if (Log.on) Log.log(Platform.class, "xwt.newBrowserWindow() only supports http and https urls");
return;
}
+
+ // check the URL for well-formedness, as a defense against buffer overflow attacks
+ try {
+ String u = url;
+ if (u.startsWith("https")) u = "http" + u.substring(5);
+ new URL(u);
+ } catch (MalformedURLException e) {
+ if (Log.on) Log.log(Platform.class, "URL " + url + " is not well-formed");
+ if (Log.on) Log.log(Platform.class, e);
+ }
+
if (Log.on) Log.log(Platform.class, "newBrowserWindow, url = " + url);
platform._newBrowserWindow(url);
}
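Review bot: The new `catch (MalformedURLException e)` block only logs and then falls through, so a URL that fails the well-formedness check is still handed to `platform._newBrowserWindow(url)`. End the catch with `return;`, as the scheme check just above it does, so the validation actually rejects the input. Note also that `new URL(u)` only proves the string parses as a URL and puts no bound on its length. If the concern is an overflow in the native browser-launch path, which is not visible here, an explicit maximum length check before the call would be a more direct guard. A short comment on why `https` is rewritten to `http` before parsing would help the next reader. The enclosing method starts outside this hunk.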