@DigiTec
Created November 7, 2012 07:08
Polyfills unsafe functions in WWA so you can inject any content you want without security exceptions
"use strict";
// Only patch when running inside a WWA host that exposes MSApp.
if (window.MSApp && window.MSApp.execUnsafeLocalFunction) {
    (function () {
        // Keep references to the native methods before replacing them.
        var _originalWrite = Document.prototype.write;
        var _originalWriteln = Document.prototype.writeln;
        Object.defineProperties(Document.prototype, {
            write: {
                value: function write() {
                    var targetDocument = this;
                    var targetArguments = arguments;
                    // Run the native call inside the unsafe wrapper so no exception is thrown.
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalWrite.apply(targetDocument, targetArguments);
                    });
                }
            },
            writeln: {
                value: function writeln() {
                    var targetDocument = this;
                    var targetArguments = arguments;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalWriteln.apply(targetDocument, targetArguments);
                    });
                }
            }
        });
        // innerHTML and outerHTML are accessor properties: reuse the native
        // getters and wrap only the setters.
        var _originalInnerHTML = Object.getOwnPropertyDescriptor(HTMLElement.prototype, "innerHTML");
        var _originalOuterHTML = Object.getOwnPropertyDescriptor(HTMLElement.prototype, "outerHTML");
        Object.defineProperties(HTMLElement.prototype, {
            innerHTML: {
                get: _originalInnerHTML.get,
                set: function set_innerHTML(value) {
                    var targetElement = this;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalInnerHTML.set.call(targetElement, value);
                    });
                }
            },
            outerHTML: {
                get: _originalOuterHTML.get,
                set: function set_outerHTML(value) {
                    var targetElement = this;
                    MSApp.execUnsafeLocalFunction(function () {
                        _originalOuterHTML.set.call(targetElement, value);
                    });
                }
            }
        });
    })();
}

DigiTec commented Nov 7, 2012

Early in your WWA page load you'll want to import this script. It will poly-fill the document and element prototype objects with new versions of the functions, which wrap the native versions in unsafe function wrappers. This tells WWA to not worry about the injection and not to throw the exception. Consequently it also avoids the mandatory toStaticHTML call on the content. Even though we are adding layers, the new code is much faster since it no longer has the overhead of making the HTML safe.

DigiTec commented Nov 7, 2012

One thing to note about this feature. Having an implicit toStaticHTML at the injection points in your code can protect you from content which you don't control. If you decide to remove this implicit protection then you have to provide it yourself whenever you are working with untrusted content. I know for a fact that many of my games and other websites don't have untrusted content and so removing the protection makes porting to WWA a lot easier. But if you are unsure, you should either not use the poly-fill or you should do your own calls to toStaticHTML.
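
The second comment's advice, to make your own toStaticHTML calls for content you don't control, can be packaged as a pair of explicit writers so that each call site states whether its markup is trusted. This is an added example, not code from the gist or its author; `createHtmlWriters`, `setTrustedHTML`, `setUntrustedHTML` and `makeFakeHost` are hypothetical names, and `host` stands for the page's `window`.

```javascript
// Added example, not the gist author's code. `host` is the page's `window`;
// it is a parameter only so the logic can also run outside a WWA page.
function createHtmlWriters(host) {
    var msApp = host.MSApp;
    var canRunUnsafe = !!msApp && typeof msApp.execUnsafeLocalFunction === "function";
    var canSanitize = typeof host.toStaticHTML === "function";

    // Markup the app authored itself: lift the injection check for this one
    // assignment instead of for every innerHTML write on the page.
    function setTrustedHTML(element, markup) {
        if (canRunUnsafe) {
            msApp.execUnsafeLocalFunction(function () { element.innerHTML = markup; });
        } else {
            element.innerHTML = markup; // not a WWA host: plain assignment
        }
        return "trusted";
    }

    // Content from the network, the user or storage: sanitize explicitly, so
    // the result is the same whether or not the prototype polyfill is loaded.
    function setUntrustedHTML(element, markup) {
        if (canSanitize) {
            element.innerHTML = host.toStaticHTML(String(markup));
            return "sanitized";
        }
        element.textContent = String(markup); // fail closed: render as text only
        return "text";
    }

    return { setTrustedHTML: setTrustedHTML, setUntrustedHTML: setUntrustedHTML };
}

// Constructed stand-in for `window`, used only to exercise the helpers offline.
// Its toStaticHTML is a marker stub that records the call; it is not a sanitizer.
function makeFakeHost(log) {
    return {
        MSApp: {
            execUnsafeLocalFunction: function (fn) { log.push("unsafe"); return fn(); }
        },
        toStaticHTML: function (html) { log.push("static"); return "[static]" + html; }
    };
}
```

In a WWA page, call `createHtmlWriters(window)` once and route every HTML assignment through one of the two writers; `makeFakeHost` is only for running the logic outside the app host.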
