Split out makeInjector() and dependencies into a separate file
Outdated
This issue is not relative anymore as snippets are being refactored a part and not part of core.
Background
As of changeset 8c3243d71db0 (next
branch), the makeInjector()
function is part of lib/content/snippets.js
. While it must be part of the generated code, this function and its dependencies are critical to both the behavior of so-called "Type 2" snippets (those that use a <script>
element) and their security (hence why we use JSON.stringify()
).
If someone is to naively make a change to the way this function behaves without being aware of the full context, it could lead to incompatibilities between how such snippets behave on different versions of Adblock Plus (with no plan to address such incompatibilities (e.g. see Trac#7451)) and in a worse case introduce an XSS or similar vulnerability that may be possible to exploit even for end users.
While this should be of no urgency, it would be a good idea to split out makeInjector()
and its dependencies anyway into a separate file also in the lib/content
directory.
What to change
To be determined, but most likely will require changes to the compileScript()
function in lib/snippets.js
and possibly also in lib/contentFiltering.js
in adblockpluschrome
. Alternatively, this could be done by merging the two files into a single file using the build configuration in adblockpluschrome
(i.e. metadata.chrome
).