use textContent instead innerHTML to remediateDOM based XSS vulnerbilities

This commit is contained in:
Boik 2017-09-17 11:27:03 +08:00
parent 800ba9a325
commit 26e6f2c46c

View file

@ -5,7 +5,7 @@ const {runInThisContext} = require('vm')
// https://developer.chrome.com/extensions/match_patterns // https://developer.chrome.com/extensions/match_patterns
const matchesPattern = function (pattern) { const matchesPattern = function (pattern) {
if (pattern === '<all_urls>') return true if (pattern === '<all_urls>') return true
const regexp = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$') const regexp = new RegExp(`^${pattern.replace(/\*/g, '.*')}$`)
const url = `${location.protocol}//${location.host}${location.pathname}` const url = `${location.protocol}//${location.host}${location.pathname}`
return url.match(regexp) return url.match(regexp)
} }
@ -23,12 +23,30 @@ const runContentScript = function (extensionId, url, code) {
return compiledWrapper.call(this, context.chrome) return compiledWrapper.call(this, context.chrome)
} }
const runStylesheet = function (url, code) {
const wrapper = `(function (code) {
function init() {
var styleElement = document.createElement('style');
styleElement.setAttribute('type', 'text/css');
styleElement.textContent = code;
document.head.append(styleElement);
}
document.addEventListener('DOMContentLoaded', init);
})`;
const compiledWrapper = runInThisContext(wrapper, {
filename: url,
lineOffset: 1,
displayErrors: true,
});
return compiledWrapper.call(this, code);
}
// Run injected scripts. // Run injected scripts.
// https://developer.chrome.com/extensions/content_scripts // https://developer.chrome.com/extensions/content_scripts
const injectContentScript = function (extensionId, script) { const injectContentScript = function (extensionId, script) {
if (!script.matches.some(matchesPattern)) return if (!script.matches.some(matchesPattern)) return
if (script.js) { if (script.js.length) {
for (const {url, code} of script.js) { for (const {url, code} of script.js) {
const fire = runContentScript.bind(window, extensionId, url, code) const fire = runContentScript.bind(window, extensionId, url, code)
if (script.runAt === 'document_start') { if (script.runAt === 'document_start') {
@ -41,13 +59,16 @@ const injectContentScript = function (extensionId, script) {
} }
} }
if (script.css) { if (script.css.length) {
for (const {code} of script.css) { for (const {url, code} of script.css) {
process.once('document-end', () => { const fire = runStylesheet.bind(window, url, code)
var node = document.createElement('style') if (script.runAt === 'document_start') {
node.innerHTML = code process.once('document-start', fire)
window.document.body.appendChild(node) } else if (script.runAt === 'document_end') {
}) process.once('document-end', fire)
} else if (script.runAt === 'document_idle') {
document.addEventListener('DOMContentLoaded', fire)
}
} }
} }
} }