From 3037ae5f04db2b3cf0ac3cab274fb756490e2a1f Mon Sep 17 00:00:00 2001
From: Raymond Hill <rhill@raymondhill.net>
Date: Tue, 13 Feb 2024 14:59:00 -0500
Subject: [PATCH] Ignore event handler-related attributes in `set-attr`
 scriptlet

As suggested by https://github.com/distinctmondaylilac in internal
email to ubo-security:

> As a sidenote, it may be worth considering if `set-attr` should
> be able to set event handler attributes. It could potentially
> be used to copy the contents of e.g. onclick to other event handlers,
> resulting in self-clicking buttons.
---
 assets/resources/scriptlets.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/assets/resources/scriptlets.js b/assets/resources/scriptlets.js
index 6ec087219..e46866836 100644
--- a/assets/resources/scriptlets.js
+++ b/assets/resources/scriptlets.js
@@ -3796,6 +3796,7 @@ function setAttr(
 
     const extractValue = elem => {
         if ( copyFrom !== '' ) {
+            if ( copyFrom.startsWith('on') && copyFrom in elem ) { return; }
             return elem.getAttribute(copyFrom) || '';
         }
         return value;
@@ -3812,6 +3813,7 @@ function setAttr(
         for ( const elem of elems ) {
             const before = elem.getAttribute(attr);
             const after = extractValue(elem);
+            if ( after === undefined ) { continue; }
             if ( after === before ) { continue; }
             elem.setAttribute(attr, after);
         }