How to set an XUL key dynamically and securely?


Problem description

I am trying to create a key element dynamically for my bootstrapped add-on. Currently, I create a keyset element and append it to document.getElementById('mainKeyset').parentNode with appendChild() and then create the key element (myKey) and append it to the keyset. I set the key's id, modifiers, and key attributes and then do myKey.addEventListener('command', function() {myFunction()}); to add a function to the key. After this, I can successfully call myFunction() by doing myKey.doCommand(). However, when I press the modifiers and key that I assigned in the key's attributes, nothing happens.

I am trying to avoid setting the command and oncommand attributes because I know there is a security issue with setting oncommand dynamically, but maybe I do need to use them somehow? I have seen it stated that a key cannot work without command or oncommand set, so perhaps it is not possible to create a key dynamically without setting one of them. My event listener works if I set oncommand to "void(0);" (following the example given here). However, I don't know if something like that could get past Mozilla's extension approval process.

Solution

The statement about <key> elements requiring either a command or an oncommand attribute is correct. Looking at the code triggering key handlers, it has an optimization that will ignore any <key> element that is either disabled or has neither a command nor an oncommand attribute - so the command event won't even fire for these elements. I solve this by adding a dummy oncommand attribute containing a JavaScript comment:

key.setAttribute("oncommand", "//");

But void(0); is fine as an attribute value as well, of course.

There won't be any issues getting this reviewed. The potential security issue you heard about is generating oncommand value dynamically, e.g.:

key.setAttribute("oncommand", "foo('" + bar + "')");

Depending on the value of bar (and particularly when bar comes from a website) this can be very dangerous. However, you don't generate the attribute value dynamically, it's always void(0); in your case - so no issue there.
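
The difference between the two patterns, as an added example that is not part of the original answer and runs under Node rather than in Firefox. FakeKey, bindUnsafe, bindSafe and run are hypothetical names, and FakeKey is a constructed stand-in that models only the key-handler behaviour described above.

```javascript
// Constructed stand-in for a XUL <key>; it models only the behaviour described above.
class FakeKey {
  constructor(scope) { this.attrs = {}; this.listeners = []; this.scope = scope; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  addEventListener(type, fn) { if (type === "command") this.listeners.push(fn); }
  press() {
    // Keys with neither command nor oncommand are skipped: no command event at all.
    if (!("command" in this.attrs) && !("oncommand" in this.attrs)) return false;
    // An oncommand value is compiled and run as script, like any inline handler.
    if ("oncommand" in this.attrs) new Function("foo", this.attrs.oncommand)(this.scope.foo);
    this.listeners.forEach(fn => fn());
    return true;
  }
}

// Pattern the answer warns about: data concatenated into script text.
function bindUnsafe(key, bar) {
  key.setAttribute("oncommand", "foo('" + bar + "')");
}

// Pattern the answer recommends: constant attribute, logic in a listener.
function bindSafe(key, bar) {
  key.setAttribute("oncommand", "void(0);");
  key.addEventListener("command", () => key.scope.foo(bar));
}

// Press a key bound with `bind` and return every argument foo() received.
function run(bind, bar) {
  const seen = [];
  const key = new FakeKey({ foo: arg => seen.push(arg) });
  if (bind) bind(key, bar);
  else key.addEventListener("command", () => key.scope.foo(bar)); // listener only
  const fired = key.press();
  return { fired, seen, oncommand: key.attrs.oncommand };
}

// Constructed input: a quote in the data ends the string literal early.
const hostile = "x'); foo('INJECTED";

console.log(run(null, "hello"));       // listener only: the key never fires
console.log(run(bindUnsafe, hostile)); // foo runs twice: the data became code
console.log(run(bindSafe, hostile));   // foo runs once with the raw string
```

With bindSafe the attribute text is the same constant for every input, so the value of bar only ever reaches foo as an argument.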
