From e7c1761f7ca2710a398997c5d2efae32ad701ffd Mon Sep 17 00:00:00 2001 From: hackademix Date: Sun, 21 Jul 2019 23:29:19 +0200 Subject: Restore "classic" pasted HTML sanitization feature (patch by barbaz with slight modifications). --- src/content/sanitizePaste.js | 58 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 src/content/sanitizePaste.js (limited to 'src/content') diff --git a/src/content/sanitizePaste.js b/src/content/sanitizePaste.js new file mode 100644 index 0000000..703f5b3 --- /dev/null +++ b/src/content/sanitizePaste.js @@ -0,0 +1,58 @@ +'use strict'; + +window.addEventListener("paste", e => { + let data = e.clipboardData; + let html = data.getData("text/html"); + let t = e.target; + if (t.nodeType !== 1) t = t.parentElement; + + try { + let node = t.cloneNode(); + + node.innerHTML = html; + + if (sanitizeExtras(node)) { + let sanitized = node.innerHTML; + setTimeout(function() { try { + if (sanitizeExtras(t)) { + console.log(`[NoScript] Sanitized\n\n${html}\nto\n\n${t.innerHTML}\n`, t); + } + } catch(ex) { + console.log(ex); + }}, 0); + } + } catch(ex) { + console.log(ex); + } + + function removeAttribute(node, name, value = node.getAttribute(name)) { + node.setAttribute(`data-noscript-removed-${name}`, value); + node.removeAttribute(name); + } + + function sanitizeExtras(el) { + let ret = false; + + // remove attributes from forms + for (let f of el.getElementsByTagName("form")) { + for (let a of f.attributes) { + f.removeAttribute(a.name); + ret = true; + } + } + + let urlAttributes = ['href', 'to', 'from', 'by', 'values']; + let selector = urlAttributes.map(a => `[${a}]`).join(','); + for (let node of el.querySelectorAll(selector)) { + for (let name of urlAttributes) { + let value = node.getAttribute(name); + if (/^\W*(?:(?:javascript|data):|https?:[\s\S]+[[(<])/i.test(unescape(value))) { + node.setAttribute(`data-noscript-removed-${name}`, value); + node.removeAttribute(name); + ret = true; + } + } + } + return ret; + } +}, true); -- cgit v1.2.3