
Sanitize before inserting variables to innerHTML #83

Open
SabreCat wants to merge 1 commit into master from sabrecat/purify-title

SabreCat (Member) commented May 20, 2022

We received this notice from Mozilla Add-ons:

image

To comply with the request, this PR adds calls to DOMPurify.sanitize() to strip any potentially problematic data from the variables being included in the innerHTML element on line 652 of chat_inPage.js.
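
An added example, not code from this PR or from chat_inPage.js: one way to make sure every variable is neutralised before a string reaches innerHTML. It swaps in an escape-by-default tagged template for plain-text values and passes only values that must keep markup through an injected sanitizer such as DOMPurify.sanitize; all function and parameter names are hypothetical.

```javascript
// Added example: all names here are hypothetical, not taken from chat_inPage.js.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a plain-text value so it is inert in element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marks a string that has already been through an HTML sanitizer.
class SanitizedMarkup {
  constructor(markup) {
    this.markup = markup;
  }
}

// Run `dirty` through the injected sanitizer (DOMPurify.sanitize in the browser).
function sanitized(dirty, sanitize) {
  if (typeof sanitize !== 'function') {
    throw new TypeError('a sanitizer function is required');
  }
  return new SanitizedMarkup(String(sanitize(String(dirty))));
}

// Tagged template: every interpolated value is escaped unless it is SanitizedMarkup.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += value instanceof SanitizedMarkup ? value.markup : escapeHtml(value);
    out += strings[i + 1];
  });
  return out;
}

// Build the string that would be assigned to innerHTML for one chat box.
function renderChatBox(groupId, title, messageHtml, sanitize) {
  return html`<div class="chat" data-group="${groupId}">` +
    html`<h3>${title}</h3>` +
    html`<div class="msg">${sanitized(messageHtml, sanitize)}</div></div>`;
}

// Browser usage (assumes DOMPurify is loaded and chatBox is the target element):
//   chatBox.innerHTML = renderChatBox(id, name, body, (s) => DOMPurify.sanitize(s));
```

For a value that is only ever plain text, assigning it through textContent avoids HTML parsing altogether.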

cTheDragons (Contributor) commented Oct 4, 2022

From my testing on Firefox 105.0.1 (64-bit), it appears to have been working.

The three issues are:

  • The version is not updated in the extensions or Readme file. (Had to do a lot of double checking to make sure we have the right one.)
  • The Snowman transformation does not show correctly; however, I believe this is an existing bug.
  • The Spooky transformation is not aligned correctly. However, I believe this is an existing bug.

Tested:

  • Auto connect via the option at the top
  • Retrieving messages from a guild/tavern
  • Updated while chat is open
  • add a message in a guild
  • liking a message
  • removing a like
  • reporting a message
  • checking info of a player
  • Quick reply on name and avatar
  • Keyboard shortcut of ctrl-Enter works
  • Images displayed in chat
  • Timeout of the chat messages show correctly.
  • Transformations show in the chat for flower, star, spooky. As noted above Snowman does not show. Spooky is also shown off centre.

All tested on default options but did open up on large text no avatar to confirm these options work too.

cTheDragons (Contributor) commented

From my testing on 105.0.5151.0 (Developer Build) (64-bit), it appears to have been working.
Four Bugs:

  • Error reported by the plugin: "Manifest version 2 is deprecated, and support will be removed in 2023. See https://developer.chrome.com/blog/mv2-transition/ for more details."
  • The version is not updated in the extensions or Readme file. (Had to do a lot of double checking to make sure we have the right one.)
  • The Snowman transformation does not show correctly; however, I believe this is an existing bug.
  • The Spooky transformation is not aligned correctly. However, I believe this is an existing bug.

Tested:

  • Auto connect via the option at the top
  • Retrieving messages from a guild/tavern
  • Updated while chat is open
  • add a message in a guild
  • liking a message
  • removing a like
  • reporting a message
  • checking info of a player
  • Quick reply on name and avatar
  • Keyboard shortcut of ctrl-Enter works
  • Images displayed in chat
  • Transformations show in the chat for flower, star, spooky. As noted above Snowman does not show. Spooky is also shown off centre.

All tested on default options but did open up on large text no avatar to confirm these options work too.
