ZenBrowserMirrors/components
1
0
Fork 0
mirror of https://github.com/zen-browser/components.git synced 2025-07-08 17:19:58 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: Update ZenWorkspaces to use textContent instead of innerHTML for XSS prevention

Browse source
This commit is contained in:
Mauro Balades 2024-08-23 19:57:16 +02:00
parent dde5f80b8b
commit e12618009e
1 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/ZenWorkspaces.mjs
View file

@ -180,15 +180,18 @@ var ZenWorkspaces = {
//element.setAttribute("context", "zenWorkspaceActionsMenu"); //element.setAttribute("context", "zenWorkspaceActionsMenu");
let childs = window.MozXULElement.parseXULToFragment(` let childs = window.MozXULElement.parseXULToFragment(`
<div class="zen-workspace-icon"> <div class="zen-workspace-icon">
${gZenUIManager.createValidXULText(this.getWorkspaceIcon(workspace))}
</div> </div>
<div class="zen-workspace-name"> <div class="zen-workspace-name">
${gZenUIManager.createValidXULText(workspace.name)}
</div> </div>
<toolbarbutton closemenu="none" class="toolbarbutton-1 zen-workspace-actions"> <toolbarbutton closemenu="none" class="toolbarbutton-1 zen-workspace-actions">
<image class="toolbarbutton-icon" id="zen-workspace-actions-menu-icon"></image> <image class="toolbarbutton-icon" id="zen-workspace-actions-menu-icon"></image>
</toolbarbutton> </toolbarbutton>
`); `);
// use text content instead of innerHTML to avoid XSS
childs.querySelector(".zen-workspace-icon").textContent = this.getWorkspaceIcon(workspace);
childs.querySelector(".zen-workspace-name").textContent = workspace.name;
childs.querySelector(".zen-workspace-actions").addEventListener("command", (event) => { childs.querySelector(".zen-workspace-actions").addEventListener("command", (event) => {
let button = event.target; let button = event.target;
this._contextMenuId = button.closest("toolbarbutton[zen-workspace-id]").getAttribute("zen-workspace-id"); this._contextMenuId = button.closest("toolbarbutton[zen-workspace-id]").getAttribute("zen-workspace-id");
@ -273,12 +276,15 @@ var ZenWorkspaces = {
if (activeWorkspace) { if (activeWorkspace) {
button.innerHTML = ` button.innerHTML = `
<div class="zen-workspace-sidebar-icon"> <div class="zen-workspace-sidebar-icon">
${gZenUIManager.createValidXULText(this.getWorkspaceIcon(activeWorkspace))}
</div> </div>
<div class="zen-workspace-sidebar-name"> <div class="zen-workspace-sidebar-name">
${gZenUIManager.createValidXULText(activeWorkspace.name)}
</div> </div>
`; `;
// use text content instead of innerHTML to avoid XSS
button.querySelector(".zen-workspace-sidebar-name").textContent = activeWorkspace.name;
button.querySelector(".zen-workspace-sidebar-icon").textContent = this.getWorkspaceIcon(activeWorkspace);
if (!this.workspaceHasIcon(activeWorkspace)) { if (!this.workspaceHasIcon(activeWorkspace)) {
button.querySelector(".zen-workspace-sidebar-icon").setAttribute("no-icon", "true"); button.querySelector(".zen-workspace-sidebar-icon").setAttribute("no-icon", "true");
} }