Allow disabling JavaScript in basic viewer (#3089)

And:
- Prevent JavaScript inside notes from executing in reports
- Update calls to openInViewer() to pass an options object
Abe Jellinek 2023-04-20 15:50:57 -04:00 committed by GitHub
parent 78a81f321a
commit c7d30ebde4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 69 additions and 42 deletions


@ -140,18 +140,20 @@ Zotero_Preferences.Cite = {
openStylesPage: function () {
Zotero.openInViewer("https://www.zotero.org/styles/", function (doc) {
// Hide header, intro paragraph, Link, and Source
//
// (The first two aren't sent to the client normally, but hide anyway in case they are.)
var style = doc.createElement('style');
style.type = 'text/css';
style.innerHTML = 'h1, #intro, .style-individual-link, .style-view-source { display: none !important; }'
// TEMP: Default UA styles that aren't being included in Firefox 60 for some reason
+ 'html { background: #fff; }'
+ 'a { color: rgb(0, 0, 238) !important; text-decoration: underline; }'
+ 'a:active { color: rgb(238, 0, 0) !important; }';
doc.getElementsByTagName('head')[0].appendChild(style);
Zotero.openInViewer("https://www.zotero.org/styles/", {
onLoad(doc) {
// Hide header, intro paragraph, Link, and Source
//
// (The first two aren't sent to the client normally, but hide anyway in case they are.)
var style = doc.createElement('style');
style.type = 'text/css';
style.innerHTML = 'h1, #intro, .style-individual-link, .style-view-source { display: none !important; }'
// TEMP: Default UA styles that aren't being included in Firefox 60 for some reason
+ 'html { background: #fff; }'
+ 'a { color: rgb(0, 0, 238) !important; text-decoration: underline; }'
+ 'a:active { color: rgb(238, 0, 0) !important; }';
doc.getElementsByTagName('head')[0].appendChild(style);
}
});
},


@ -61,10 +61,10 @@
<hbox>
<button id="openCSLEdit"
label="&zotero.preferences.styleEditor;"
oncommand="Zotero.openInViewer('chrome://zotero/content/tools/csledit.xhtml', true)"/>
oncommand="Zotero.openInViewer('chrome://zotero/content/tools/csledit.xhtml')"/>
<button id="openCSLPreview"
label="&zotero.preferences.stylePreview;"
oncommand="Zotero.openInViewer('chrome://zotero/content/tools/cslpreview.xhtml', true)"/>
oncommand="Zotero.openInViewer('chrome://zotero/content/tools/cslpreview.xhtml')"/>
</hbox>
</groupbox>
</vbox>


@ -54,7 +54,7 @@ var Zotero_Report_Interface = new function() {
url += '/items' + queryString;
Zotero.openInViewer(url);
Zotero.openInViewer(url, { allowJavaScript: false });
}
@ -71,6 +71,6 @@ var Zotero_Report_Interface = new function() {
var url = 'zotero://report/' + Zotero.API.getLibraryPrefix(libraryID) + '/items'
+ '?itemKey=' + items.map(item => item.key).join(',');
Zotero.openInViewer(url);
Zotero.openInViewer(url, { allowJavaScript: false });
}
}
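Review bot: Both `Zotero.openInViewer(url, { allowJavaScript: false })` calls carry no comment saying why scripts are turned off, so a later cleanup could drop the option without noticing it is a security control. A short comment above each call, such as `// Report HTML includes note content, so never let the viewer run scripts in it`, would record the intent stated in the commit message. The viewer flag is a containment layer only; whether the report generator also strips or escapes script-bearing markup in notes is not visible in this section and is worth confirming. Both functions begin outside the hunks shown.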


@ -27,6 +27,8 @@
"resource://gre/modules/E10SUtils.jsm"
);*/
const SANDBOXED_SCRIPTS = 0x80;
var browser;
window.addEventListener("load", /*async */function () {
@ -51,9 +53,10 @@ window.addEventListener("load", /*async */function () {
);*/
//browser.docShellIsActive = false;
// Load URI passed in as nsISupports .data via openWindow()
window.viewerOriginalURI = window.arguments[0];
loadURI(window.arguments[0]);
// Get URI and options passed in via openWindow()
let { uri, options } = window.arguments[0].wrappedJSObject;
window.viewerOriginalURI = uri;
loadURI(uri, options);
}, false);
window.addEventListener("keypress", function (event) {
@ -73,7 +76,15 @@ window.addEventListener("click", function (event) {
}
});
function loadURI(uri) {
function loadURI(uri, options = {}) {
// browser.browsingContext.allowJavascript (sic) would seem to do what we want here,
// but it has no effect. So we use sandboxFlags instead:
if (options.allowJavaScript !== false) {
browser.browsingContext.sandboxFlags &= ~SANDBOXED_SCRIPTS;
}
else {
browser.browsingContext.sandboxFlags |= SANDBOXED_SCRIPTS;
}
browser.loadURI(
uri,
{
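Review bot: The script sandbox in `loadURI` fails open: `options.allowJavaScript !== false` keeps scripts enabled when a caller omits the option or passes anything other than the literal `false` (`0`, `null`, or a misspelled key such as `allowJavascript`). For a control meant to contain untrusted content, consider inverting the test so scripts run only on an explicit `true`, or defaulting by scheme so only `chrome:` pages get scripts without asking; the `https://www.zotero.org/styles/` caller in this commit would then need `allowJavaScript: true`. Separately, `window.arguments[0].wrappedJSObject` is destructured without a guard, so any code that still opens basicViewer.xhtml with the old string argument would throw before loading; no such caller is visible here, but it is worth a search. `const SANDBOXED_SCRIPTS = 0x80;` also deserves a comment naming the Gecko sandbox flag it mirrors. The `loadURI` body continues past the end of the hunk.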


@ -850,21 +850,23 @@ ZoteroStandalone.DebugOutput = {
view: function () {
Zotero.openInViewer("chrome://zotero/content/debugViewer.html", function (doc) {
var submitted = false;
doc.querySelector('#submit-button').addEventListener('click', function (event) {
submitted = true;
});
doc.querySelector('#clear-button').addEventListener('click', function (event) {
Zotero.Debug.clear();
});
// If output has been submitted, disable logging when window is closed
doc.defaultView.addEventListener('unload', function (event) {
if (submitted) {
Zotero.Debug.setStore(false);
Zotero.openInViewer("chrome://zotero/content/debugViewer.html", {
onLoad(doc) {
var submitted = false;
doc.querySelector('#submit-button').addEventListener('click', function (event) {
submitted = true;
});
doc.querySelector('#clear-button').addEventListener('click', function (event) {
Zotero.Debug.clear();
}
});
});
// If output has been submitted, disable logging when window is closed
doc.defaultView.addEventListener('unload', function (event) {
if (submitted) {
Zotero.Debug.setStore(false);
Zotero.Debug.clear();
}
});
}
});
},


@ -1087,9 +1087,16 @@ Services.scriptloader.loadSubScript("resource://zotero/polyfill.js");
* Opens a URL in the basic viewer, and optionally run a callback on load
*
* @param {String} uri
* @param {Function} [onLoad] - Function to run once URI is loaded; passed the loaded document
* @param {Object} [options]
* @param {Function} [options.onLoad] - Function to run once URI is loaded; passed the loaded document
* @param {Boolean} [options.allowJavaScript] - Set to false to disable JavaScript
*/
this.openInViewer = function (uri, onLoad) {
this.openInViewer = function (uri, options) {
if (options && !options.onLoad && typeof options === 'function') {
Zotero.debug("Zotero.openInViewer() now takes an 'options' object for its second parameter -- update your code");
options = { onLoad: options };
}
var viewerWins = Services.wm.getEnumerator("zotero:basicViewer");
for (let existingWin of viewerWins) {
if (existingWin.viewerOriginalURI === uri) {
@ -1099,12 +1106,17 @@ Services.scriptloader.loadSubScript("resource://zotero/polyfill.js");
}
let ww = Components.classes['@mozilla.org/embedcomp/window-watcher;1']
.getService(Components.interfaces.nsIWindowWatcher);
let arg = Components.classes["@mozilla.org/supports-string;1"]
.createInstance(Components.interfaces.nsISupportsString);
arg.data = uri;
let arg = {
uri,
options: {
...options,
onLoad: undefined
}
};
arg.wrappedJSObject = arg;
let win = ww.openWindow(null, "chrome://zotero/content/standalone/basicViewer.xhtml",
null, "chrome,dialog=yes,resizable,centerscreen,menubar,scrollbars", arg);
if (onLoad) {
if (options?.onLoad) {
let browser;
let func = function () {
win.removeEventListener("load", func);
@ -1117,7 +1129,7 @@ Services.scriptloader.loadSubScript("resource://zotero/polyfill.js");
};
let innerFunc = function () {
browser.removeEventListener("pageshow", innerFunc);
onLoad(browser.contentDocument);
options.onLoad(browser.contentDocument);
};
win.addEventListener("load", func);
}
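Review bot: The reuse loop at the top of `openInViewer` matches an existing viewer window on `existingWin.viewerOriginalURI === uri` alone, so `options.allowJavaScript` is not part of the match. The loop body lies outside the hunk, but if it focuses and returns the existing window, as the check suggests, a call with `allowJavaScript: false` can be handed a window that was opened for the same URI with scripts enabled. The viewer could record the effective setting next to `viewerOriginalURI` and the loop could require it to match, or the request could be passed to the existing window so that it reloads with the sandbox flag set. A comment on `onLoad: undefined` explaining why the callback is stripped from the window argument would also help.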


@ -537,7 +537,7 @@
label="&installConnector.label;"
oncommand="ZoteroStandalone.openHelp('connectors');"/>
<menuitem id="menu_addons" label="&addons.label;"
oncommand="Zotero.openInViewer('chrome://mozapps/content/extensions/aboutaddons.html', ZoteroStandalone.updateAddonsPane)"/>
oncommand="Zotero.openInViewer('chrome://mozapps/content/extensions/aboutaddons.html', { onLoad: ZoteroStandalone.updateAddonsPane })"/>
<menu id="developer-menu"
label="&developer.label;">
<menupopup>