From e7c1761f7ca2710a398997c5d2efae32ad701ffd Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 21 Jul 2019 23:29:19 +0200
Subject: Restore "classic" pasted HTML sanitization feature (patch by barbaz
with slight modifications).
---
src/content/sanitizePaste.js | 58 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 src/content/sanitizePaste.js
(limited to 'src/content')
diff --git a/src/content/sanitizePaste.js b/src/content/sanitizePaste.js
new file mode 100644
index 0000000..703f5b3
--- /dev/null
+++ b/src/content/sanitizePaste.js
@@ -0,0 +1,58 @@
+'use strict';
+
+window.addEventListener("paste", e => {
+ let data = e.clipboardData;
+ let html = data.getData("text/html");
+ let t = e.target;
+ if (t.nodeType !== 1) t = t.parentElement;
+
+ try {
+ let node = t.cloneNode();
+
+ node.innerHTML = html;
+
+ if (sanitizeExtras(node)) {
+ let sanitized = node.innerHTML;
+ setTimeout(function() { try {
+ if (sanitizeExtras(t)) {
+ console.log(`[NoScript] Sanitized\n\n${html}\nto\n\n${t.innerHTML}\n`, t);
+ }
+ } catch(ex) {
+ console.log(ex);
+ }}, 0);
+ }
+ } catch(ex) {
+ console.log(ex);
+ }
+
+ function removeAttribute(node, name, value = node.getAttribute(name)) {
+ node.setAttribute(`data-noscript-removed-${name}`, value);
+ node.removeAttribute(name);
+ }
+
+ function sanitizeExtras(el) {
+ let ret = false;
+
+ // remove attributes from forms
+ for (let f of el.getElementsByTagName("form")) {
+ for (let a of f.attributes) {
+ f.removeAttribute(a.name);
+ ret = true;
+ }
+ }
+
+ let urlAttributes = ['href', 'to', 'from', 'by', 'values'];
+ let selector = urlAttributes.map(a => `[${a}]`).join(',');
+ for (let node of el.querySelectorAll(selector)) {
+ for (let name of urlAttributes) {
+ let value = node.getAttribute(name);
+ if (/^\W*(?:(?:javascript|data):|https?:[\s\S]+[[(<])/i.test(unescape(value))) {
+ node.setAttribute(`data-noscript-removed-${name}`, value);
+ node.removeAttribute(name);
+ ret = true;
+ }
+ }
+ }
+ return ret;
+ }
+}, true);
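Review bot: The form loop in `sanitizeExtras` removes attributes while iterating the live `f.attributes` map, so entries shift under the iterator and some attributes (possibly `action`) are skipped and stay on the pasted form; iterate a snapshot instead, `for (let a of [...f.attributes])`. The `sanitized` local and the `removeAttribute` helper are never used: the cleaned clone is discarded and the live target is only rewritten inside the `setTimeout` callback, which presumably runs after the unsanitized markup has already been inserted, and the URL loop could call `removeAttribute(node, name, value)` rather than repeating its two lines. The scheme test also matches the raw attribute string after `unescape` rather than the URL as the browser parses it, so for `href` it would be sturdier to compare `new URL(value, document.baseURI).protocol` against an allowlist. A short comment on why `to`, `from`, `by` and `values` are treated as URL-bearing attributes would help the next reader.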
--
cgit v1.2.3