gregsadetsky / chrome-dont-add-custom-search-engines

Google Chrome extension that stops sites from adding custom search engines
https://chrome.google.com/webstore/detail/dont-add-custom-search-en/dnodlcololidkjgbpeoleabmkocdhacc

The name of the added textarea element #15

Closed Procyon-b closed 6 years ago

Procyon-b commented 6 years ago

In spoilFormGet(), I have noticed that we can name the new element "" (empty string). The trick still works but nothing appears in the generated URL. Could be useful if we don't want to be noticed... For now, having it named "chrome_dont_add_custom_search_engines_srsly" as a way to notice that the fix worked is a good idea. But it's something to think about for future versions.

As a side note, I have encountered a site where "if (location.pathname == '/')" (my test version) is not respected by Chrome (cf. https://www.chromium.org/tab-to-search #2). Since every form that fits the rules will see a new element added, name="" can be a way to fly under the radar. Nothing will show in servers' logs.

Procyon-b commented 6 years ago

If you want to check if any form in a page has been "fixed", here is a JavaScript snippet to paste in the JavaScript console of that page:

```javascript
// Log the page's forms collection (expandable in the console).
console.info(document.forms);
// For every <textarea> inside a <form>, log the form and then the textarea.
for (var i = 0; i < document.forms.length; i++) {
  for (var j = 0; j < document.forms[i].length; j++) {
    if (document.forms[i][j].nodeName == "TEXTAREA") {
      console.info(document.forms[i]);
      console.info(document.forms[i][j]);
    }
  }
}
```

It first displays an (expandable) copy of the forms DOM element. And then, it displays 2 lines (in their HTML form) for every <textarea> it finds in any <form>: the form it belongs to, and the textarea element.

cxw42 commented 6 years ago

Nice finds! Would you please add the site you found to the wiki? https://github.com/gregsadetsky/chrome-dont-add-custom-search-engines/wiki/Sites-known-to-be-added-as-custom-search-engines

Re. name="", is that the default for elements that don't expressly list name? The current name (my fault ;) ) is intended to be something that would never occur on a production site, to reduce the risk of overwriting an element that is actually part of a site.

Procyon-b commented 6 years ago

Re: site that breaks "if (location.pathname == '/')": our current version is fine with it. This part of my code didn't end up in the final version. I was still testing with it to see what happens. Maybe I misunderstood how it's supposed to work. Anyway... The page that breaks this is part of your list.

I have tested all test pages, and it works with the current version with the minor name="" modification. As for why it works: you have to take two points of view, I think. As far as I know, any element of a form that is submitted must have a name. Or else the server-side script wouldn't know how to handle data sent like this. Values can be empty. That's what we do currently with our textarea. So no name, no "=" and no value (at least in our case).

From the point of view of HTML and its DOM JavaScript hierarchy, elements can have any attributes (even none), with or without value. I haven't tried giving it no "name" attribute at all, but since an empty one works...

So name="" sets a name attribute with a value of an empty string. While adding no name to the element doesn't even create a "name" attribute.
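
The behaviour discussed in this thread (a control whose name is missing or empty adds nothing to the submitted URL), as an added example that is not part of the thread or of the extension's code. It models only the name rule of form submission; the helper names and the plain-object stand-ins for DOM controls are assumptions made for illustration, and the sample forms are constructed.

```javascript
// Added example, not the extension's code. Models one rule of HTML form
// submission: a control with a missing or empty name contributes no entry.
// Other rules (disabled controls, unchecked boxes, buttons) are not modelled.

// Classify a control's name attribute: "absent", "empty" or "named".
function nameState(control) {
  const name = control.getAttribute("name");
  if (name === null) return "absent";
  return name === "" ? "empty" : "named";
}

// Build the query string a GET form would send for these controls.
function getQuery(controls) {
  const params = new URLSearchParams();
  for (const c of controls) {
    if (nameState(c) !== "named") continue; // skipped on submission
    params.append(c.getAttribute("name"), c.value);
  }
  return params.toString();
}

// Report every <textarea> in every form, with the state of its name.
function findTextareas(forms) {
  const found = [];
  Array.from(forms).forEach((form, formIndex) => {
    for (const c of Array.from(form.elements)) {
      if (c.nodeName === "TEXTAREA") {
        found.push({ formIndex, name: nameState(c) });
      }
    }
  });
  return found;
}

// Constructed stand-in for a DOM control (hypothetical helper).
function control(nodeName, attrs, value) {
  return { nodeName, value, getAttribute: (k) => attrs[k] ?? null };
}

// Constructed sample forms: one search box plus the added textarea.
const q = control("INPUT", { name: "q" }, "test");
const longName = "chrome_dont_add_custom_search_engines_srsly";
const sample = {
  named: [q, control("TEXTAREA", { name: longName }, "")],
  empty: [q, control("TEXTAREA", { name: "" }, "")],
  absent: [q, control("TEXTAREA", {}, "")],
};
```

On a live page, `findTextareas(document.forms)` reports the same three states for the real forms.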