mirror of
https://github.com/gorhill/uBlock.git
synced 2024-07-05 11:37:01 +02:00
Ignore event handler-related attributes in set-attr
scriptlet
As suggested by https://github.com/distinctmondaylilac in internal email to ubo-security: > As a sidenote, it may be worth considering if `set-attr` should > be able to set event handler attributes. It could potentially > be used to copy the contents of e.g. onclick to other event handlers, > resulting in self-clicking buttons.
This commit is contained in:
parent
db5656f607
commit
3037ae5f04
|
@ -3796,6 +3796,7 @@ function setAttr(
|
|||
|
||||
const extractValue = elem => {
|
||||
if ( copyFrom !== '' ) {
|
||||
if ( copyFrom.startsWith('on') && copyFrom in elem ) { return; }
|
||||
return elem.getAttribute(copyFrom) || '';
|
||||
}
|
||||
return value;
|
||||
|
@ -3812,6 +3813,7 @@ function setAttr(
|
|||
for ( const elem of elems ) {
|
||||
const before = elem.getAttribute(attr);
|
||||
const after = extractValue(elem);
|
||||
if ( after === undefined ) { continue; }
|
||||
if ( after === before ) { continue; }
|
||||
elem.setAttribute(attr, after);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user