fix #2084

2024-11-11 09:31:01 +01:00 · 2016-10-18 12:33:50 -04:00 · 2016-10-18 12:33:50 -04:00 · 46fb194904
commit 46fb194904
parent 1be1c415d6
3 changed files with 84 additions and 20 deletions
--- a/src/css/dashboard-common.css
+++ b/src/css/dashboard-common.css
@ -68,6 +68,7 @@ input[type="checkbox"][disabled] + label {
    border: 1px dotted black;
    background-color: #F8F8F8;
    font-size: 13px;
+    white-space: pre-line;
    }
 .whatisthis-expandable > p {
    margin-top: 1em;
--- a/src/js/i18n.js
+++ b/src/js/i18n.js
@ -1,7 +1,7 @@
 /*******************************************************************************

-    µBlock - a browser extension to block requests.
-    Copyright (C) 2014 Raymond Hill
+    uBlock Origin - a browser extension to block requests.
+    Copyright (C) 2014-2016 Raymond Hill

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -19,7 +19,7 @@
    Home: https://github.com/gorhill/uBlock
 */

-/* global vAPI, uDom */
+'use strict';

 /******************************************************************************/

@ -28,7 +28,82 @@

 (function() {

-'use strict';
+/******************************************************************************/
+
+// https://github.com/gorhill/uBlock/issues/2084
+//   Anything else than <a>, <b>, <code>, <em>, <i>, <input>, and <span> will
+//   be rendered as plain text.
+//   For <input>, only the type attribute is allowed.
+//   For <a>, only href attribute must be present, and it MUST starts with
+//   `https://`, and includes no single- or double-quotes.
+//   No HTML entities are allowed, there is code to handle existing HTML
+//   entities already present in translation files until they are all gone.
+
+var reSafeTags = /^([\s\S]*?)<(b|code|em|i|span)>(.+?)<\/\2>([\s\S]*)$/,
+    reSafeInput = /^([\s\S]*?)<(input type="[^"]+")>(.*?)([\s\S]*)$/,
+    reInput = /^input type=(['"])([a-z]+)\1$/,
+    reSafeLink = /^([\s\S]*?)<(a href=['"]https:\/\/[^'" <>]+['"])>(.+?)<\/a>([\s\S]*)$/,
+    reLink = /^a href=(['"])(https:\/\/[^'"]+)\1$/;
+
+var safeTextToTagNode = function(text) {
+    var matches, node;
+    if ( text.lastIndexOf('a ', 0) === 0 ) {
+        matches = reLink.exec(text);
+        if ( matches === null ) { return null; }
+        node = document.createElement('a');
+        node.setAttribute('href', matches[2]);
+        return node;
+    }
+    if ( text.lastIndexOf('input ', 0) === 0 ) {
+        matches = reInput.exec(text);
+        if ( matches === null ) { return null; }
+        node = document.createElement('input');
+        node.setAttribute('type', matches[2]);
+        return node;
+    }
+    return document.createElement(text);
+};
+
+var safeTextToTextNode = function(text) {
+    // TODO: remove once no more HTML entities in translation files.
+    if ( text.indexOf('&') !== -1 ) {
+        text = text.replace(/&ldquo;/g, '“')
+                   .replace(/&rdquo;/g, '”')
+                   .replace(/&lsquo;/g, '‘')
+                   .replace(/&rsquo;/g, '’');
+    }
+    return document.createTextNode(text);
+};
+
+var safeTextToDOM = function(text, parent) {
+    if ( text === '' ) { return; }
+    // Fast path (most common).
+    if ( text.indexOf('<') === -1 ) {
+        return parent.appendChild(safeTextToTextNode(text));
+    }
+    // Slow path.
+    // `<p>` no longer allowed. Code below can be remove once all <p>'s are
+    // gone from translation files.
+    text = text.replace(/^<p>|<\/p>/g, '')
+               .replace(/<p>/g, '\n\n');
+    // Parse allowed HTML tags.
+    var matches = reSafeTags.exec(text);
+    if ( matches === null ) {
+        matches = reSafeLink.exec(text);
+        if ( matches === null ) {
+            matches = reSafeInput.exec(text);
+            if ( matches === null ) {
+                parent.appendChild(safeTextToTextNode(text));
+                return;
+            }
+        }
+    }
+    safeTextToDOM(matches[1], parent);
+    var node = safeTextToTagNode(matches[2]) || parent;
+    safeTextToDOM(matches[3], node);
+    parent.appendChild(node);
+    safeTextToDOM(matches[4], parent);
+};

 /******************************************************************************/

@ -46,10 +121,11 @@ vAPI.i18n.render = function(context) {
        if ( !text ) {
            continue;
        }
+        // TODO: remove once it's all replaced with <input type="...">
        if ( text.indexOf('{') !== -1 ) {
            text = text.replace(/\{\{input:([^}]+)\}\}/g, '<input type="$1">');
        }
-        uDom(elem).html(text);
+        safeTextToDOM(text, elem);
    }

    elems = root.querySelectorAll('[title]');
--- a/src/js/udom.js
+++ b/src/js/udom.js
@ -1,7 +1,7 @@
 /*******************************************************************************

-    µBlock - a browser extension to block requests.
-    Copyright (C) 2014 Raymond Hill
+    uBlock Origin - a browser extension to block requests.
+    Copyright (C) 2014-2016 Raymond Hill

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -537,19 +537,6 @@ DOMList.prototype.val = function(value) {

 /******************************************************************************/

-DOMList.prototype.html = function(html) {
-    var i = this.nodes.length;
-    if ( html === undefined ) {
-        return i ? this.nodes[0].innerHTML : '';
-    }
-    while ( i-- ) {
-        vAPI.insertHTML(this.nodes[i], html);
-    }
-    return this;
-};
-
-/******************************************************************************/
-
 DOMList.prototype.text = function(text) {
    var i = this.nodes.length;
    if ( text === undefined ) {