Merge branch 'main' into release/v1.3

Author: CodFrm

package.json

@@ -1,6 +1,6 @@
 {
   "name": "scriptcat",
-  "version": "1.3.0-beta.4",
+  "version": "1.3.0",
   "description": "脚本猫,一个可以执行用户脚本的浏览器扩展,万物皆可脚本化,让你的浏览器可以做更多的事情!",
   "author": "CodFrm",
   "license": "GPLv3",
@@ -36,6 +36,7 @@
     "crypto-js": "^4.2.0",
     "dayjs": "^1.11.13",
     "dexie": "^4.0.10",
+    "dompurify": "^3.3.1",
     "eslint-linter-browserify": "9.26.0",
     "eventemitter3": "^5.0.1",
     "fast-xml-parser": "^5.3.6",

pnpm-lock.yaml

@@ -64,7 +64,7 @@ export class ResourceDAO extends Repo<Resource> {
 }
 
 // CompiledResource结构变更时，建议修改 CompiledResourceNamespace 以删除旧Cache
-export const CompiledResourceNamespace = "a51b9167-fdde-467a-a86f-75e5636adda2";
+export const CompiledResourceNamespace = "57d79c56-231a-42d3-b6e3-d2004ba0866f";
 
 export class CompiledResourceDAO extends Repo<CompiledResource> {
   constructor() {

src/app/repo/resource.ts

@@ -106,9 +106,13 @@ export class ScriptExecutor {
           //   "@exclude /REGEX/" 的情况下，MV3 UserScripts API 基础匹配范围不会扩大，然后在 earlyScript 把符合 REGEX 的匹配除去
           //   (Any @exclude = true -> 除去)
           // 注：如果一早已被除排，根本不会被 MV3 UserScripts API 注入。所以只考虑排除「多余的匹配」。（略过注入）
-          if (isUrlExcluded(window.location.href, detail.scriptInfo.scriptUrlPatterns)) {
-            // 「多余的匹配」-> 略过注入
-            return;
+          try {
+            if (isUrlExcluded(window.location.href, detail.scriptInfo.scriptUrlPatterns)) {
+              // 「多余的匹配」-> 略过注入
+              return;
+            }
+          } catch (e) {
+            console.warn("Unexpected match error", e);
           }
         }
         this.execEarlyScript(scriptFlag, detail.scriptInfo, envInfo);

src/app/service/content/script_executor.ts

@@ -1,4 +1,5 @@
 import { Discord, DocumentationSite, ExtVersion, ExtServer } from "@App/app/const";
+import { sanitizeHTML } from "@App/pkg/utils/sanitize";
 import { Alert, Badge, Button, Card, Collapse, Dropdown, Menu, Switch, Tooltip } from "@arco-design/web-react";
 import {
   IconBook,
@@ -273,6 +274,9 @@ function App() {
         systemConfig.getCheckUpdate(),
       ]);
       if (!hookMgr.isMounted) return;
+      if (typeof checkUpdate.notice === "string") {
+        checkUpdate.notice = sanitizeHTML(checkUpdate.notice);
+      }
       setIsEnableScript(isEnableScript);
       setCheckUpdate(checkUpdate);
     };
@@ -374,13 +378,16 @@ function App() {
       ]).then(([resp]: [{ data: { notice: string; version: string } } | null | undefined, any]) => {
         let newCheckUpdateState = 0;
         if (resp?.data) {
+          let notice = "";
+          if (typeof resp.data.notice === "string") notice = sanitizeHTML(resp.data.notice);
+          const version = resp.data.version;
           setCheckUpdate((items) => {
-            if (resp.data.version === items.version) {
+            if (version === items.version) {
               newCheckUpdateState = 2;
               return items;
             }
-            const isRead = items.notice !== resp.data.notice ? false : items.isRead;
-            const newCheckUpdate = { ...resp.data, isRead };
+            const isRead = items.notice !== notice ? false : items.isRead;
+            const newCheckUpdate = { version, notice, isRead };
             systemConfig.setCheckUpdate(newCheckUpdate);
             return newCheckUpdate;
           });
@@ -482,7 +489,11 @@ function App() {
         <Alert
           style={{ display: showAlert ? "flex" : "none" }}
           type="info"
-          content={<div dangerouslySetInnerHTML={{ __html: checkUpdate.notice || "" }} />}
+          content={
+            <div
+              dangerouslySetInnerHTML={{ __html: checkUpdate.notice /* notice is already sanitized by dompurify */ }}
+            />
+          }
         />
         <Collapse
           bordered={false}

src/pages/popup/App.tsx

@@ -393,12 +393,14 @@ export class SystemConfig {
     });
   }
 
-  getCheckUpdate() {
-    return this._get<Parameters<typeof this.setCheckUpdate>[0]>("check_update", {
+  async getCheckUpdate(opts?: { sanitizeHTML?: (html: string) => string }) {
+    const result = await this._get<Parameters<typeof this.setCheckUpdate>[0]>("check_update", {
       notice: "",
       isRead: false,
       version: ExtVersion,
     });
+    if (typeof opts?.sanitizeHTML === "function") result.notice = opts.sanitizeHTML(result.notice);
+    return result;
   }
 
   setEnableScript(enable: boolean) {

src/pkg/config/config.ts

@@ -889,3 +889,13 @@ describe.concurrent("@include /REGEX/", () => {
     expect(isUrlIncluded("http://www.hlample.com/", url.rulesMap.get("ok1")!)).toEqual(false);
   });
 });
+
+describe.concurrent("invalid or unsupported glob #1271", () => {
+  const url = new UrlMatch<string>();
+  url.addInclude("*://*?*", "ok1");
+  url.addInclude("*://*?page*", "ok2");
+  it.concurrent("include *://*?*", () => {
+    expect(url.urlMatch("http://www.example.com/?a=1")).toEqual(["ok1"]);
+    expect(url.urlMatch("http://www.example.com/?page=1")).toEqual(["ok1", "ok2"]);
+  });
+});

src/pkg/utils/match.test.ts

@@ -18,8 +18,12 @@ export class UrlMatch<T> {
     if (cacheMap.has(url)) return cacheMap.get(url) as T[];
     const res: T[] = [];
     for (const [uuid, rules] of this.rulesMap) {
-      if (isUrlIncluded(url, rules)) {
-        res.push(uuid);
+      try {
+        if (isUrlIncluded(url, rules)) {
+          res.push(uuid);
+        }
+      } catch (e) {
+        console.warn("Unexpected match error", e);
       }
     }
     const sorter = this.sorter;

src/pkg/utils/match.ts

@@ -0,0 +1,24 @@
+import DOMPurify from "dompurify";
+
+// 允许的安全 CSS 属性白名单
+const ALLOWED_CSS_PROPERTIES = new Set(["color", "font-size", "font-weight", "font-style"]);
+
+// 过滤不安全的 CSS 属性，只保留白名单中的属性
+DOMPurify.addHook("afterSanitizeAttributes", (node) => {
+  if (node instanceof HTMLElement && node.hasAttribute("style")) {
+    const { style } = node;
+    for (let i = style.length - 1; i >= 0; i--) {
+      if (!ALLOWED_CSS_PROPERTIES.has(style[i])) {
+        style.removeProperty(style[i]);
+      }
+    }
+  }
+});
+
+// 对 HTML 进行清理，只保留安全的标签和属性
+export function sanitizeHTML(html: string): string {
+  return DOMPurify.sanitize(html, {
+    ALLOWED_TAGS: ["b", "i", "a", "br", "p", "strong", "em", "span"],
+    ALLOWED_ATTR: ["href", "target", "style"],
+  });
+}

src/pkg/utils/sanitize.ts

@@ -57,9 +57,15 @@ export function checkUrlMatch(s: string) {
 }
 
 const globSplit = (text: string) => {
-  text = text.replace(/\*{2,}/g, "*"); // api定义的 glob * 是等价于 glob **
-  text = text.replace(/\*(\?+)/g, "$1*"); // "*????" 改成 "????*"，避免 backward 处理
-  return text.split(/([*?])/g);
+  const split = text.split(/([*?]{2,})/g);
+  for (let i = 1; i < split.length; i += 2) {
+    // "*????" 改成 "????*"，避免 backward 处理
+    // api定义的 glob * 是等价于 glob **
+    const p = split[i]; // **??**??**
+    const q = p.replace(/\*/g, ""); // ????
+    if (p !== q) split[i] = `${q}*`; // ????*
+  }
+  return split.join("").split(/([*?])/g);
 };
 
 export const extractUrlPatterns = (lines: string[]): URLRuleEntry[] => {