This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch main in repository torbutton.
The following commit(s) were added to refs/heads/main by this push: new dee999c4 Bug 41353 (Update DnD filter) dee999c4 is described below
commit dee999c4466336928cf556291443ed05076bc382 Author: ma1 giorgio@maone.net AuthorDate: Thu Oct 27 17:18:37 2022 +0000
Bug 41353 (Update DnD filter) --- components/dragDropFilter.js | 74 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 57 insertions(+), 17 deletions(-)
diff --git a/components/dragDropFilter.js b/components/dragDropFilter.js
index 4b76bd10..f763595b 100644
--- a/components/dragDropFilter.js
+++ b/components/dragDropFilter.js
@@ -21,6 +21,47 @@ const kMODULE_CID = Components.ID("f605ec27-d867-44b5-ad97-2a29276642c3");
const kInterfaces = [Ci.nsIObserver, Ci.nsIClassInfo];
+const URLISH_TYPES = Object.freeze([
+ "text/x-moz-url",
+ "text/x-moz-url-data",
+ "text/uri-list",
+ "application/x-moz-file-promise-url",
+]);
+
+/*
+ Returns true if the text resembles a URL or even just a hostname
+ in a way that may prompt the O.S. or other applications to send out a
+ validation DNS query, if not a full request (e.g. " torproject.org",
+ even with the leading whitespace).
+*/
+function isURLish(text) {
+ // Ignore leading whitespace.
+ text = text.trim();
+
+ // Without any protocol or dot in the first chunk, this is unlikely
+ // to be considered URLish (exception: localhost, but we don't care).
+ if (!/^[a-z][a-z0-9+-]*:///i.test(text)) {
+ // no protocol
+ if (!/^[^.\s/]+.[^.\s/]/.test(text)) {
+ // no dot
+ return false;
+ }
+ // Prepare for hostname validation via relative URL building.
+ text = `//${text}`;
+ }
+ // Validate URL or hostname.
+ try {
+ new URL(text, "https://localhost");
+ return true;
+ } catch (e) {
+ // invalid URL, bail out
+ }
+ return false;
+}
+
+// Returns true if any chunk of text is URLish
+const hasURLish = text => text.split(/[^\p{L}_.-:/%~@$-]+/u).some(isURLish);
+
 function DragDropFilter() {
 this.logger = Cc["@torproject.org/torbutton-logger;1"].getService(
 Ci.nsISupports
@@ -63,25 +104,24 @@ DragDropFilter.prototype = {
 },
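Review bot: The character class in `hasURLish` admits digits and `/` only through the `.-:` range (U+002E to U+003A), which reads like three literal characters, so a later edit that escapes or moves that hyphen could silently split hostnames at every digit and let some of them pass the filter unnoticed. Spelling the set out keeps the same behaviour and shows the intent: `text.split(/[^\p{L}0-9_.:\/%~@$-]+/u)`. A short comment above it, for example `// Split on anything that cannot be part of a URL or hostname chunk.`, would also help. The two patterns in `isURLish` appear to have lost their backslashes in this rendering (`:///i` and `+.[`), so I am reading them as `:\/\/` and `\.`.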
filterDataTransferURLs(aDataTransfer) {
- var types = null;
- var type = "";
- var count = aDataTransfer.mozItemCount;
- var len = 0;
- for (var i = 0; i < count; ++i) {
- this.logger.log(3, "Inspecting the data transfer: " + i);
- types = aDataTransfer.mozTypesAt(i);
- len = types.length;
- for (var j = 0; j < len; ++j) {
- type = types[j];
- this.logger.log(3, "Type is: " + type);
+ for (let i = 0, count = aDataTransfer.mozItemCount; i < count; ++i) {
+ this.logger.log(3, `Inspecting the data transfer: ${i}.`);
+ const types = aDataTransfer.mozTypesAt(i);
+ for (const type of types) {
+ this.logger.log(3, `Type is: ${type}.`);
 if (
- type == "text/x-moz-url" ||
- type == "text/x-moz-url-data" ||
- type == "text/uri-list" ||
- type == "application/x-moz-file-promise-url"
+ URLISH_TYPES.includes(type) ||
+ ((type === "text/plain" || type === "text/html") &&
+ hasURLish(aDataTransfer.getData(type)))
 ) {
- aDataTransfer.clearData(type);
- this.logger.log(3, "Removing " + type);
+ this.logger.log(
+ 3,
+ `Removing transfer data ${aDataTransfer.getData(type)}`
+ );
+ for (const type of types) {
+ aDataTransfer.clearData(type);
+ }
+ break;
 }
 }
 }
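Review bot: The new log call in the matching branch writes the dragged content itself, `aDataTransfer.getData(type)`, to the logger, where the code it replaces logged only the type name; dragged text, HTML and URLs are user data and should stay out of the log whatever level 3 maps to. Logging the type is enough: ``this.logger.log(3, `Removing transfer data of type ${type}.`);``. Separately, `types` comes from `mozTypesAt(i)` while `getData(type)` and `clearData(type)` take no index and, as far as I know, act on the first item only, so for `i > 0` the content check and the clearing may not touch the item being inspected; the indexed `mozGetDataAt`/`mozClearDataAt` would match the loop if they are available in this tree. The inner `for (const type of types)` also shadows the outer `type`, and `filterDataTransferURLs` closes outside the hunk.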