
Near miss on security issue - cross-site scripting in extension window #9

Closed
pruby opened this issue Mar 20, 2018 · 2 comments

Comments


pruby commented Mar 20, 2018

Hello,

I've just quickly reviewed this extension and identified an unsafe pattern in the popup construction. The names of blocked domains are injected into the popup HTML without HTML-encoding them to prevent injection of JavaScript or other HTML content.

I have not identified a working way to exploit this, however any of the following would have resulted in injection of arbitrary HTML into the popup:

  • Any URL scheme which does not use the :// notation being passed to the onBeforeRequest handler, based on the custom URL decoding routine ignoring this possibility.
  • If punycode allowed ASCII characters to be redundantly encoded (I checked, it doesn't seem to).
  • If Chrome passed protocol-relative or other incomplete URLs to the extension (it doesn't).

HTML-encoding content before injecting it into the popup would remove the hazard that such a condition is introduced in future.
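As an added illustration (not code from this extension or from the reporter), the pattern described above placed beside an HTML-encoding renderer, plus a hostname extraction step that relies on the built-in WHATWG `URL` parser rather than a custom decoding routine; all domain names, function names and the popup markup are constructed for the example.

```javascript
// Added example (not the extension's code): the unsafe popup pattern the issue
// describes, next to an HTML-encoding renderer and a URL-parsing step that uses
// the WHATWG URL class instead of a hand-rolled decoder. All sample data is constructed.

// Minimal HTML encoder for text placed in element content or quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hostname extraction: schemes without "://" (mailto:, data:) and unparsable input
// yield an empty hostname rather than an arbitrary fragment of the URL.
function hostnameOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return "";
  }
}

// Unsafe: each domain string is concatenated as markup. Kept only for contrast.
function renderBlockedUnsafe(domains) {
  return "<ul>" + domains.map((d) => `<li>${d}</li>`).join("") + "</ul>";
}

// Safe: every domain is HTML-encoded before it becomes part of the popup HTML.
function renderBlockedSafe(domains) {
  return "<ul>" + domains.map((d) => `<li>${escapeHtml(d)}</li>`).join("") + "</ul>";
}

// Review check: strip the tags the renderer itself emits; any '<' or '>' left over
// came from the data, which is exactly what HTML-encoding must prevent.
function hasStrayMarkup(html) {
  return /[<>]/.test(html.replace(/<\/?(ul|li)>/g, ""));
}

// Constructed inputs: two ordinary hostnames and one string carrying tag characters,
// standing in for whatever an unanticipated URL shape might hand to the popup.
const SAMPLE_DOMAINS = ["ads.example.com", "tracker.example.net", "<b>odd</b>.example"];

console.log(hostnameOf("https://ads.example.com/pixel.gif")); // ads.example.com
console.log(JSON.stringify(hostnameOf("mailto:user@example.com"))); // ""
console.log(renderBlockedUnsafe(SAMPLE_DOMAINS), hasStrayMarkup(renderBlockedUnsafe(SAMPLE_DOMAINS))); // ... true
console.log(renderBlockedSafe(SAMPLE_DOMAINS), hasStrayMarkup(renderBlockedSafe(SAMPLE_DOMAINS))); // ... false
```

In a real popup, building the list with `document.createElement` and `textContent` achieves the same separation of data from markup without string encoding.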

@AykutCevik (Owner)

Thank you for the submission @pruby. I will work on a fix for that.

@Gitoffthelawn

I noticed the fix does not HTML-encode the content. Is the fix sufficient?
