joelpurra / talkie

Text-to-speech browser extension button. Select text on any web page, and have the computer read it out loud for you by simply clicking the Talkie button.
https://joelpurra.com/projects/talkie/
GNU General Public License v3.0

Make logging to content page console safer #6

Closed joelpurra closed 7 years ago

joelpurra commented 7 years ago

Reported by @rob--w:

3) Execute.logToPage and Execute.logToPageWithColor generate and run JavaScript code in an unsafe way: Your sanitization logic,

```js
.map((arg) => arg.replace(/\\/g, "\\\\"))
.map((arg) => arg.replace(/"/g, "\\\""))
.map((arg) => arg.replace(/\n/g, "\\n"))
.map((arg) => `"${arg}"`)
.join(", ");
```

can be bypassed by strings containing carriage returns (\r) or line/paragraph separators (\u2028 and \u2029). In your specific case, the impact is limited to a JavaScript error being thrown in the console. To safely generate JavaScript code for use with browser.tabs.executeScript, use JSON.stringify:

```js
.map((arg) => JSON.stringify(arg))
.join(", ");
```
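The failure mode described in the report, as an added example that is not part of the issue thread or of Talkie's code: the hand-rolled escaper beside `JSON.stringify`, each used to build the argument list of a `console.log(...)` call of the kind passed to `browser.tabs.executeScript({ code })`. The generated code is parsed locally with `new Function` rather than injected into a tab, so the check runs offline.

```javascript
// Added example (not Talkie's own code): naive escaper vs JSON.stringify when
// building the argument list of a console.log(...) call for executeScript.

// Escaper as quoted in the report: handles only backslash, double quote and \n.
function naiveArgsToSource(args) {
  return args
    .map((arg) => arg.replace(/\\/g, "\\\\"))
    .map((arg) => arg.replace(/"/g, '\\"'))
    .map((arg) => arg.replace(/\n/g, "\\n"))
    .map((arg) => `"${arg}"`)
    .join(", ");
}

// Recommended replacement: JSON.stringify escapes every control character
// (including \r), so the output is always a valid JavaScript string literal.
function safeArgsToSource(args) {
  return args.map((arg) => JSON.stringify(arg)).join(", ");
}

// Parses the generated code locally with `new Function` instead of injecting
// it into a tab, and reports whether it is valid JS and whether every argument
// survives the round trip unchanged.
function roundTrip(toSource, args) {
  const code = `return [${toSource(args)}];`;
  try {
    const result = new Function(code)();
    const same = result.length === args.length && result.every((v, i) => v === args[i]);
    return { valid: true, same };
  } catch (err) {
    return { valid: false, same: false, error: err.name };
  }
}

// Constructed sample inputs (selected text a user might have highlighted).
// Note: U+2028/U+2029 are legal inside string literals since ES2019, so on
// current engines only the \r case still breaks the naive escaper; on the
// 2017-era engines the report targets, all three separators did.
const SAMPLES = {
  plain: "plain text",
  newline: "line one\nline two",
  quotes: 'say "hi" with a backslash \\ in it',
  carriageReturn: "carriage\rreturn",
  lineSeparator: "para\u2028sep",
};
```

Running `roundTrip(naiveArgsToSource, [SAMPLES.carriageReturn])` reports a SyntaxError, which is exactly the console error the report describes, while `safeArgsToSource` round-trips every sample unchanged.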

joelpurra commented 7 years ago

Sure. Implemented it in the preexisting _variableToSafeString(). Thanks!

joelpurra commented 7 years ago

See at least a658cd214b42e3e44bdd6c85443e008af648fa4c, ac03536b0c2edde2dbf80a426d0392d1b0966e56, 9743e30a0848ae4ca5cc422755eb73588e670db3.

joelpurra commented 7 years ago

See also #7.