LibWebView: Do not use AK::format to format search engine URLs

This is to prepare for custom search engines. If we use AK::format, it would be trivial for a user (or bad actor) to come up with a template search engine URL that ultimately crashes the browser due to internal assertions in AK::format. For example: https://example.com/crash={1} Rather than coming up with a complicated pre-format validator, let's just not use AK::format. Custom URLs will signify their template query parameters with "%s". So we can do the same with our built-in engines. When it comes time to format the URL, we will do a simple string replacement.
Author: https://github.com/trflynn89 Commit: dbf4b189a4 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4237
2025-08-07 08:39:22 +00:00 · 2025-04-04 17:32:04 -04:00 · 2025-04-04 17:32:04 -04:00 · dbf4b189a4 · 2025-04-06 11:46:09 +00:00
commit dbf4b189a4
parent cbee476dac
9 changed files with 44 additions and 56 deletions
--- a/UI/Qt/LocationEdit.cpp
+++ b/UI/Qt/LocationEdit.cpp
@ -36,16 +36,12 @@ LocationEdit::LocationEdit(QWidget* parent)

        clearFocus();

-        Optional<StringView> search_engine_url;
-        if (auto const& search_engine = WebView::Application::settings().search_engine(); search_engine.has_value())
-            search_engine_url = search_engine->query_url;
-
        auto query = ak_string_from_qstring(text());

        auto ctrl_held = QApplication::keyboardModifiers() & Qt::ControlModifier;
        auto append_tld = ctrl_held ? WebView::AppendTLD::Yes : WebView::AppendTLD::No;

-        if (auto url = WebView::sanitize_url(query, search_engine_url, append_tld); url.has_value())
+        if (auto url = WebView::sanitize_url(query, WebView::Application::settings().search_engine(), append_tld); url.has_value())
            set_url(url.release_value());
    });