Move sanitation to insider reader mode

This protects us against someone opening a malicious reader
URL + anchor
Oliver Blanthorn 2023-04-05 21:34:11 +02:00
parent cbcf6f4521
commit d815ad6b88
No known key found for this signature in database
GPG key ID: 2BB8C36BB504BFF3
2 changed files with 2 additions and 4 deletions


@ -5991,16 +5991,12 @@ export async function extoptions(...optionNameArgs: string[]) {
} }
//#content_helper //#content_helper
// {
import { Readability } from "@mozilla/readability" import { Readability } from "@mozilla/readability"
import xss from "xss"
// }
//#content_helper //#content_helper
export async function readerurl() { export async function readerurl() {
document.querySelectorAll(".TridactylStatusIndicator").forEach(ind => ind.parentNode.removeChild(ind)) document.querySelectorAll(".TridactylStatusIndicator").forEach(ind => ind.parentNode.removeChild(ind))
const article = new Readability(document.cloneNode(true) as any as Document).parse() const article = new Readability(document.cloneNode(true) as any as Document).parse()
article.content = xss(article.content, {stripIgnoreTag: true})
article["link"] = window.location.href article["link"] = window.location.href
return browser.runtime.getURL("static/reader.html#" + btoa(encodeURIComponent(JSON.stringify(article)))) return browser.runtime.getURL("static/reader.html#" + btoa(encodeURIComponent(JSON.stringify(article))))
} }
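Review bot: With the `xss(...)` call removed, `readerurl()` now places raw Readability output in the `static/reader.html#` fragment, so the payload is only as safe as whatever the reader page does after decoding the hash, and nothing in this function records that dependency. A comment above the `return` would stop a later caller from treating the payload as already clean, e.g. `// article.content is NOT sanitised here; static/reader.html must sanitise the decoded fragment before rendering it`. Separately, `Readability.parse()` can return `null` when it cannot extract an article, in which case `article["link"] = window.location.href` throws. A guard such as `if (article === null) throw new Error("Readability could not parse this page")` before that line would make the failure explicit.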


@ -1,7 +1,9 @@
// import * as config from "@src/lib/config" // import * as config from "@src/lib/config"
import xss from "xss"
function updatePage(){ function updatePage(){
const article = JSON.parse(decodeURIComponent(atob(window.location.hash.substr(1)))) const article = JSON.parse(decodeURIComponent(atob(window.location.hash.substr(1))))
article.content = xss(article.content, {stripIgnoreTag: true})
document.body.innerHTML = article.content document.body.innerHTML = article.content
if (article.title !== undefined) { if (article.title !== undefined) {
const header = document.createElement("header") const header = document.createElement("header")