Will This Chrome Based Copy Paste Hack Work on FF Quantum?

I’m looking at recreating a legacy add-on, and it means that I need to find a way to read the contents of the clipboard.

I am early in the process, and I came across the following code (link). The author posted a simplified version of the basic code to read in the value of the clipboard in a Stack Overflow discussion, which seems relatively simple and contains well-documented code.

Short version (code follows) is that it creates a text box element on the background page, pastes the clipboard into it, and then reads the contents of the text box, which it assigns to a variable.

I have some questions:

  • Will this work in Firefox Quantum?
  • If yes, would this be invoked from the background script or a content script?
  • What is the best way to pass the variable between the two scripts?

I would note that I am working from a position of fairly profound ignorance here, so if I seem clueless, it is because I AM clueless.

Code follows:

var bg = chrome.extension.getBackgroundPage();    // get the background page
bg.document.body.innerHTML = "";                  // clear the background page

// add a DIV, contentEditable=true, to accept the paste action
// (created in and appended to the background page's own document)
var helperdiv = bg.document.createElement("div");
bg.document.body.appendChild(helperdiv);
helperdiv.contentEditable = true;

// focus the helper div's content
var range = bg.document.createRange();
range.selectNode(helperdiv);
bg.getSelection().removeAllRanges();
bg.getSelection().addRange(range);
helperdiv.focus();

// trigger the paste action
bg.document.execCommand("Paste");

// read the clipboard contents from the helperdiv
var clipboardContents = helperdiv.innerHTML;

I am also fairly clueless, being only one webextension into my very short webextension-writing career, but that said, I’ll have a crack at answering your questions.

Found this on the webextension docs page:

Looks like you need to change ‘Paste’ to ‘paste’ in the execCommand call, but then it will work.

It’s very hard to say whether this should be in the background or content script without knowing what it is you are trying to do. That said, in my own extension, I found I was able to pass data between scripts without too much trouble using the browser.local.storage API and the messaging API. Both are well documented here:

One final thing - when I came to submit my extension to AMO, my initial submission was rejected due to use of innerHTML, which is unsafe unless used with fixed strings and can be considered in the same category as exec() or Perl backticks.

As in your case, my uses of innerHTML did not use fixed strings; your code could lead to anything being dumped into the page, including unexpected third-party nastiness. So you’ll need to find some replacement for it, likely based on what you are expecting to find in the clipboard and a DOM-based way of verifying that it is indeed that, whatever it is, and only that, before injecting it into the user’s browser.

Now hopefully someone who knows what they are doing will come along and correct us both on stuff 🙂

OK, for the security issue, would I need to sanitize the contents of the clipboard in some manner?

If so, is there a recommended sanitize library out there? (It looks like JSON.stringify() might do the trick)

Theoretically, this addon would only paste into text boxes, which I would think is more secure. (I’m trying to duplicate bbCodeExtra)
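
An added example (not code from this thread or from bbCodeExtra) of the approach the reply describes: take the clipboard as plain text, check that it is what the tag expects, and write it into the text box through `.value` rather than `innerHTML`. The function names, the `[url]` case and the use of a paste event as the source of the text are assumptions made for illustration.

```javascript
"use strict";
// Added example. Function names are hypothetical; `field` is assumed to be a
// <textarea> or <input type="text">, `event` a standard paste event.

// Take only the text/plain flavour of the clipboard from a paste event.
// Nothing is parsed as HTML, so no helper div or innerHTML read is involved.
function plainTextFromPaste(event) {
  const data = event.clipboardData;
  return data ? data.getData("text/plain") : "";
}

// Check the clipboard against what is expected (here an http(s) URL for a
// [url] tag) instead of trying to scrub arbitrary markup.
function asHttpUrl(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Square brackets would end the BBCode tag early, so refuse them.
  return /[\[\]]/.test(url.href) ? null : url.href;
}

// Replace the field's current selection with `text` through .value, which the
// browser treats as plain text, and leave the caret after the insertion.
function insertAtSelection(field, text) {
  const start = field.selectionStart;
  const end = field.selectionEnd;
  field.value = field.value.slice(0, start) + text + field.value.slice(end);
  field.selectionStart = field.selectionEnd = start + text.length;
  return field.value;
}

// Paste handler body: wrap the selected text in [url=...] using the clipboard
// as the target. Returns false and changes nothing if validation fails.
function pasteAsBbcodeUrl(event, field) {
  const href = asHttpUrl(plainTextFromPaste(event));
  if (href === null) return false;
  const label = field.value.slice(field.selectionStart, field.selectionEnd);
  insertAtSelection(field, "[url=" + href + "]" + (label || href) + "[/url]");
  return true;
}
```

`JSON.stringify()` is a serializer, not a sanitizer: it quotes and escapes a string but leaves any markup in it intact, so checking the clipboard against the expected shape, as above, is the safer route.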