <a href="${href}">${href}</a>
+                </body>
+              </exData>
+            </value>
+          </draw>
+        </pageArea>
+      </pageSet>
+    </subform>
+  </template>
+  <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
+    <xfa:data>
+    </xfa:data>
+  </xfa:datasets>
+</xdp:xdp>
+      `;
+    }
+    let factory, pages, a;
+
+    // A valid, and complete, URL.
+    factory = new XFAFactory({ "xdp:xdp": getXml("https://www.example.com/") });
+    expect(factory.numberPages).toEqual(1);
+    pages = factory.getPages();
+    a = searchHtmlNode(pages, "name", "a");
+    expect(a.value).toEqual("https://www.example.com/");
+    expect(a.attributes.href).toEqual("https://www.example.com/");
+
+    // A valid, but incomplete, URL.
+    factory = new XFAFactory({ "xdp:xdp": getXml("www.example.com/") });
+    expect(factory.numberPages).toEqual(1);
+    pages = factory.getPages();
+    a = searchHtmlNode(pages, "name", "a");
+    expect(a.value).toEqual("www.example.com/");
+    expect(a.attributes.href).toEqual("http://www.example.com/");
+
+    // A valid email-address.
+    factory = new XFAFactory({ "xdp:xdp": getXml("mailto:test@example.com") });
+    expect(factory.numberPages).toEqual(1);
+    pages = factory.getPages();
+    a = searchHtmlNode(pages, "name", "a");
+    expect(a.value).toEqual("mailto:test@example.com");
+    expect(a.attributes.href).toEqual("mailto:test@example.com");
+
+    // Not a valid URL.
+    factory = new XFAFactory({ "xdp:xdp": getXml("qwerty/") });
+    expect(factory.numberPages).toEqual(1);
+    pages = factory.getPages();
+    a = searchHtmlNode(pages, "name", "a");
+    expect(a.value).toEqual("qwerty/");
+    expect(a.attributes.href).toEqual("");
+  });
 });