"javascript:" slash commands on popped out pages (not in gsft_main iframe) are being mangled by DOMPurify.sanitize()

[codaroma]

Can you try this custom slash command? (it is a simplified example) in a popped out page (not in gsft_main iframe).

Command: test URL: javascript:alert("<test")

When saved it appears in the slash command list as test javascript:alert("

And when you execute it nothing happens and you get errors in the developer tools console. Seems to be the same in both chrome and firefox.

[codaroma]

Looks like it is the call to DOMPurify.sanitize(targeturl) that is mangling the code. I don't think DOMPurify.sanitize() is designed to be used on javascript code.

[codaroma]

For example URL: javascript:alert("<>&") is converted to javascript:alert("<>&")

[codaroma]

I am trying to create a javascript: slash command that contains a regular expression and DOMPurify.sanitize() is completely mangling it.

[codaroma]

The code path for executing custom "javascript:" slash commands for pages inside the gsft_main iframe and pages that are outside the gsft_main iframe are different. The code that executes "javascript:" slash commands when the page is inside the gsft_main iframe is as follows... but when the page is not inside the gsft_main iframe the code that executes "javascript:" slash commands is this... One does a DOMPurify.sanitize() on the targeturl variable and the other does not, which leads to different behaviours. The code path that uses DOMPurify.sanitize() breaks the code in the custom command.

[arnoudkooi]

As there is no external way to manipulate this value, I'll remove the sanitize

[codaroma]

Thanks for fixing the execution is of javascript: URLs in popped out pages. Just in case you missed it the display in the slash command list is still not showing correctly.

[arnoudkooi]

Is it ok now?

[codaroma]

Yes, many thanks