How to set an XUL key dynamically and securely?
I am trying to create a key element dynamically for my bootstrapped add-on. Currently, I create a keyset element and append it to document.getElementById('mainKeyset').parentNode with appendChild() and then create the key element (myKey) and append it to the keyset. I set the key's id, modifiers, and key attributes and then do myKey.addEventListener('command', function() {myFunction()}); to add a function to the key. After this, I can successfully call myFunction() by doing myKey.doCommand(). However, when I press the modifiers and key that I assigned in the key's attributes, nothing happens.

I am trying to avoid setting the command and oncommand attributes because I know there is a security issue with setting oncommand dynamically, but maybe I do need to use them somehow? I have seen it stated that a key cannot work without command or oncommand set, so perhaps it is not possible to create a key dynamically without setting one of them. My event listener works if I set oncommand to "void(0);" (following the example given here). However, I don't know if something like that could get past Mozilla's extension approval process.

The statement about <key> elements requiring either a command or an oncommand attribute is correct. Looking at the code triggering key handlers, it has an optimization that will ignore any <key> element that is either disabled or has neither a command nor an oncommand attribute - so the command event won't even fire for these elements. I solve this by adding a dummy oncommand attribute containing a JavaScript comment:

key.setAttribute("oncommand", "//");

But void(0); is fine as an attribute value as well, of course.

There won't be any issues getting this reviewed. The potential security issue you heard about is generating the oncommand value dynamically, e.g.:

key.setAttribute("oncommand", "foo('" + bar + "')");

Depending on the value of bar (and particularly when bar comes from a website) this can be very dangerous. However, you don't generate the attribute value dynamically, it's always void(0); in your case - so no issue there.
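
The pattern from the answer above, as an added example that is not part of the original question or answer: a constant dummy oncommand plus an addEventListener handler, with any untrusted value kept in the closure instead of being concatenated into the attribute. makeElement and pressShortcut are constructed stand-ins for the XUL DOM and for the key dispatch optimization the answer describes, so the snippet runs outside Firefox; addShortcut and demo are hypothetical names.

```javascript
// Constructed stand-in for a XUL element; only what the example needs.
function makeElement(tag) {
  const attrs = {}, listeners = [];
  return {
    tag, children: [],
    setAttribute(n, v) { attrs[n] = String(v); },
    hasAttribute(n) { return n in attrs; },
    getAttribute(n) { return n in attrs ? attrs[n] : null; },
    appendChild(c) { this.children.push(c); return c; },
    addEventListener(type, fn) { if (type === "command") listeners.push(fn); },
    fireCommand() { listeners.forEach(fn => fn()); },
  };
}

// Models the optimization the answer describes: a <key> that is disabled or has
// neither command nor oncommand is skipped, so its command listeners never run.
function pressShortcut(keyset, modifiers, key) {
  let fired = 0;
  for (const k of keyset.children) {
    if (k.getAttribute("disabled") === "true") continue;
    if (!k.hasAttribute("command") && !k.hasAttribute("oncommand")) continue;
    if (k.getAttribute("modifiers") === modifiers && k.getAttribute("key") === key) {
      k.fireCommand(); fired++;
    }
  }
  return fired;
}

// Safe pattern: oncommand is a fixed literal; untrusted data lives only in the closure.
function addShortcut(keyset, id, modifiers, key, handler, withDummy = true) {
  const k = makeElement("key");
  k.setAttribute("id", id);
  k.setAttribute("modifiers", modifiers);
  k.setAttribute("key", key);
  if (withDummy) k.setAttribute("oncommand", "void(0);"); // never built from input
  k.addEventListener("command", handler);
  return keyset.appendChild(k);
}

function demo() {
  const keyset = makeElement("keyset");
  const bar = "'); otherCode(); ('"; // constructed hostile value, e.g. read from a web page
  const seen = [];
  addShortcut(keyset, "k1", "accel,shift", "Y", () => seen.push(bar), false);
  const without = pressShortcut(keyset, "accel,shift", "Y"); // no oncommand: skipped
  const k2 = addShortcut(keyset, "k2", "accel,shift", "U", () => seen.push(bar));
  const withDummy = pressShortcut(keyset, "accel,shift", "U");
  return { without, withDummy, seen, attr: k2.getAttribute("oncommand") };
}
```

In demo(), bar reaches the handler as a plain string and is never parsed as script, which is the difference from the "foo('" + bar + "')" form shown in the answer.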