How to use nsIParserUtils inside firefox addon sdk 1.10 main.js?
Problem description
My recent submission to the Firefox add-on site (based on Firefox Add-on SDK 1.10) was rejected because I had not sanitized the input I use, and I was suggested to use nsIParserUtils.
I found the function parseHTML(doc, html, allowStyle, baseURI, isXML) on that page. I changed it to:
    function parseHTML(doc, html, allowStyle, baseURI, isXML) {
      var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
      // parseFragment() returns an nsIDOMDocumentFragment owned by `doc`
      var f = parser.parseFragment(html, allowStyle ? parser.SanitizerAllowStyle : 0,
                                   !!isXML, baseURI, doc);
      return f;
    }
And the first parameter in that is said to be a document element. I have no idea what that is supposed to be. I tried document.createDocumentFragment() but I get a "ReferenceError: document is not defined" error. Can someone help me with how to call this function?
And the function returns an nsIDOMDocumentFragment. How do I convert that back to a string?
Update:
As suggested by @zer0 I used:
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    var sanitizedHTML = parser.sanitize(html, flags);
But it defeats the purpose of what I wanted to do. For example:
<html><head><BASE href='http://localhost/t/h.html' />
<link rel="stylesheet" type="text/css" href="h.css">
<style type="text/css">
.b{
color:green;
}
</style>
<base href="http://foo.example.com/">
</head><body>Sample Text. No Style
<script>Hello malicious code</script>
<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>
<a href="sample.html">Link</a><br><br><div style='color: #666666; font-size: 12px'>Clipped on 6-October-2012, 07:37:39 PM from <a href='http://localhost/t/h.html'>http://localhost/t/h.html</a> </div></body></html>
is converted to:
<html><head>
<style type="text/css">
.b{
color:green;
}
</style>
</head><body>Sample Text. No Style
<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>
<a>Link</a><br><br><div style="color: #666666; font-size: 12px">Clipped on 6-October-2012, 07:37:39 PM from <a href="http://localhost/t/h.html">http://localhost/t/h.html</a> </div></body></html>
As this strips the external hyperlinks and CSS, it defeats the purpose of the add-on itself. What I want is for just the scripts to be removed:
<html><head><BASE href='http://localhost/t/h.html' /> <BASE href='http://localhost/t/h.html' />
<link rel="stylesheet" type="text/css" href="h.css">
<style type="text/css">
.b{
color:green;
}
</style>
<base href="http://foo.example.com/">
</head><body>Sample Text. No Style
<p class="a">External Style</p>
<p class="b">Internal Style</p>
<p style="color:blue">Inline Style</p>
<a href="sample.html">Link</a><br><br><div style='color: #666666; font-size: 12px'>Clipped on 6-October-2012, 07:37:39 PM from <a href='http://localhost/t/h.html'>http://localhost/t/h.html</a> </div></body></html>
Can someone shed some light on this?
Recommended answer
Links to external styles are removed for a reason: external styles cannot be validated and they might be dangerous (in particular, -moz-binding can be used to run code). Also, the assumption is that you could put the HTML code into a location where following relative links isn't safe (such as mail messages in Thunderbird). Absolute links are always fine, however.
What you might want to do is preprocess the HTML code to remove these issues: resolve relative links and inline references to external styles. Something like this:
    // Cc and Ci are not globals in an Add-on SDK main.js; import them from "chrome".
    // XMLHttpRequest is not a global there either and comes from the SDK's xhr module.
    const {Cc, Ci} = require("chrome");

    // Parse the HTML code into a temporary document
    var doc = Cc["@mozilla.org/xmlextras/domparser;1"]
                .createInstance(Ci.nsIDOMParser)
                .parseFromString(html, "text/html");

    // Make sure all links are absolute: the .href property is already resolved
    // against the document's base URI, so write it back into the attribute
    for (var i = 0; i < doc.links.length; i++)
      doc.links[i].setAttribute("href", doc.links[i].href);

    // Make sure all stylesheets are inlined
    var stylesheets = doc.getElementsByTagName("link");
    for (i = 0; i < stylesheets.length; i++)
    {
      // Only <link rel="stylesheet"> carries CSS; leave icons, alternates etc. alone
      if (stylesheets[i].rel.toLowerCase() != "stylesheet")
        continue;
      try
      {
        var request = new XMLHttpRequest();
        request.open("GET", stylesheets[i].href, false);
        request.send(null);
        var style = doc.createElement("style");
        style.setAttribute("type", "text/css");
        style.textContent = request.responseText;
        stylesheets[i].parentNode.replaceChild(style, stylesheets[i]);
        i--;  // the live collection just shrank by one element
      }
      catch (e)
      {
        // Ignore download errors
      }
    }

    // Serialize the document into a string again
    html = Cc["@mozilla.org/xmlextras/xmlserializer;1"]
             .createInstance(Ci.nsIDOMSerializer)
             .serializeToString(doc.documentElement);

    // Now sanitize the HTML code
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    var sanitizedHTML = parser.sanitize(html, parser.SanitizerAllowStyle);
Note that I used a synchronous XMLHttpRequest to download stylesheet contents; this has been done for simplicity. Your final code should use asynchronous downloads (most likely via the request module) that will not hang the user interface.