Ignore event handler-related attributes in set-attr scriptlet

As suggested by https://github.com/distinctmondaylilac in internal email to ubo-security: > As a sidenote, it may be worth considering if `set-attr` should > be able to set event handler attributes. It could potentially > be used to copy the contents of e.g. onclick to other event handlers, > resulting in self-clicking buttons.
gorhill · Feb 13, 2024 · 3037ae5 · 3037ae5
1 parent db5656f
commit 3037ae5
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/assets/resources/scriptlets.js b/assets/resources/scriptlets.js
@@ -3796,6 +3796,7 @@ function setAttr(
 
  const extractValue = elem => {
  if ( copyFrom !== '' ) {
+ if ( copyFrom.startsWith('on') && copyFrom in elem ) { return; }
  return elem.getAttribute(copyFrom) || '';
  }
  return value;
@@ -3812,6 +3813,7 @@ function setAttr(
  for ( const elem of elems ) {
  const before = elem.getAttribute(attr);
  const after = extractValue(elem);
+ if ( after === undefined ) { continue; }
  if ( after === before ) { continue; }
  elem.setAttribute(attr, after);
  }