violentmonkey: potential bugs in `/src/injected/web/util-web.js`
- `Number.prototype.toString` and `window.isFinite` can be replaced
- `isArray` is broken (`isArray({splice:()=>{},length:0})` returns `true`, web page can `delete Array.prototype.splice`)
- `escMap` inherits from `Object.prototype` (web page can `Object.prototype['\u0000']='fake escape'`)
- web page can `open('/').Object.prototype.__defineGetter__('defineAs',()=>alert('???'));` (maybe that's intended)

fix (doesn't fix `isArray` and `defineAs`):

- replace

  ```js
  const { isFinite } = global; // eslint-disable-line no-restricted-properties
  const { toString: numberToString } = 0;
  ```

  with

  ```js
  const isFinite = (() => {
    'use strict'; // need to be strict mode because (function(){isFinite({toString:function(){alert(arguments.callee.caller)}})})() alerts null
    var inf = 1 / 0, ninf = -inf;
    return x => (x = +x) == x && inf != x && ninf != x;
  })();
  ```

- replace

  ```js
  const escMap = {
    '"': '\\"',
    '\\': '\\\\',
    '\b': '\\b',
    '\f': '\\f',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
  };
  const escRE = /[\\"\u0000-\u001F\u2028\u2029]/g; // eslint-disable-line no-control-regex
  const escFunc = m => escMap[m] || `\\u${(m::charCodeAt(0) + 0x10000)::numberToString(16)::slice(1)}`;
  ```

  with

  ```js
  const jsStrEsc = s => {
    var c, l = s.length, i = 0, hex = '0123456789ABCDEF', out = '"';
    while (l > i) switch (c = s[i++]) {
      case '"': out += '\\"'; continue;
      case '\\': out += '\\\\'; continue;
      case '\b': out += '\\b'; continue;
      case '\f': out += '\\f'; continue;
      case '\n': out += '\\n'; continue;
      case '\r': out += '\\r'; continue;
      case '\t': out += '\\t'; continue;
      case '\u2028': out += '\\u2028'; continue;
      case '\u2029': out += '\\u2029'; continue;
      default:
        if ('\u001F' < c) {
          out += c;
          continue;
        }
        c = c::charCodeAt(0); // String.prototype.charCodeAt can be replaced
        out += '\\u00' + hex[c >> 4] + hex[15 & c];
    }
    return out + '"';
  };
  ```

- replace

  ```js
  res = `"${value::replace(escRE, escFunc)}"`;
  ```

  with

  ```js
  res = jsStrEsc(value);
  ```
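A worked demonstration of the two failure modes the report lists (a lookup map that inherits from `Object.prototype`, and a duck-typed `isArray` that a page can both spoof and break), placed beside hardened versions. This is an added example, not Violentmonkey's code and not the reporter's: the naive escaper is a model of the `escMap`/`escRE` pattern with plain method calls standing in for the project's `::` bind operator, the duck-typed `isArray` is a model of the described behaviour, `jsStrEsc` follows the reporter's switch-based approach, and capturing `Reflect.apply`/`String.prototype.charCodeAt`/`Array.isArray` at load time is my assumption about how to sidestep the replaceable-prototype problem the report notes. The hostile-page lines and the input string are constructed.

```javascript
// Added example (not Violentmonkey's or the reporter's code): how a page can
// subvert an escaper whose lookup table inherits from Object.prototype and a
// duck-typed isArray, next to hardened versions of both.

// References captured at load time, before any page script can replace them.
// (Assumption: the injected script runs before page code, as is usual.)
const apply = Reflect.apply;
const charCodeAt = String.prototype.charCodeAt;
const realIsArray = Array.isArray;
const realSplice = Array.prototype.splice;
const HEX = '0123456789abcdef';

// Naive escaper, modelled on the escMap/escRE pattern the issue describes
// (plain method calls stand in for the project's `::` bind operator).
// escMap inherits from Object.prototype, so a key planted there by the page
// is found by escMap[m] before the \u00XX fallback is ever reached.
function makeNaiveEscaper() {
  const escMap = {
    '"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
    '\n': '\\n', '\r': '\\r', '\t': '\\t',
  };
  const escRE = /[\\"\u0000-\u001F\u2028\u2029]/g;
  const escFunc = m => escMap[m]
    || `\\u${(m.charCodeAt(0) + 0x10000).toString(16).slice(1)}`;
  return value => `"${value.replace(escRE, escFunc)}"`;
}

// Hardened escaper: a switch instead of an inheritable lookup object, and no
// prototype method looked up at call time (charCodeAt is invoked through the
// captured Reflect.apply, so replacing String.prototype.charCodeAt or
// Function.prototype.call on the page does not reach it).
function jsStrEsc(s) {
  let out = '"';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    switch (c) {
      case '"': out += '\\"'; continue;
      case '\\': out += '\\\\'; continue;
      case '\b': out += '\\b'; continue;
      case '\f': out += '\\f'; continue;
      case '\n': out += '\\n'; continue;
      case '\r': out += '\\r'; continue;
      case '\t': out += '\\t'; continue;
      case '\u2028': out += '\\u2028'; continue;
      case '\u2029': out += '\\u2029'; continue;
      default: {
        if (c > '\u001F') { out += c; continue; }
        const code = apply(charCodeAt, c, [0]);
        out += '\\u00' + HEX[code >> 4] + HEX[code & 15];
      }
    }
  }
  return out + '"';
}

// Duck-typed isArray modelled on the described behaviour: anything with a
// splice method and a numeric length passes, and real arrays fail as soon as
// the page deletes Array.prototype.splice.
const duckIsArray = v =>
  !!v && typeof v.splice === 'function' && typeof v.length === 'number';

// Simulate the hostile page (constructed tampering and input), collect what
// each check returns, then undo the tampering so the demo is repeatable.
function demo() {
  const naive = makeNaiveEscaper();
  const input = 'a\u0000b"c';
  const fake = { splice: () => {}, length: 0 };
  const r = {};
  Object.prototype['\u0000'] = 'fake escape';
  delete Array.prototype.splice;
  try {
    r.naive = naive(input);          // page-chosen text ends up inside the literal
    r.hardened = jsStrEsc(input);    // "a\u0000b\"c"
    r.reference = JSON.stringify(input);
    r.duckFake = duckIsArray(fake);  // true
    r.duckReal = duckIsArray([]);    // false: splice is gone
    r.realFake = realIsArray(fake);  // false
    r.realReal = realIsArray([]);    // true
  } finally {
    delete Object.prototype['\u0000'];
    Array.prototype.splice = realSplice;
  }
  return r;
}
```

`demo()` returns the polluted-page results side by side: the naive escaper emits `"afake escapeb\"c"`, while `jsStrEsc` and `JSON.stringify` both emit `"a\u0000b\"c"`. The general rule the example applies is that anything the injected code needs from a built-in (`Reflect.apply`, `Array.isArray`, prototype methods) is captured once at load time and invoked through captured references, and that lookup tables either use `Object.create(null)` or, as here, no object lookup at all.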
About this issue
- State: closed
- Created 3 years ago
- Comments: 19 (19 by maintainers)
Commits related to this issue
- fix: imitate JSON.stringify better in jsonDump #1421 — committed to violentmonkey/violentmonkey by tophf 3 years ago
- fix: safeguard RegExp#exec, #1421 — committed to violentmonkey/violentmonkey by tophf 3 years ago
- fix: get rid of RegExp in `web`, #1421, #1431 — committed to violentmonkey/violentmonkey by tophf 3 years ago
I’ve changed my mind because there were just a few places where those symbols needed guarding: f5239b4e.
It will break all scripts in `page` mode too, so even if we fix it for us, what good will that be?