From e2619b357bf4ea786ce6b67ce5dc9716e6ea0022 Mon Sep 17 00:00:00 2001
From: Anton Sarukhanov <code@ant.sr>
Date: Thu, 21 Nov 2019 10:03:23 -0500
Subject: [PATCH] Stop editing HTML as text.

An addons.thunderbird.net reviewer pointed out that innerHTML.replace() is risky, and textContent.replace() would be better. Instead of one big replace on the body contents, we now recursively do replacements on each text node and node attribute.
---
 chrome/content/unsafelinks.js | 25 ++++++++++++++++++++++++-
 manifest.json | 2 +-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/chrome/content/unsafelinks.js b/chrome/content/unsafelinks.js
index b0fd8dc..a9a1f77 100644
--- a/chrome/content/unsafelinks.js
+++ b/chrome/content/unsafelinks.js
@@ -16,7 +16,30 @@ var unsafelinks = {
 onMessageLoad: function(event) {
 // Replace each safelinks URL in the message body with the original URL.
 var body = event.originalTarget.body;
- body.innerHTML = body.innerHTML.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+ unsafelinks.replaceInNode(event.originalTarget.body);
+ },
+
+ replaceInNode: function(node) {
+ // Recursively replace URLs in this node and child nodes.
+ if (node.childNodes.length > 0) {
+ for (let i = 0; i < node.childNodes.length; i++) {
+ replaceInNode(node.childNodes[i]);
+ }
+ }
+
+ // If this is a text node, replace URLs in the text.
+ if (node.nodeType == Node.TEXT_NODE && node.nodeValue != '') {
+ node.nodeValue = node.nodeValue.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+ }
+
+ // Replace URLs in this node's attribute values.
+ // We're expecting <a href> <img src> and similar, but can't
+ // predict what other attrs may contain URLs. So check all of them.
+ for (let i = 0; i < node.attributes.length; i++) {
+ if (node.attributes[i].specified) {
+ node.nodeValue = node.nodeValue.replace(unsafelinks.urlRegex, unsafelinks.replacer);
+ }
+ }
 },
 
 // Regular expression matching a safelinks-encoded URL.
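Review bot: The attribute loop at the end of `replaceInNode` assigns `node.nodeValue` instead of the attribute's own value, so no `href` or `src` is ever rewritten; on an element `node.nodeValue` is null and `.replace` throws, and on a text node `node.attributes` is undefined so `node.attributes.length` throws as well. The recursive call is also a bare `replaceInNode(...)`, which is not a binding in scope inside the object-literal method and needs to be `unsafelinks.replaceInNode(...)`. As written the walk appears to abort on the first node that has children, which would leave every link in its wrapped form. Because the restored URL is sender-controlled and is now written into every attribute, it is worth confirming that `unsafelinks.replacer` (defined outside this hunk) only yields http(s) URLs before assigning them. The fence shows the recursion and attribute loop corrected, with the text-node branch left as it is.

```javascript
  replaceInNode: function(node) {
    // Recurse through the object; a bare replaceInNode is not in scope here.
    for (let i = 0; i < node.childNodes.length; i++) {
      unsafelinks.replaceInNode(node.childNodes[i]);
    }

    // … unchanged: text-node replacement …

    // Only elements carry attributes; text and comment nodes have none.
    if (node.nodeType == Node.ELEMENT_NODE) {
      for (let i = 0; i < node.attributes.length; i++) {
        const attr = node.attributes[i];
        if (attr.specified) {
          attr.value = attr.value.replace(unsafelinks.urlRegex, unsafelinks.replacer);
        }
      }
    }
  },
```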
diff --git a/manifest.json b/manifest.json
index 78b53c1..61a9f7a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -2,7 +2,7 @@
 "manifest_version": 2,
 "name": "Un-Safelinks",
 "description": "Replace URLs which have been rewritten by Office 365 Advanced Threat Protection with the original URL.",
- "version": "1.3.1",
+ "version": "1.3.2",
 "author": "Anton Sarukhanov",
 "homepage_url": "https://github.com/antsar/unsafelinks",
 "applications": {
-- 
GitLab