
Copy to clipboard as plain text

I'm using this code in background.js in a Chrome extension to copy text to the user's clipboard:

chrome.runtime.onMessage.addListener(
    function(request, sender, sendResponse) {
        if (request.command == "copy") {
            executeCopy(request.text);
            sendResponse({farewell: "copy request received"});
        }
    }
);

function executeCopy(text){
    var copyDiv = document.createElement('div');
    copyDiv.contentEditable = true;
    document.body.appendChild(copyDiv);
    copyDiv.innerHTML = text;
    copyDiv.unselectable = "off";
    copyDiv.focus();
    document.execCommand('SelectAll');
    document.execCommand("Copy", false, null);
    document.body.removeChild(copyDiv);
}

It copies the text with formatting. How can I copy the text in plain text with no formatting?

Your question's code contains a common security issue known as XSS. Because you take untrusted input and assign it to .innerHTML, you're allowing attackers to insert arbitrary HTML in the context of your document.

Fortunately, attackers cannot run scripts in the context of your extension because the extension's default Content Security Policy forbids inline scripts. This CSP is enforced in Chrome extensions exactly because of situations like this, to prevent XSS vulnerabilities.

The correct way to convert HTML to text is via the DOMParser API. The following two functions show how to copy text as text, or for your case HTML as text:

// Copy text as text
function executeCopy(text) {
    var input = document.createElement('textarea');
    document.body.appendChild(input);
    input.value = text;
    input.focus();
    input.select();
    document.execCommand('Copy');
    input.remove();
}

// Copy HTML as text (without HTML tags)
function executeCopy2(html) {
    var doc = new DOMParser().parseFromString(html, 'text/html');
    var text = doc.body.textContent;
    return executeCopy(text);
}

Note that .textContent completely ignores HTML tags. If you want to interpret <br>s as line breaks, use the non-standard (but supported in Chrome) .innerText property instead of .textContent.

Here are two of the many examples of how XSS could be abused using the executeCopy function from your question:

// This not only copies "Text", but also triggers a network request
// to example.com!
executeCopy('<img src="http://example.com/">Text');

// If you step through with a debugger, this will show an "alert" dialog
// (an arbitrary script supplied by the attacker!!)
debugger;
executeCopy('<iframe src="data:text/html,<script>alert(/XSS-ed!/);<\/script>"></iframe>');
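The HTML-to-text conversion the answer describes, as an added example that is not part of the original question or answer. Inside the extension, DOMParser plus .textContent as shown above is the right tool; this stand-in strips markup and decodes entities in a single pass without ever building a live DOM, so it can be run under Node and shows what the two payloads above reduce to. The brAsNewline option approximates the .innerText behaviour the answer mentions (a line break at <br> and block-element boundaries). copyRequestText is a hypothetical validation helper for the onMessage listener, and its 100000-character cap is an assumption, not something the page specifies.

```javascript
'use strict';

// Hypothetical helper (not from the question): validate the message before
// trusting anything in it. A content script can relay page-controlled data,
// so the background page treats request.text as untrusted input.
function copyRequestText(request) {
  if (!request || request.command !== 'copy') return null;
  if (typeof request.text !== 'string' || request.text.length > 100000) return null; // cap is an assumption
  return request.text;
}

// Named entities a clipboard-text converter is likely to meet; numeric
// references (&#60; &#x3c;) are decoded generically below.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode entities in a text run; unknown references are left as-is.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      const cp = parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const decoded = NAMED_ENTITIES[ref.toLowerCase()];
    return decoded === undefined ? match : decoded;
  });
}

// Elements whose boundary becomes a line break when brAsNewline is set
// (an approximation of innerText; textContent drops them all silently).
const LINE_BREAK_TAGS = new Set(['br', 'p', 'div', 'li', 'tr', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6']);

// Single pass over the markup: text outside tags is kept with entities
// decoded; tags and comments are dropped. Nothing is parsed into a live
// DOM, so <img>, <iframe> and <script> payloads cannot take effect.
function htmlToText(html, { brAsNewline = false } = {}) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) {
      out += decodeEntities(html.slice(i));
      break;
    }
    out += decodeEntities(html.slice(i, lt));
    if (html.startsWith('<!--', lt)) {           // comment: skip to -->
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const next = html[lt + 1];
    if (next === undefined || !/[A-Za-z\/!?]/.test(next)) {
      out += '<';                                // a bare '<' is text ("1 < 2")
      i = lt + 1;
      continue;
    }
    // Find the closing '>' while honouring quoted attribute values, so that
    // <img alt="a>b"> and the iframe payload above are each one tag.
    let j = lt + 1;
    let quote = null;
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) {
        if (c === quote) quote = null;
      } else if (c === '"' || c === "'") {
        quote = c;
      } else if (c === '>') {
        break;
      }
    }
    const name = (html.slice(lt + 1, j).match(/^\/?([A-Za-z][A-Za-z0-9]*)/) || [])[1];
    if (brAsNewline && name && LINE_BREAK_TAGS.has(name.toLowerCase())) {
      if (name.toLowerCase() === 'br' || (out.length && !out.endsWith('\n'))) out += '\n';
    }
    i = j + 1;
  }
  return brAsNewline ? out.replace(/\n+$/, '') : out;
}

// The two payloads from the answer above, reduced to inert text.
console.log(JSON.stringify(htmlToText('<img src="http://example.com/">Text')));
console.log(JSON.stringify(htmlToText('<iframe src="data:text/html,<script>alert(/XSS-ed!/);<\/script>"></iframe>')));
console.log(JSON.stringify(htmlToText('one<br>two<p>three</p>', { brAsNewline: true })));
```

Whatever htmlToText returns still has to reach the clipboard through textarea.value, as in the answer's executeCopy, and never through .innerHTML: the decoded text may legitimately contain "<script>" as characters, and that is only harmless as long as nothing parses it again.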
