Make logging to content page console safer #6

Closed
joelpurra opened this issue Apr 21, 2017 · 3 comments

@joelpurra
Owner

Reported by @Rob--W:

  1. `Execute.logToPage` and `Execute.logToPageWithColor` generate and run JavaScript code in an unsafe way:
     Your sanitization logic,

     ```js
     .map((arg) => arg.replace(/\\/g, "\\\\"))
     .map((arg) => arg.replace(/"/g, "\\\""))
     .map((arg) => arg.replace(/\n/g, "\\n"))
     .map((arg) => `"${arg}"`)
     .join(", ");
     ```

     can be bypassed by strings containing carriage returns (`\r`) or line/paragraph separators (`\u2028` and `\u2029`). In your specific case, the impact is limited to a JavaScript error being thrown in the console.
     To safely generate JavaScript code for use with `browser.tabs.executeScript`, use `JSON.stringify`:

     ```js
     .map((arg) => JSON.stringify(arg))
     .join(", ");
     ```

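The difference between the two approaches can be checked locally. This is an added example, not part of the original report or the project's code: it builds the argument list both ways from constructed sample strings and parses the result with `new Function` as a stand-in for `browser.tabs.executeScript`. The helper names (`handRolledArgs`, `jsonArgs`, `roundTrip`, `compare`) are assumptions.

```javascript
// Escaping as quoted in the report: handles backslash, double quote and \n only.
function handRolledArgs(args) {
  return args
    .map((arg) => arg.replace(/\\/g, "\\\\"))
    .map((arg) => arg.replace(/"/g, "\\\""))
    .map((arg) => arg.replace(/\n/g, "\\n"))
    .map((arg) => `"${arg}"`)
    .join(", ");
}

// Replacement suggested in the report: let the JSON serializer do the escaping.
function jsonArgs(args) {
  return args.map((arg) => JSON.stringify(arg)).join(", ");
}

// Parse and evaluate the generated source text locally (stand-in for the
// code string that would be passed to browser.tabs.executeScript).
// Returns the decoded values, or the error name if the code does not parse.
function roundTrip(argList) {
  try {
    return { ok: true, values: new Function(`return [${argList}];`)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample inputs. U+2028/U+2029 are left out because engines
// implementing ES2019 accept them inside string literals, so that outcome
// depends on the engine; a raw carriage return is rejected everywhere.
const samples = [
  'plain "quoted" text\nsecond line',
  "carriage\rreturn",
  "back\\slash",
];

// Run every sample through both generators and record the outcome.
function compare(inputs) {
  return inputs.map((s) => ({
    input: JSON.stringify(s),
    handRolled: roundTrip(handRolledArgs([s])),
    json: roundTrip(jsonArgs([s])),
  }));
}

for (const row of compare(samples)) {
  console.log(row.input, "hand-rolled:", row.handRolled, "JSON:", row.json);
}
```
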
@joelpurra
Owner Author

Sure. Implemented it in the preexisting _variableToSafeString(). Thanks!

@joelpurra
Owner Author

See at least a658cd2, ac03536, 9743e30.

@joelpurra
Owner Author

See also #7.
