Mirrors/uBlock
1
0
Fork 0
mirror of https://github.com/gorhill/uBlock.git synced 2024-07-03 02:37:21 +02:00
Code Issues Releases Wiki Activity

Ignore event handler-related attributes in set-attr scriptlet

Browse Source 
As suggested by https://github.com/distinctmondaylilac in internal
email to ubo-security:

> As a sidenote, it may be worth considering if `set-attr` should
> be able to set event handler attributes. It could potentially
> be used to copy the contents of e.g. onclick to other event handlers,
> resulting in self-clicking buttons.
This commit is contained in:
Raymond Hill 2024-02-13 14:59:00 -05:00
parent db5656f607
commit 3037ae5f04
No known key found for this signature in database
GPG Key ID: 25E1490B761470C2
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
assets/resources/scriptlets.js
View File

@ -3796,6 +3796,7 @@ function setAttr(
const extractValue = elem => {
if ( copyFrom !== '' ) {
if ( copyFrom.startsWith('on') && copyFrom in elem ) { return; }
return elem.getAttribute(copyFrom) || '';
}
return value;
@ -3812,6 +3813,7 @@ function setAttr(
for ( const elem of elems ) {
const before = elem.getAttribute(attr);
const after = extractValue(elem);
if ( after === undefined ) { continue; }
if ( after === before ) { continue; }
elem.setAttribute(attr, after);
}