I'm using a API from Windows gadgets to launch URLs, but I know the destructive power about things like eval()
and worst and more dangerous, the System.Shell.execute();
But after some research, I think theres no better way to launch URL on the default browser without execute(). Since URLs come from user input, how to prevent users to execute evil-code? My code is SAFE or it can be exploitable? prevent things like this cmd.exe /c REG QUERY HKCU etc
launching cmd.exe with administrator privileges.
function openURL(url){
var protocol=new Array();
//Allowed protocols to execute
protocol[0]='http://';
protocol[1]='https://';
protocol[2]='ftp://';
protocol[3]='search-ms:query=';
for(var i=0;i<protocol.length;i++){
if(url.indexOf(protocol[i])==0){
System.Shell.execute(url);
break;
}
}
}
window.open(); //doesn't work (only open IE);
edit:
allowing this 2 protocols is unsafe file:///
and javascript:
exemples that can be done:
file:///c:/windows/system32/ping.exe
javascript:void( window.open('http://file:///c:/windows/system32/ping.exe','','_blank') );