Stop editing HTML as text.

An addons.thunderbird.net reviewer pointed out that innerHTML.replace() is risky, and textContent.replace() would be better. Instead of one big replace on the body contents, we now recursively do replacements on each text node and node attribute.

Stop editing HTML as text.
An addons.thunderbird.net reviewer pointed out that innerHTML.replace() is risky, and textContent.replace() would be better. Instead of one big replace on the body contents, we now recursively do replacements on each text node and node attribute.
e2619b35 · Anton Sarukhanov · 326269ea · e2619b35 · e2619b35
Commit e2619b35 authored 5 years ago by Anton Sarukhanov
--- a/chrome/content/unsafelinks.js
+++ b/chrome/content/unsafelinks.js
@@ -16,7 +16,30 @@ var unsafelinks = {
    onMessageLoad: function(event) {
        // Replace each safelinks URL in the message body with the original URL.
        var body = event.originalTarget.body;
-        body.innerHTML = body.innerHTML.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+        unsafelinks.replaceInNode(event.originalTarget.body);
+    },
+
+    replaceInNode: function(node) {
+        // Recursively replace URLs in this node and child nodes.
+        if (node.childNodes.length > 0) {
+            for (let i = 0; i < node.childNodes.length; i++) {
+                replaceInNode(node.childNodes[i]);
+            }
+        }
+
+        // If this is a text node, replace URLs in the text.
+        if (node.nodeType == Node.TEXT_NODE && node.nodeValue != '') {
+            node.nodeValue = node.nodeValue.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+        }
+
+        // Replace URLs in this node's attribute values.
+        // We're expecting <a href> <img src> and similar, but can't
+        // predict what other attrs may contain URLs. So check all of them.
+        for (let i = 0; i < node.attributes.length; i++) {
+            if (node.attributes[i].specified) {
+                node.nodeValue = node.nodeValue.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+            }
+        }
    },

    // Regular expression matching a safelinks-encoded URL.

--- a/manifest.json
+++ b/manifest.json
@@ -2,7 +2,7 @@
    "manifest_version": 2,
    "name": "Un-Safelinks",
    "description": "Replace URLs which have been rewritten by Office 365 Advanced Threat Protection with the original URL.",
-    "version": "1.3.1",
+    "version": "1.3.2",
    "author": "Anton Sarukhanov",
    "homepage_url": "https://github.com/antsar/unsafelinks",
    "applications": {