feat(adguard): santinize innerHTMLs

Author: vincentha766

manifest.json

@@ -69,7 +69,10 @@
         },
         {
             "all_frames": true,
-            "js": ["adguard/adguard-content.js"],
+            "js": [
+                "lib/purify.min.js",
+                "adguard/adguard-content.js"
+            ],
             "matches": [
                 "http://*/*",
                 "https://*/*"
@@ -82,7 +85,10 @@
             "css": [
                 "adguard/assistant/css/selector.css"
             ],
-            "js": ["adguard/adguard-assistant.js"],
+            "js": [
+                "lib/purify.min.js",
+                "adguard/adguard-assistant.js"
+            ],
             "matches": [
                 "http://*/*",
                 "https://*/*"

src/adguard/adguard-assistant.js

@@ -2715,7 +2715,7 @@
 
         $.i = function(s, context) {
             fn.push.apply(this, !s ? fn : s.nodeType || s == window ? [s] : "" + s === s ? /</.test(s) ?
-                ((i = document.createElement(context || 'q')).innerHTML = s, i.children) : (context && $(context)[0] || document).querySelectorAll(s) : /f/.test(typeof s) ? /c/.test(document.readyState) ? s() : $(document).on('DOMContentLoaded', s) : s);
+                ((i = document.createElement(context || 'q')).innerHTML = DOMPurify.sanitize(s), i.children) : (context && $(context)[0] || document).querySelectorAll(s) : /f/.test(typeof s) ? /c/.test(document.readyState) ? s() : $(document).on('DOMContentLoaded', s) : s);
         };
 
         $.i[l = 'prototype'] = ($.extend = function(obj) {

src/adguard/adguard-content.js

@@ -1556,9 +1556,9 @@ setDocument = Sizzle.setDocument = function( node ) {
 			// setting a boolean content attribute,
 			// since its presence should be enough
 			// https://bugs.jquery.com/ticket/12359
-			docElem.appendChild( el ).innerHTML = "<a id='" + expando + "'></a>" +
+			docElem.appendChild( el ).innerHTML = DOMPurify.sanitize("<a id='" + expando + "'></a>" +
 				"<select id='" + expando + "-\r\\' msallowcapture=''>" +
-				"<option selected=''></option></select>";
+				"<option selected=''></option></select>");
 
 			// Support: IE8, Opera 11-12.16
 			// Nothing should be selected when empty strings follow ^= or $= or *=
@@ -1595,8 +1595,8 @@ setDocument = Sizzle.setDocument = function( node ) {
 		});
 
 		assert(function( el ) {
-			el.innerHTML = "<a href='' disabled='disabled'></a>" +
-				"<select disabled='disabled'><option/></select>";
+			el.innerHTML = DOMPurify.sanitize("<a href='' disabled='disabled'></a>" +
+				"<select disabled='disabled'><option/></select>");
 
 			// Support: Windows 8 Native Apps
 			// The type and name attributes are restricted during .innerHTML assignment
@@ -3021,7 +3021,7 @@ support.sortDetached = assert(function( el ) {
 // Prevent attribute/property "interpolation"
 // https://msdn.microsoft.com/en-us/library/ms536429%28VS.85%29.aspx
 if ( !assert(function( el ) {
-	el.innerHTML = "<a href='#'></a>";
+	el.innerHTML = DOMPurify.sanitize("<a href='#'></a>");
 	return el.firstChild.getAttribute("href") === "#" ;
 }) ) {
 	addHandle( "type|href|height|width", function( elem, name, isXML ) {
@@ -3034,7 +3034,7 @@ if ( !assert(function( el ) {
 // Support: IE<9
 // Use defaultValue in place of getAttribute("value")
 if ( !support.attributes || !assert(function( el ) {
-	el.innerHTML = "<input/>";
+	el.innerHTML = DOMPurify.sanitize("<input/>");
 	el.firstChild.setAttribute( "value", "" );
 	return el.firstChild.getAttribute( "value" ) === "";
 }) ) {
@@ -5273,4 +5273,4 @@ var initPageMessageListener = function () { // jshint ignore:line
     init();
 })();
 
-})(window);
+})(window);

webpack.config.js

@@ -76,6 +76,7 @@ module.exports = {
             { from: "node_modules/popper.js/dist/umd/popper.min.js", to: "lib/" },
             { from: "node_modules/@antv/g2/dist/g2.min.js", to: "lib/g2/" },
             { from: "node_modules/@antv/data-set/dist/data-set.min.js", to: "lib/g2/" },
+            { from: "node_modules/dompurify/dist/purify.min.js", to: "lib/purify.min.js" },
             { from: "src/libs/icon", to: "lib/icon" },
             { from: "css", to: "css" },
             { from: "_locales", to: "_locales" },