Skip to content

prevent pasting large input on secure compose #4914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rrrooommmaaa merged 12 commits into from
Feb 20, 2023
Merged

prevent pasting large input on secure compose #4914

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
db62744
prevent pasting large input on secure compose
martgil Jan 30, 2023
9646d45
Added type definition for SquireEditor.getRoot()
rrrooommmaaa Jan 31, 2023
3349f70
apply requested change
martgil Feb 3, 2023
b90f9a5
update
martgil Feb 3, 2023
f61d1e5
cleanup
martgil Feb 3, 2023
fae387d
Merge remote-tracking branch 'origin/master' into issue-4818-check-in…
martgil Feb 16, 2023
0d21743
update
martgil Feb 16, 2023
82782ac
consider selection
Feb 17, 2023
8b394b3
add warning modal
martgil Feb 18, 2023
7188655
update
martgil Feb 18, 2023
d1f23e7
update
martgil Feb 18, 2023
691c5df
update
martgil Feb 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion extension/chrome/elements/compose-modules/compose-input-module.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ import { ParsedRecipients } from '../../../js/common/api/email-provider/email-pr
import { Str } from '../../../js/common/core/common.js';
import { Xss } from '../../../js/common/platform/xss.js';
import { ViewModule } from '../../../js/common/view-module.js';
import { Ui } from '../../../js/common/browser/ui.js';
import { ComposeView } from '../compose.js';
import { Lang } from '../../../js/common/lang.js';

export class ComposeInputModule extends ViewModule<ComposeView> {
public squire = new window.Squire(this.view.S.cached('input_text').get(0));
Expand Down Expand Up @@ -78,12 +80,25 @@ export class ComposeInputModule extends ViewModule<ComposeView> {
return this.view.sendBtnModule.popover.choices.richtext;
};

public willInputLimitBeExceeded = (textToPaste: string, targetInputField: HTMLElement, selectionLengthGetter: () => number | undefined) => {
const limit = 50000;
const toBeRemoved = selectionLengthGetter() || 0;
const currentLength = targetInputField.innerText.trim().length;
const isInputLimitExceeded = currentLength - toBeRemoved + textToPaste.length > limit;
return isInputLimitExceeded;
};

private handlePaste = () => {
this.squire.addEventListener('willPaste', (e: WillPasteEvent) => {
this.squire.addEventListener('willPaste', async (e: WillPasteEvent) => {
const div = document.createElement('div');
div.appendChild(e.fragment);
const html = div.innerHTML;
const sanitized = this.isRichText() ? Xss.htmlSanitizeKeepBasicTags(html, 'IMG-KEEP') : Xss.htmlSanitizeAndStripAllTags(html, '<br>', false);
if (this.willInputLimitBeExceeded(sanitized, this.squire.getRoot(), () => this.squire.getSelectedText().length)) {
e.preventDefault();
await Ui.modal.warning(Lang.compose.inputLimitExceededOnPaste);
return;
}
Copy link
Contributor

@rrrooommmaaa rrrooommmaaa Feb 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Xss.setElementContentDANGEROUSLY(div, sanitized); // xss-sanitized
can also be moved after if {...}, right?

Copy link
Collaborator Author

@martgil martgil Feb 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right - you are correct. So that Xss.set... will execute only when needed.

Xss.setElementContentDANGEROUSLY(div, sanitized); // xss-sanitized
e.fragment.appendChild(div);
});
Expand Down
20 changes: 20 additions & 0 deletions extension/chrome/elements/compose.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import { PubLookup } from '../../js/common/api/pub-lookup.js';
import { AcctStore } from '../../js/common/platform/store/acct-store.js';
import { AccountServer } from '../../js/common/api/account-server.js';
import { ComposeReplyBtnPopoverModule } from './compose-modules/compose-reply-btn-popover-module.js';
import { Lang } from '../../js/common/lang.js';

export class ComposeView extends View {
public readonly acctEmail: string;
Expand Down Expand Up @@ -222,6 +223,25 @@ export class ComposeView extends View {
'click',
this.setHandler(async () => await this.renderModule.openSettingsWithDialog('help'), this.errModule.handle(`help dialog`))
);
this.S.cached('input_intro').on(
'paste',
this.setHandler(async (el, ev) => {
const clipboardEvent = ev.originalEvent as ClipboardEvent;
if (clipboardEvent.clipboardData) {
const isInputLimitExceeded = this.inputModule.willInputLimitBeExceeded(clipboardEvent.clipboardData.getData('text/plain'), el, () => {
const selection = window.getSelection();
if (selection && selection.anchorNode === selection.focusNode && selection.anchorNode?.parentElement === el) {
return Math.abs(selection.anchorOffset - selection.focusOffset);
}
return 0;
});
if (isInputLimitExceeded) {
ev.preventDefault();
await Ui.modal.warning(Lang.compose.inputLimitExceededOnPaste);
}
}
})
);
this.attachmentsModule.setHandlers();
this.inputModule.setHandlers();
this.myPubkeyModule.setHandlers();
Expand Down
1 change: 1 addition & 0 deletions extension/js/common/lang.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ export const Lang = {
enterprisePasswordPolicy:
'Please use password with the following properties:\n - one uppercase\n - one lowercase\n - one number\n - one special character eg &"#-\'_%-@,;:!*()\n - 8 characters length',
consumerPasswordPolicy: 'Please use a password at least 8 characters long',
inputLimitExceededOnPaste: "The paste operation can't be completed because the resulting text size would exceed the allowed limit of 50K.",
},
general: {
contactMinimalSubsentence,
Expand Down
1 change: 1 addition & 0 deletions extension/types/squire.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ export declare class SquireEditor {
removeAllFormatting(): void;
changeFormat(formattingToAdd: any, formattingToRemove: any, range: Range): void;
setConfig(config: any): SquireEditor;
getRoot(): HTMLElement;
}

export declare class WillPasteEvent extends ClipboardEvent {
Expand Down