How can I sanitize remote script in content script?

Hi.

I submitted my extension, but it was rejected because of potentially unsanitized data in content script.

My code is like the following:

// Remote values (colors, items, isPageSaved) are concatenated straight into script source
var actualCode =
    'var colors = ' + colors + '; var linerItems = ' + items + '; ' +
    'var isPageSaved = ' + isPageSaved + '; ' +
    'proc.changeColor();';
// Wrap the source in a <script> element and inject it into the page
var json = ['html:script', {}, actualCode];
var node = Util.jsonToDOM(json, document, {});

(document.head||document.documentElement).appendChild(node);
node.parentNode.removeChild(node);

(jsonToDOM is documented at https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion)

How can I sanitize that code?

Thanks.

I searched and found sanitize.js.

// Same string-built script as before
var actualCode =
    'var colors = ' + colors + '; var linerItems = ' + items + '; ' +
    'var isPageSaved = ' + isPageSaved + '; ' +
    'proc.changeColor();';
var json = ['html:script', {}, actualCode];
var node = Util.jsonToDOM(json, document, {});
// Run the <script> node through sanitize.js before injecting it
var s = new Sanitize();
s.clean_node(node);
(document.head||document.documentElement).appendChild(node);
node.parentNode.removeChild(node);

So using Sanitize(), is my code sanitized?

No … :wink:

Inserting remote SCRIPT is not allowed, and there is no way to sanitize a remote script.

Inserting remote DOM may be allowed but that has many complications. You can use DOMPurify to sanitize the remote content but that does not guarantee that it will pass.

If you need remote data (not a whole bunch of DOM), then it would make it easier, and the data can be sanitized based on how you insert it.

Inserting un-sanitized remote content is a security problem. For example, JavaScript can be passed as href/src/on** etc.
The add-on should ensure such strings are not executable (and not javascript:somefunction).
In the case of href/src, a simple startsWith('http') would be sufficient for this purpose.
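A worked example of the "pass data, not script" approach the reviewer describes (added here, not code from the thread or from the add-on in question; the sample data is constructed, and `isSafeUrl`, `sanitizeItems`, `serializeForPage` and `renderItems` are assumed names):

```javascript
// Added example: treat remote values as data, never as script source.
// The thread's code concatenates `colors`/`items` into a <script> body, which
// cannot be sanitized. Here the values stay plain data, URLs must pass the
// reviewer's startsWith("http") style check, and text reaches the page only
// through textContent, which never parses markup.

// Constructed sample of remote data, including values an add-on must reject.
const remoteItems = [
  { label: "Docs", href: "https://example.com/docs" },
  { label: "Bad link", href: "javascript:somefunction()" },
  { label: "<b>markup in label</b>", href: "http://example.com/x" },
  { label: "Not a string", href: 42 },
];

// Allow only http(s) URLs for href/src (a stricter form of startsWith("http")).
function isSafeUrl(value) {
  return typeof value === "string" && /^https?:\/\//i.test(value);
}

// Normalise one item: label forced to a string, unsafe href dropped (null).
function sanitizeItem(item) {
  return {
    label: item.label == null ? "" : String(item.label),
    href: isSafeUrl(item.href) ? item.href : null,
  };
}

function sanitizeItems(items) {
  return Array.isArray(items) ? items.map(sanitizeItem) : [];
}

// Hand data to the page as JSON, not as string-built JavaScript.
function serializeForPage(colors, items, isPageSaved) {
  return JSON.stringify({ colors, linerItems: sanitizeItems(items), isPageSaved: !!isPageSaved });
}

// Build DOM with element APIs; `doc` is a Document (real page or test double).
function renderItems(doc, items) {
  const ul = doc.createElement("ul");
  for (const item of sanitizeItems(items)) {
    const li = doc.createElement("li");
    const target = item.href ? doc.createElement("a") : li; // unsafe href: plain text, no link
    if (item.href) { target.setAttribute("href", item.href); li.appendChild(target); }
    target.textContent = item.label; // text only, markup is not interpreted
    ul.appendChild(li);
  }
  return ul;
}

// Only meaningful inside a page; under Node there is no `document`.
if (typeof document !== "undefined") {
  document.body.appendChild(renderItems(document, remoteItems));
}
```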

Thanks for replying.

I have one question.
The SCRIPT is in the extension, not from a server, so why are you saying remote SCRIPT?

Also, my extension injects some scripts, including a lib; they are in the extension, not from a server. Is this also remote SCRIPT?

I said that because your topic title says: How can I sanitize remote script in content script?

Ok.

Then injecting scripts in extensions is fine?

Injecting scripts that are inside the addon is allowed but that depends on the content of the script.

A jQuery JS inside the addon is allowed. A Google Analytics JS inside the addon is not allowed.

It all depends on the content of the script.
For example, some scripts have remote script injection in them, and they will be rejected.