Skip to content

Commit 56c6503

Browse files
committed
fix: refactor DOM injection to use createElement for security
1 parent 1d15946 commit 56c6503

File tree

1 file changed

+43
-24
lines changed

1 file changed

+43
-24
lines changed

content.js

Lines changed: 43 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,34 +1,53 @@
1-
const overlayHTML = `
2-
<div id="nozo-overlay-container">
3-
<div id="nozo-wrapper">
4-
<div id="nozo-controls">
5-
<button class="nozo-btn nozo-maximize-btn" title="Open in New Tab">
6-
<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"></path><polyline points="15 3 21 3 21 9"></polyline><line x1="10" y1="14" x2="21" y2="3"></line></svg>
7-
</button>
8-
<button class="nozo-btn nozo-close-btn" title="Close">
9-
<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"></line><line x1="6" y1="6" x2="18" y2="18"></line></svg>
10-
</button>
11-
</div>
12-
<div id="nozo-modal">
13-
<iframe id="nozo-iframe" src="about:blank"></iframe>
14-
</div>
15-
</div>
16-
</div>
17-
<div id="nozo-drop-zone">Drop here to Nozo</div>
18-
`;
1+
// Nozo Content Script
192

203
function initNozo() {
214
if (document.getElementById('nozo-overlay-container')) {
225
return;
236
}
247

25-
document.body.insertAdjacentHTML('beforeend', overlayHTML);
8+
// Build overlay container
9+
const overlayContainer = document.createElement('div');
10+
overlayContainer.id = 'nozo-overlay-container';
2611

27-
const overlay = document.getElementById('nozo-overlay-container');
28-
const iframe = document.getElementById('nozo-iframe');
29-
const closeBtn = document.querySelector('.nozo-close-btn');
30-
const maxBtn = document.querySelector('.nozo-maximize-btn');
31-
const dropZone = document.getElementById('nozo-drop-zone');
12+
const wrapper = document.createElement('div');
13+
wrapper.id = 'nozo-wrapper';
14+
15+
const controls = document.createElement('div');
16+
controls.id = 'nozo-controls';
17+
18+
const maxBtn = document.createElement('button');
19+
maxBtn.className = 'nozo-btn nozo-maximize-btn';
20+
maxBtn.title = 'Open in New Tab';
21+
maxBtn.innerHTML = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"></path><polyline points="15 3 21 3 21 9"></polyline><line x1="10" y1="14" x2="21" y2="3"></line></svg>';
22+
23+
const closeBtn = document.createElement('button');
24+
closeBtn.className = 'nozo-btn nozo-close-btn';
25+
closeBtn.title = 'Close';
26+
closeBtn.innerHTML = '<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"></line><line x1="6" y1="6" x2="18" y2="18"></line></svg>';
27+
28+
controls.appendChild(maxBtn);
29+
controls.appendChild(closeBtn);
30+
31+
const modal = document.createElement('div');
32+
modal.id = 'nozo-modal';
33+
34+
const iframe = document.createElement('iframe');
35+
iframe.id = 'nozo-iframe';
36+
iframe.src = 'about:blank';
37+
38+
modal.appendChild(iframe);
39+
wrapper.appendChild(controls);
40+
wrapper.appendChild(modal);
41+
overlayContainer.appendChild(wrapper);
42+
43+
const dropZone = document.createElement('div');
44+
dropZone.id = 'nozo-drop-zone';
45+
dropZone.textContent = 'Drop here to Nozo';
46+
47+
document.body.appendChild(overlayContainer);
48+
document.body.appendChild(dropZone);
49+
50+
const overlay = overlayContainer;
3251

3352
function closeNozo() {
3453
overlay.classList.remove('visible');

0 commit comments

Comments
 (0)