google / tamperchrome

Tamper Dev is an extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).
https://tamper.dev
Apache License 2.0
4.18k stars 219 forks source link

DOM text reinterpreted as HTML Update inject.js #262

Open Shivam7-1 opened 6 months ago

Shivam7-1 commented 6 months ago

By using innerText, it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML. Always be cautious when dealing with user input or dynamic content to prevent security risks.

Shivam7-1 commented 6 months ago

Hi @sirdarckcat Could You Please Review this PR Thanks

Shivam7-1 commented 6 months ago

Hi @sirdarckcat Could You Please Review this PR Thanks

NeilFraser commented 6 months ago

In this case innerHTML is being used as a getter, not a setter, so the existing code is perfectly safe. Further, it appears that changing this to text-only would break the following match, which seems to be looking for HTML attributes.