[Greasemonkey] addEventListener security (was Removing anonymous
event handlers)
Nikolas Coukouma
lists at atrus.org
Wed Dec 7 16:07:42 EST 2005
Taral wrote:
> On 12/6/05, Nikolas Coukouma <lists at atrus.org> wrote:
>
>> nsIDOMEventTarget
>> http://www.xulplanet.com/references/xpcomref/ifaces/nsIDOMEventTarget.html
>>
>
> O.o
>
> http://lxr.mozilla.org/seamonkey/source/dom/public/idl/events/nsIDOMNSEventTarget.idl
>
> I just realized that most scripts should set that fourth argument to
> "false" for security...
Interesting. I'll quote the description for the lazy and note that the
"fourth argument" above is the "additional argument" below:
This method is the same as the addEventListener() method defined in
nsIDOMEventTarget, but it takes one additional argument which lets
callers control whether or not they want to receive untrusted events
(synthetic events generated by untrusted code)
Looking at the source for the element implementations, this apparently
defaults to true if the element is in a chrome document and false otherwise.
It's definitely best practice to pass false. Any script that modifies
data based on a UI event should be prodded about it. Dive into
Greasemonkey should probably be updated (4.21 in particular, Google also
finds 4.16, 4.22, and 5.8).
Note 1:
Firefox 1.5 is being built from the mozilla1.8 branch, so it's better to
look at that. I tend to link to XULPlanet just because it looks nicer.
Note 2:
This did exist in Firefox 1.0.x (mozilla1.7 and aviary101branch)
Source in question:
http://lxr.mozilla.org/mozilla1.8/source/content/base/src/nsGenericElement.cpp#664
http://lxr.mozilla.org/mozilla1.8/source/content/base/src/nsDocument.cpp#4068
More information about the Greasemonkey
mailing list