XSS vulnerability

[augustozanellato]

Hi!
Both this extension and firefox-fastread (which is based on this one) are vulnerable to XSS due to a mishandling of HTML entities, specifically the extension inject part of an element's .innerText in some HTML without encoding certain characters as entities, so for example if there's a <script> it becomes <script> after the extension processes the page.

See https://augustozanellato.github.io/FastReadXSS/poc.html for a PoC

[johnkershaw]

Set 'fraction of word to bold' to 0.3 to see this PoC in action (otherwise the onerror splits between o and n):

• 0 1 1 2 0.3

[Cveinnt]

Would a hackish solution, such as

function purify(unsafe_str) {
      return unsafe_str
        .replace(/&/g, "&")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/\"/g, "&quot;")
        .replace(/\'/g, "&#39;")
        .replace(/\//g, "&#x2F;");
    }

prevent XSS attack of this kind?

I tested this with the latest commit, and it seems to be a quick way around it.