How to use nsIParserUtils inside firefox addon sdk 1.10 main.js?


Problem description

My recent submission to the Firefox add-on site (based on Firefox Add-on SDK 1.10) was rejected because I had not sanitized the input I use, and it was suggested that I use nsIParserUtils.

I found the function parseHTML(doc, html, allowStyle, baseURI, isXML) on that page. I changed it to:

function parseHTML(doc, html, allowStyle, baseURI, isXML) {
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    var f =  parser.parseFragment(html, allowStyle ? parser.SanitizerAllowStyle : 0,
                                        !!isXML, baseURI, doc);
    return f;
}

And the first parameter there is said to be a document element. I have no idea what that is supposed to be. I tried document.createDocumentFragment() but I get a "ReferenceError: document is not defined" error. Can someone help me with how to call this function?

And the function returns an nsIDOMDocumentFragment. How do I convert that back to a string?

Update:

As suggested by @zer0 I used:

var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
var sanitizedHTML = parser.sanitize(html, flags);

But it defeats the purpose of what I wanted to do. For example:

<html><head><BASE href='http://localhost/t/h.html' />
<link rel="stylesheet" type="text/css" href="h.css">
<style type="text/css">
.b{
    color:green;
}
</style>
<base href="http://foo.example.com/">
</head><body>Sample Text. No Style
<script>Hello malicious code</script>
<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>

<a href="sample.html">Link</a><br><br><div style='color: #666666; font-size: 12px'>Clipped on 6-October-2012, 07:37:39 PM from <a href='http://localhost/t/h.html'>http://localhost/t/h.html</a> </div></body></html>

is converted to:

<html><head>  


<style type="text/css">
.b{

    color:green;
}
</style>



</head><body>Sample Text. No Style

<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>

<a>Link</a><br><br><div style="color: #666666; font-size: 12px">Clipped on 6-October-2012, 07:37:39 PM from <a href="http://localhost/t/h.html">http://localhost/t/h.html</a> </div></body></html>

As this strips the external hyperlinks and CSS, it defeats the purpose of the add-on itself. What I want is for just the scripts to be removed:

<html><head><BASE href='http://localhost/t/h.html' /> <BASE href='http://localhost/t/h.html' /> 
<link rel="stylesheet" type="text/css" href="h.css">

<style type="text/css">
.b{

    color:green;
}
</style>
<base href="http://foo.example.com/">


</head><body>Sample Text. No Style
<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>

<a href="sample.html">Link</a><br><br><div style='color: #666666; font-size: 12px'>Clipped on 6-October-2012, 07:37:39 PM from <a href='http://localhost/t/h.html'>http://localhost/t/h.html</a> </div></body></html>

Can someone shed some light on this?

Recommended answer

Links to external styles are removed for a reason: external styles cannot be validated and they might be dangerous (in particular, -moz-binding can be used to run code). Also, the assumption is that you could put the HTML code into a location where following relative links isn't safe (such as mail messages in Thunderbird). Absolute links are always fine, however.

What you might want to do is preprocess the HTML code to remove these issues: resolve relative links and inline references to external styles. Something like this:

// In an Add-on SDK main.js, Cc/Ci come from the "chrome" module and
// XMLHttpRequest from "sdk/net/xhr" (neither is a global there)
const {Cc, Ci} = require("chrome");
const {XMLHttpRequest} = require("sdk/net/xhr");

// Parse the HTML code into a temporary document
var doc = Cc["@mozilla.org/xmlextras/domparser;1"]
               .createInstance(Ci.nsIDOMParser)
               .parseFromString(html, "text/html");

// Make sure all links are absolute
for (var i = 0; i < doc.links.length; i++)
    doc.links[i].setAttribute("href", doc.links[i].href);

// Make sure all stylesheets are inlined
var stylesheets = doc.getElementsByTagName("link");
for (i = 0; i < stylesheets.length; i++)
{
    try
    {
        var request = new XMLHttpRequest();
        request.open("GET", stylesheets[i].href, false);
        request.send(null);
        var style = doc.createElement("style");
        style.setAttribute("type", "text/css");
        style.textContent = request.responseText;
        stylesheets[i].parentNode.replaceChild(style, stylesheets[i]);
        i--;
    }
    catch (e)
    {
        // Ignore download errors
    }
}

// Serialize the document into a string again
html = Cc["@mozilla.org/xmlextras/xmlserializer;1"]
         .createInstance(Ci.nsIDOMSerializer)
         .serializeToString(doc.documentElement);

// Now sanitize the HTML code (style kept, scripts and external references dropped)
var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
var sanitizedHTML = parser.sanitize(html, parser.SanitizerAllowStyle);

Note that I used a synchronous XMLHttpRequest to download stylesheet contents. This has been done for simplicity; your final code should use asynchronous downloads (most likely via the request module) that will not hang the user interface.
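The "make all links absolute" step above relies on the DOM resolving `doc.links[i].href` against the document's base before the sanitizer strips the `<base>` element and any relative `href`. As an added illustration (not code from the question or the answer), the same resolution done with the WHATWG URL API in plain Node, using the question's own base and link values; `absolutizeLinks` and the sample arrays are constructed for this example. It also shows why the question's second `<base href="http://foo.example.com/">` has no effect: per the HTML spec only the first `<base href>` is honoured.

```javascript
// Added example: resolve relative hrefs the way the DOM would before sanitizing.
// documentUrl: the URL the HTML was clipped from (assumed here); baseHrefs: every
// <base href> in document order; hrefs: the raw href attributes to resolve.
function absolutizeLinks(documentUrl, baseHrefs, hrefs) {
  // Only the first <base href> counts, and it is itself resolved against the
  // document URL; with no <base> at all, the document URL is the base.
  const effectiveBase = baseHrefs.length
    ? new URL(baseHrefs[0], documentUrl).href
    : documentUrl;
  return hrefs.map((href) => {
    try {
      return new URL(href, effectiveBase).href;
    } catch (e) {
      // Unresolvable href (e.g. "http://"): nothing absolute to write back, so the
      // sanitizer will drop it, exactly as it drops relative links
      return null;
    }
  });
}

// Constructed from the question's sample: two <base> elements, a relative link,
// a relative stylesheet reference and one already-absolute link.
const sampleDocumentUrl = "http://localhost/t/h.html";
const sampleBases = ["http://localhost/t/h.html", "http://foo.example.com/"];
const sampleHrefs = ["sample.html", "h.css", "http://localhost/t/h.html"];

console.log(absolutizeLinks(sampleDocumentUrl, sampleBases, sampleHrefs));
```

Writing the resolved values back into the `href` attributes before calling `parser.sanitize` is what lets those links survive, since the sanitizer keeps absolute links and removes the `<base>` element they depended on.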
