Created
November 7, 2012 07:08
Polyfills unsafe functions in WWA so you can inject any content you want without security exceptions
```javascript
"use strict";
// Only patch when running inside a WWA host that exposes MSApp.
if (window.MSApp && window.MSApp.execUnsafeLocalFunction) {
    (function () {
        // Keep references to the native document.write / document.writeln.
        var _originalWrite = Document.prototype.write;
        var _originalWriteln = Document.prototype.writeln;
        Object.defineProperties(Document.prototype, {
            write: {
                value: function write() {
                    var targetDocument = this;
                    var targetArguments = arguments;
                    // Run the native call inside the unsafe wrapper so WWA does not throw.
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalWrite.apply(targetDocument, targetArguments);
                    });
                }
            },
            writeln: {
                value: function writeln() {
                    var targetDocument = this;
                    var targetArguments = arguments;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalWriteln.apply(targetDocument, targetArguments);
                    });
                }
            }
        });
        // Keep the native innerHTML / outerHTML accessors; getters are reused unchanged.
        var _originalInnerHTML = Object.getOwnPropertyDescriptor(HTMLElement.prototype, "innerHTML");
        var _originalOuterHTML = Object.getOwnPropertyDescriptor(HTMLElement.prototype, "outerHTML");
        Object.defineProperties(HTMLElement.prototype, {
            innerHTML: {
                get: _originalInnerHTML.get,
                // The setter no longer filters its input: value is injected as-is.
                set: function set_innerHTML(value) {
                    var targetElement = this;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalInnerHTML.set.call(targetElement, value);
                    });
                }
            },
            outerHTML: {
                get: _originalOuterHTML.get,
                set: function set_outerHTML(value) {
                    var targetElement = this;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalOuterHTML.set.call(targetElement, value);
                    });
                }
            }
        });
    })();
}
```
One thing to note about this feature. Having an implicit toStaticHTML at the injection points in your code can protect you from content which you don't control. If you decide to remove this implicit protection, then you have to provide it yourself whenever you are working with untrusted content. I know for a fact that many of my games and other websites don't have untrusted content, and so removing the protection makes porting to WWA a lot easier. But if you are unsure, you should either not use the poly-fill or you should do your own calls to toStaticHTML.
Early in your WWA page load you'll want to import this script. It will poly-fill the document and element prototype objects with new versions of the functions, which wrap the native versions in unsafe function wrappers. This tells WWA to not worry about the injection and not to throw the exception. Consequently, it also avoids the mandatory toStaticHTML call on the content. Even though we are adding layers, the new code is much faster since it no longer has the overhead of making the HTML safe.
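One way to do "your own calls to toStaticHTML" once the poly-fill is installed, as an added example that is not part of the original gist: the helper names `setTrustedHTML`, `setUntrustedHTML` and `getSanitizer` and the `host` parameter are hypothetical. Untrusted markup is passed through `toStaticHTML` when the host provides it and is written as plain text otherwise.

```javascript
// Added example, not the gist author's code. Helper names are hypothetical.
// Assumption: the host global (window in a WWA page) exposes toStaticHTML.

// Returns a sanitizing function, or null when the host has no toStaticHTML.
function getSanitizer(host) {
    host = host || (typeof window !== "undefined" ? window : null);
    if (host && typeof host.toStaticHTML === "function") {
        return function (html) { return host.toStaticHTML(html); };
    }
    return null;
}

// For markup that ships inside the app package and is fully under your control.
// With the poly-fill loaded, this assignment is injected without filtering.
function setTrustedHTML(element, html) {
    element.innerHTML = html;
}

// For anything from the network, user input, or storage that others can write.
// Restores the protection that the poly-fill removed from the innerHTML setter.
function setUntrustedHTML(element, html, host) {
    var sanitize = getSanitizer(host);
    if (sanitize) {
        element.innerHTML = sanitize(String(html));
        return "sanitized";
    }
    // Fail closed: no sanitizer available, so render the input as text only.
    element.textContent = String(html);
    return "text";
}
```

Call `setUntrustedHTML` at every injection point that can receive content you did not author, and reserve `setTrustedHTML` for packaged markup.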