authorAlessio Vanni <vannilla@firemail.cc>2021-07-06 19:47:23 +0200
committerJesús <heckyel@hyperbola.info>2022-04-06 09:48:00 +0800
commit5aa99a2ea2b683ba35eb36dfc54efd79f3cfcb85 (patch)
tree75ba29e485acdc7752ec2ac26ed017029e1e6124
parent9147038defa859e42b999573b1279f90c5822c2f (diff)
Limit recursion when handling parameters
Signed-off-by: Jesús <heckyel@hyperbola.info>
-rw-r--r--js/main-blocked.js211
1 files changed, 105 insertions, 106 deletions
diff --git a/js/main-blocked.js b/js/main-blocked.js
index c77dcec..cea79ce 100644
--- a/js/main-blocked.js
+++ b/js/main-blocked.js
@@ -2,7 +2,7 @@
ηMatrix - a browser extension to black/white list requests.
Copyright (C) 2015-2019 Raymond Hill
- Copyright (C) 2019-2020 Alessio Vanni
+ Copyright (C) 2019-2020-2021 Alessio Vanni
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -17,7 +17,7 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see {http://www.gnu.org/licenses/}.
- Home: https://libregit.spks.xyz/heckyel/ematrix
+ Home: https://gitlab.com/vannilla/ematrix
uMatrix Home: https://github.com/gorhill/uBlock
*/
@@ -25,153 +25,152 @@
'use strict';
-/******************************************************************************/
+(function () {
+ let details = {};
-(function() {
-
- /******************************************************************************/
-
- var details = {};
-
- (function() {
- var matches = /details=([^&]+)/.exec(window.location.search);
- if ( matches === null ) { return; }
- try {
+ (function () {
+ let matches = /details=([^&]+)/.exec(window.location.search);
+ if (matches === null) {
+ return;
+ }
+ try {
details = JSON.parse(atob(matches[1]));
- } catch(ex) {
- }
+ } catch(ex) {
+ }
})();
- /******************************************************************************/
-
uDom('.what').text(details.url);
// uDom('#why').text(details.why.slice(3));
- /******************************************************************************/
-
// https://github.com/gorhill/uMatrix/issues/502
// Code below originally imported from:
// https://github.com/gorhill/uBlock/blob/master/src/js/document-blocked.js
+ (function () {
+ if (typeof URL !== 'function') {
+ return;
+ }
- (function() {
- if ( typeof URL !== 'function' ) { return; }
+ const reURL = /^https?:\/\//;
- var reURL = /^https?:\/\//;
-
- var liFromParam = function(name, value) {
- if ( value === '' ) {
- value = name;
- name = '';
+ const liFromParam = function (name, value) {
+ if (value === '') {
+ value = name;
+ name = '';
}
- var li = document.createElement('li');
- var span = document.createElement('span');
+
+ let li = document.createElement('li');
+ let span = document.createElement('span');
span.textContent = name;
li.appendChild(span);
- if ( name !== '' && value !== '' ) {
- li.appendChild(document.createTextNode(' = '));
+ if (name !== '' && value !== '') {
+ li.appendChild(document.createTextNode(' = '));
}
span = document.createElement('span');
- if ( reURL.test(value) ) {
- var a = document.createElement('a');
- a.href = a.textContent = value;
- span.appendChild(a);
+ if (reURL.test(value)) {
+ let a = document.createElement('a');
+ a.href = a.textContent = value;
+ span.appendChild(a);
} else {
- span.textContent = value;
+ span.textContent = value;
}
li.appendChild(span);
return li;
- };
+ };
- var safeDecodeURIComponent = function(s) {
+ const safeDecodeURIComponent = function (s) {
try {
- s = decodeURIComponent(s);
+ s = decodeURIComponent(s);
} catch (ex) {
}
return s;
- };
+ };
+
+ const renderParams = function (parentNode, rawURL, step) {
+ if (0 === step) {
+ // The URL is too nested, bail out (successfully) to
+ // avoid denial of service attacks.
+ return true;
+ }
- var renderParams = function(parentNode, rawURL) {
- var a = document.createElement('a');
+ let a = document.createElement('a');
a.href = rawURL;
- if ( a.search.length === 0 ) { return false; }
+ if (a.search.length === 0) {
+ return false;
+ }
- var pos = rawURL.indexOf('?');
- var li = liFromParam(
- vAPI.i18n('docblockedNoParamsPrompt'),
- rawURL.slice(0, pos)
- );
+ let pos = rawURL.indexOf('?');
+ let li = liFromParam(vAPI.i18n('docblockedNoParamsPrompt'),
+ rawURL.slice(0, pos));
parentNode.appendChild(li);
- var params = a.search.slice(1).split('&');
- var param, name, value, ul;
- for ( var i = 0; i < params.length; i++ ) {
- param = params[i];
- pos = param.indexOf('=');
- if ( pos === -1 ) {
+ let params = a.search.slice(1).split('&');
+ for (let i=0; i<params.length; ++i) {
+ let param = params[i];
+ pos = param.indexOf('=');
+ if (pos === -1) {
pos = param.length;
- }
- name = safeDecodeURIComponent(param.slice(0, pos));
- value = safeDecodeURIComponent(param.slice(pos + 1));
- li = liFromParam(name, value);
- if ( reURL.test(value) ) {
- ul = document.createElement('ul');
- renderParams(ul, value);
+ }
+ let name = safeDecodeURIComponent(param.slice(0, pos));
+ let value = safeDecodeURIComponent(param.slice(pos + 1));
+ li = liFromParam(name, value);
+
+ if (reURL.test(value)) {
+ let ul = document.createElement('ul');
+ renderParams(ul, value, step - 1);
li.appendChild(ul);
- }
- parentNode.appendChild(li);
+ }
+ parentNode.appendChild(li);
}
+
return true;
- };
+ };
- if ( renderParams(uDom.nodeFromId('parsed'), details.url) === false ) {
+ // The number of steps is arbitrary, but there's no point in
+ // making it to large.
+ if (renderParams(uDom.nodeFromId('parsed'), details.url, 3) === false) {
return;
- }
-
- var toggler = document.createElement('span');
- toggler.className = 'fa';
- uDom('#theURL > p').append(toggler);
-
- uDom(toggler).on('click', function() {
- var collapsed = uDom.nodeFromId('theURL').classList.toggle('collapsed');
- vAPI.localStorage.setItem(
- 'document-blocked-collapse-url',
- collapsed.toString()
- );
- });
-
- uDom.nodeFromId('theURL').classList.toggle(
- 'collapsed',
- vAPI.localStorage.getItem('document-blocked-collapse-url') === 'true'
- );
- })();
+ }
- /******************************************************************************/
+ let toggler = document.createElement('span');
+ toggler.className = 'fa';
+ uDom('#theURL > p').append(toggler);
- if ( window.history.length > 1 ) {
- uDom('#back').on('click', function() { window.history.back(); });
- uDom('#bye').css('display', 'none');
- } else {
- uDom('#bye').on('click', function() { window.close(); });
- uDom('#back').css('display', 'none');
- }
+ uDom(toggler).on('click', function () {
+ let collapsed = uDom
+ .nodeFromId('theURL')
+ .classList
+ .toggle('collapsed');
- /******************************************************************************/
+ vAPI.localStorage.setItem('document-blocked-collapse-url',
+ collapsed.toString());
+ });
- // See if the target hostname is still blacklisted, and if not, navigate to it.
+ let p = vAPI.localStorage.getItem('document-blocked-collapse-url');
+ uDom.nodeFromId('theURL').classList.toggle('collapsed', p === 'true');
+ })();
+ if (window.history.length > 1) {
+ uDom('#back').on('click', function () {
+ window.history.back();
+ });
+ uDom('#bye').css('display', 'none');
+ } else {
+ uDom('#bye').on('click', function () {
+ window.close();
+ });
+ uDom('#back').css('display', 'none');
+ }
+
+ // See if the target hostname is still blacklisted, and if not,
+ // navigate to it.
vAPI.messaging.send('main-blocked.js', {
- what: 'mustBlock',
- scope: details.hn,
- hostname: details.hn,
- type: 'doc'
- }, function(response) {
- if ( response === false ) {
+ what: 'mustBlock',
+ scope: details.hn,
+ hostname: details.hn,
+ type: 'doc'
+ }, function (response) {
+ if (response === false) {
window.location.replace(details.url);
- }
+ }
});
-
- /******************************************************************************/
-
})();
-
-/******************************************************************************/
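Review bot: The `window.location.replace(details.url)` call in the `mustBlock` callback still navigates to whatever `details.url` holds, and `details` is parsed straight from the `details=` query parameter with no type or scheme check. If this page can be opened with a query string chosen by another party (not visible in this hunk), restricting the target to the pattern the link code already uses would close that, e.g. `if (response === false && /^https?:\/\//.test(details.url)) {`; `reURL` is scoped to the inner function, so it would need hoisting or repeating. Separately, when `renderParams` reaches `step === 0` it returns `true` and the caller appends an empty `<ul>` because the recursive call's result is ignored; returning `false` at the limit and using `if (renderParams(ul, value, step - 1)) { li.appendChild(ul); }` avoids the empty list. The comment above the top-level call should read `making it too large`.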