author | Manish Goregaokar <manishearth@gmail.com> |
Thu, 14 Aug 2014 07:03:00 -0400 | |
changeset 199836 | 17485987eef9fb31570ea1868da4bb9686a6c60b |
parent 199835 | efe3c7a0091cc92474e8381fb7aa25f861d4bd31 |
child 199837 | 683b45b75b40a803f01de9d78e55b8b0ea1cb40b |
push id | 47750 |
push user | ryanvm@gmail.com |
push date | Fri, 15 Aug 2014 21:04:12 +0000 |
treeherder | mozilla-inbound@baea646f5a80 [default view] [failures only] |
reviewers | jwalker |
bugs | 1028903 |
milestone | 34.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/browser/devtools/scratchpad/scratchpad.js +++ b/browser/devtools/scratchpad/scratchpad.js @@ -1609,18 +1609,21 @@ var Scratchpad = { }; this.editor = new Editor(config); let editorElement = document.querySelector("#scratchpad-editor"); this.editor.appendTo(editorElement).then(() => { var lines = initialText.split("\n"); this.editor.on("change", this._onChanged); + let okstring = this.strings.GetStringFromName("selfxss.okstring"); + let msg = this.strings.formatStringFromName("selfxss.msg", [okstring], 1); this._onPaste = WebConsoleUtils.pasteHandlerGen(this.editor.container.contentDocument.body, - document.querySelector('#scratchpad-notificationbox')); + document.querySelector('#scratchpad-notificationbox'), + msg, okstring); editorElement.addEventListener("paste", this._onPaste); editorElement.addEventListener("drop", this._onPaste); this.editor.on("save", () => this.saveFile()); this.editor.focus(); this.editor.setCursor({ line: lines.length, ch: lines.pop().length }); if (state) this.dirty = !state.saved;
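Review bot: The paste guard is registered on `editorElement`, but the generator is given `this.editor.container.contentDocument.body` as `inputField`, and the handler in utils.js retires itself with `inputField.removeEventListener("paste", handler)`. In Scratchpad that removal therefore targets a node the listener was never added to, so once the usage threshold is reached the handler stays attached to `editorElement` and simply returns true on every paste and drop. That is harmless, but it is worth a comment above the call, for example `// The handler unregisters from inputField (the editor body), not editorElement; here it stays attached and becomes a no-op.` The typed-confirmation check that reads from `inputField` lives outside this hunk, so confirm it can actually see text typed into the editor body.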
--- a/browser/devtools/webconsole/webconsole.js +++ b/browser/devtools/webconsole/webconsole.js @@ -3132,17 +3132,21 @@ JSTerm.prototype = { this.completeNode = doc.querySelector(".jsterm-complete-node"); this.inputNode = doc.querySelector(".jsterm-input-node"); if (this.hud.owner._browserConsole && !Services.prefs.getBoolPref("devtools.chrome.enabled")) { inputContainer.style.display = "none"; } else { - this._onPaste = WebConsoleUtils.pasteHandlerGen(this.inputNode, doc.getElementById("webconsole-notificationbox")); + let okstring = l10n.getStr("selfxss.okstring"); + let msg = l10n.getFormatStr("selfxss.msg", [okstring]); + this._onPaste = WebConsoleUtils.pasteHandlerGen(this.inputNode, + doc.getElementById("webconsole-notificationbox"), + msg, okstring); this.inputNode.addEventListener("keypress", this._keyPress, false); this.inputNode.addEventListener("paste", this._onPaste); this.inputNode.addEventListener("drop", this._onPaste); this.inputNode.addEventListener("input", this._inputEventHandler, false); this.inputNode.addEventListener("keyup", this._inputEventHandler, false); this.inputNode.addEventListener("focus", this._focusEventHandler, false); }
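Review bot: The two `l10n` lookups in the `else` branch now run on every console initialisation, whereas the removed code in utils.js resolved them only when a warning was about to be shown. For users past the usage threshold the handler returns early and the strings are never used, so this is a small amount of wasted work rather than a defect. A short why-comment above the lookups would help the next reader, for example `// Resolved by the caller so Scratchpad can pass its own wording for the same self-XSS guard.`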
--- a/browser/locales/en-US/chrome/browser/devtools/scratchpad.properties +++ b/browser/locales/en-US/chrome/browser/devtools/scratchpad.properties @@ -98,8 +98,18 @@ scratchpad.label=Scratchpad # LOCALIZATION NOTE (scratchpad.panelLabel): this is used as the # label for the toolbox panel. scratchpad.panelLabel=Scratchpad Panel # LOCALIZATION NOTE (scratchpad.tooltip): This string is displayed in the # tooltip of the tab when the Scratchpad is displayed inside the developer tools # window. scratchpad.tooltip=Scratchpad + +# LOCALIZATION NOTE (selfxss.msg): the text that is displayed when +# a new user of the developer tools pastes code into the console +# %1 is the text of selfxss.okstring +selfxss.msg=Scam Warning: Take care when pasting things you don't understand. This could allow attackers to steal your identity or take control of your computer. Please type '%S' in the scratchpad below to allow pasting. + +# LOCALIZATION NOTE (selfxss.msg): the string to be typed +# in by a new user of the developer tools when they receive the sefxss.msg prompt. +# Please avoid using non-keyboard characters here +selfxss.okstring=allow pasting
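Review bot: The second localization note is labelled `selfxss.msg` and misspells the key as `sefxss.msg`, although it documents `selfxss.okstring`; localization notes are matched to strings by the key in parentheses, so this one may not be attached to the string it describes. It should read `# LOCALIZATION NOTE (selfxss.okstring): the string to be typed` and refer to `the selfxss.msg prompt`. The first note also says `%1` where the string uses `%S`; `# %S is the text of selfxss.okstring` would match. Because this warning is the whole user-facing control, the note could also tell localizers to keep the `%S` placeholder, so the phrase to type still appears in the message.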
--- a/toolkit/devtools/webconsole/utils.js +++ b/toolkit/devtools/webconsole/utils.js @@ -565,31 +565,29 @@ let WebConsoleUtils = { }, /** * The inputNode "paste" event handler generator. Helps prevent self-xss attacks * * @param nsIDOMElement inputField * @param nsIDOMElement notificationBox * @returns A function to be added as a handler to 'paste' and 'drop' events on the input field */ - pasteHandlerGen: function WCU_pasteHandlerGen(inputField, notificationBox){ + pasteHandlerGen: function WCU_pasteHandlerGen(inputField, notificationBox, msg, okstring) { let handler = function WCU_pasteHandler(aEvent) { if (WebConsoleUtils.usageCount >= CONSOLE_ENTRY_THRESHOLD) { inputField.removeEventListener("paste", handler); inputField.removeEventListener("drop", handler); return true; } if (notificationBox.getNotificationWithValue("selfxss-notification")) { aEvent.preventDefault(); aEvent.stopPropagation(); return false; } - let l10n = new WebConsoleUtils.l10n("chrome://browser/locale/devtools/webconsole.properties"); - let okstring = l10n.getStr("selfxss.okstring"); - let msg = l10n.getFormatStr("selfxss.msg", [okstring]); + let notification = notificationBox.appendNotification(msg, "selfxss-notification", null, notificationBox.PRIORITY_WARNING_HIGH, null, function(eventType) { // Cleanup function if notification is dismissed if (eventType == "removed") { inputField.removeEventListener("keyup", pasteKeyUpHandler); }
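Review bot: The JSDoc above `pasteHandlerGen` still lists only `inputField` and `notificationBox`, so the two new parameters are undocumented; add `* @param string msg` (the warning text shown in the notification) and `* @param string okstring` (the phrase the user must type to re-enable pasting). Because `okstring` now comes from the caller, an empty or undefined value would reach the keyup comparison, which is outside this hunk, and depending on how that comparison is written the guard could be satisfied trivially. A cheap fail-closed check at the top of the generator would rule that out, e.g. `if (!msg || !okstring) throw new Error("pasteHandlerGen: msg and okstring are required");`. The handler body continues past the end of the hunk.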