From 79e10323adf3816410915a2583bf3a712a966720 Mon Sep 17 00:00:00 2001 From: Raymond Hill Date: Mon, 19 Aug 2024 14:56:15 -0400 Subject: [PATCH] Use helper function to lookup safe cookie values This helper function is now used by `set-cookie` and `set-local-storage-item` scriptlets, so changes in the helper function will benefit both scriptlets. --- assets/resources/scriptlets.js | 56 +++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/assets/resources/scriptlets.js b/assets/resources/scriptlets.js index f59eb8ed3..8acbb9894 100644 --- a/assets/resources/scriptlets.js +++ b/assets/resources/scriptlets.js @@ -954,6 +954,33 @@ function objectFindOwnerFn( /******************************************************************************/ +builtinScriptlets.push({ + name: 'get-safe-cookie-values.fn', + fn: getSafeCookieValuesFn, +}); +function getSafeCookieValuesFn() { + return [ + 'accept', 'reject', + 'accepted', 'rejected', 'notaccepted', + 'allow', 'disallow', 'deny', + 'allowed', 'denied', + 'approved', 'disapproved', + 'checked', 'unchecked', + 'dismiss', 'dismissed', + 'enable', 'disable', + 'enabled', 'disabled', + 'essential', 'nonessential', + 'hide', 'hidden', + 'necessary', 'required', + 'ok', + 'on', 'off', + 'true', 't', 'false', 'f', + 'yes', 'y', 'no', 'n', + ]; +} + +/******************************************************************************/ + builtinScriptlets.push({ name: 'get-all-cookies.fn', fn: getAllCookiesFn, @@ -1076,6 +1103,7 @@ builtinScriptlets.push({ name: 'set-local-storage-item.fn', fn: setLocalStorageItemFn, dependencies: [ + 'get-safe-cookie-values.fn', 'safe-self.fn', ], }); @@ -1097,14 +1125,9 @@ function setLocalStorageItemFn( const trustedValues = [ '', 'undefined', 'null', - 'false', 'true', - 'on', 'off', - 'yes', 'no', - 'accept', 'reject', - 'accepted', 'rejected', - 'allowed', 'denied', '{}', '[]', '""', '$remove$', + ...getSafeCookieValuesFn(), ]; if ( trusted ) { @@ -3819,6 +3842,7 @@ builtinScriptlets.push({ fn: setCookie, world: 'ISOLATED', dependencies: [ + 'get-safe-cookie-values.fn', 'safe-self.fn', 'set-cookie.fn', ], @@ -3831,28 +3855,10 @@ function setCookie( if ( name === '' ) { return; } const safe = safeSelf(); const logPrefix = safe.makeLogPrefix('set-cookie', name, value, path); - - const validValues = [ - 'accept', 'reject', - 'accepted', 'rejected', 'notaccepted', - 'allow', 'deny', - 'allowed', 'disallow', - 'enable', 'disable', - 'enabled', 'disabled', - 'ok', - 'on', 'off', - 'true', 't', 'false', 'f', - 'yes', 'y', 'no', 'n', - 'necessary', 'required', - 'approved', 'disapproved', - 'hide', 'hidden', - 'essential', 'nonessential', - 'dismiss', 'dismissed', - 'checked', 'unchecked', - ]; const normalized = value.toLowerCase(); const match = /^("?)(.+)\1$/.exec(normalized); const unquoted = match && match[2] || normalized; + const validValues = getSafeCookieValuesFn(); if ( validValues.includes(unquoted) === false ) { if ( /^\d+$/.test(unquoted) === false ) { return; } const n = parseInt(value, 10);