Merge branch 'release/v3.0.3'

* release/v3.0.3:
  3.0.3
  Attempt to fix potential content page console.log code execution/injection
  Fix internal/allowed tab url checks
  Add trace logging level

DEVELOP.md

@@ -76,7 +76,8 @@ npm run --silent rebuild
   - Inspect the Talkie background page view to see console output.
 - It is possible to coarsely adjust the console logging level.
   - In the background page console, enter one of these logging level commands:
-    - `this.setLoggingLevel("DEBG");` (maximum logging, default for developers)
+    - `this.setLoggingLevel("TRAC");` (maximum logging)
+    - `this.setLoggingLevel("DEBG");` (default for developers)
     - `this.setLoggingLevel("INFO");`
     - `this.setLoggingLevel("WARN");` (default for normal usage)
     - `this.setLoggingLevel("ERRO");`

manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 2,
-  "version": "3.0.2",
-  "version_name": "v3.0.2 Free (2017-04-30)",
+  "version": "3.0.3",
+  "version_name": "v3.0.3 Free (2017-05-02)",
   "applications": {
     "gecko": {
       "strict_min_version": "52.0"

package.json

@@ -1,7 +1,7 @@
 {
   "name": "talkie",
   "private": true,
-  "version": "3.0.2",
+  "version": "3.0.3",
   "description": "Text-to-speech (TTS) browser extension button.",
   "scripts": {
     "clean": "rimraf package/ && rimraf dist/ && rimraf web-ext-artifacts/ && rimraf lib/ && rimraf _locales/*/*.json~  _locales/*/messages.json  _locales/*/messages.premium.json",

src/background/background.js

@@ -24,6 +24,7 @@ import {
 } from "../shared/promise";
 
 import {
+    logTrace,
     logDebug,
     logInfo,
     logWarn,
@@ -298,6 +299,7 @@ function main() {
         .then(() => {
             window.broadcaster = () => broadcaster;
 
+            window.logTrace = (...args) => logTrace(...args);
             window.logDebug = (...args) => logDebug(...args);
             window.logInfo = (...args) => logInfo(...args);
             window.logWarn = (...args) => logWarn(...args);

src/frontend/dual-log.js

@@ -19,6 +19,7 @@ along with Talkie.  If not, see <https://www.gnu.org/licenses/>.
 */
 
 import {
+    logTrace,
     logDebug,
     logInfo,
     logWarn,
@@ -33,6 +34,7 @@ export default class DualLogger {
     constructor(localScriptName) {
         this.localScriptName = localScriptName;
 
+        this.dualLogTrace = this._generateLogger(logTrace, "logTrace");
         this.dualLogDebug = this._generateLogger(logDebug, "logDebug");
         this.dualLogInfo = this._generateLogger(logInfo, "logInfo");
         this.dualLogWarn = this._generateLogger(logWarn, "logWarn");

src/shared/broadcaster.js

@@ -19,7 +19,7 @@ along with Talkie.  If not, see <https://www.gnu.org/licenses/>.
 */
 
 import {
-    logDebug,
+    logTrace,
     logWarn,
     logError,
 } from "../shared/log";
@@ -114,12 +114,12 @@ export default class Broadcaster {
                     // NOTE: there was no matching action registered.
                     // throw new Error("There was no matching action: " + actionName);
 
-                    // logDebug("Skipping", "Sending message", actionName, actionData);
+                    logTrace("Skipping", "Sending message", actionName, actionData);
 
                     return undefined;
                 }
 
-                logDebug("Start", "Sending message", actionName, actionData);
+                logTrace("Start", "Sending message", actionName, actionData);
 
                 const listeningActionPromises = listeningActions.map((listeningAction) => {
                     return promiseTry(
@@ -148,7 +148,7 @@ export default class Broadcaster {
                         return undefined;
                     })
                     .then(() => {
-                        logDebug("Start", "Sending message", actionName, actionData);
+                        logTrace("Done", "Sending message", actionName, actionData);
 
                         return undefined;
                     })

src/shared/content-logger.js

@@ -21,7 +21,6 @@ along with Talkie.  If not, see <https://www.gnu.org/licenses/>.
 import {
     logInfo,
     logWarn,
-    variableToSafeConsoleLogString,
 } from "../shared/log";
 
 import {
@@ -37,17 +36,6 @@ export default class ContentLogger {
         this.executeLogToPageWithColorCode = "(function(){ try { console.log(%a); } catch (error) { console.error('Talkie', 'logToPageWithColor', error); } }());";
     }
 
-    _variableToSafeConsoleLogString(value) {
-        const str = variableToSafeConsoleLogString(value);
-
-        const friendlyStr = str
-            // NOTE: escaping for passing the string to be executed in the page content context.
-            .replace(/\\/g, "\\\\")
-            .replace(/\\\\"/g, "\\\"");
-
-        return friendlyStr;
-    }
-
     logToPage(...args) {
         return promiseTry(
             () => {
@@ -56,10 +44,9 @@ export default class ContentLogger {
                 const logValues = [
                     now,
                     this.configuration.extensionShortName,
-                    ...args.map((arg) => this._variableToSafeConsoleLogString(arg)),
+                    ...args,
                 ]
-                    // NOTE: quote each console.log() argument.
-                    .map((arg) => `"${arg}"`)
+                    .map((arg) => JSON.stringify(arg))
                     .join(", ");
 
                 const code = this.executeLogToPageCode.replace("%a", logValues);
@@ -85,13 +72,17 @@ export default class ContentLogger {
                 const now = new Date().toISOString();
 
                 // NOTE: create one long console.log() string argument, then add the color argument second.
-                const logValues = "\"" + [
+                const logValuesArrayAsString = [
                     now,
                     this.configuration.extensionShortName,
                     "%c",
-                    ...args.map((arg) => this._variableToSafeConsoleLogString(arg)),
+                    ...args,
                 ]
-                    .join(" ") + " " + "\", \"background: #007F41; color: #FFFFFF; padding: 0.3em;\"";
+                    .join(" ");
+
+                const logValues = JSON.stringify(logValuesArrayAsString)
+                    + ", "
+                    + JSON.stringify("background: #007F41; color: #FFFFFF; padding: 0.3em;");
 
                 const code = this.executeLogToPageWithColorCode.replace("%a", logValues);
 

src/shared/log.js

@@ -20,58 +20,13 @@ along with Talkie.  If not, see <https://www.gnu.org/licenses/>.
 
 const extensionShortName = browser.i18n.getMessage("extensionShortName");
 
-export const _variableToSafeConsoleLogStringReplacer = (/* eslint-disable no-unused-vars */key/* eslint-enable no-unused-vars */, value) => {
-    // NOTE: want to display if undefined was passed.
-    if (typeof value === "undefined") {
-        return "undefined";
-    }
-
-    // NOTE: want to display if a function was passed.
-    if (typeof value === "function") {
-        return "function";
-    }
-
-    // NOTE: should take care of all other cases best as it can.
-    // https://github.com/joelpurra/talkie/issues/6
-    return value;
-};
-
-export const variableToSafeConsoleLogString = (value) => {
-    // NOTE: want to display if undefined was passed.
-    if (typeof value === "undefined") {
-        return "undefined";
-    }
-
-    // NOTE: want to display if a function was passed.
-    if (typeof value === "function") {
-        return "function";
-    }
-
-    // NOTE: should take care of all other cases best as it can.
-    // https://github.com/joelpurra/talkie/issues/6
-    const json = JSON.stringify(value, _variableToSafeConsoleLogStringReplacer);
-
-    const friendlyJson = json
-        // NOTE: don't double-quote standalone strings, just to make output prettier.
-        .replace(/^"/, "")
-        .replace(/"$/, "")
-        // NOTE: line separator and paragraph separator encoding.
-        // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#Issue_with_plain_JSON.stringify_for_use_as_JavaScript
-        .replace(/\u2028/g, "\\u2028")
-        .replace(/\u2029/g, "\\u2029")
-        // NOTE: there should be no newlines in the JSON, so this might be unncessary.
-        .replace(/\n/g, "\\\\n")
-        .replace(/\r/g, "\\\\r");
-
-    return friendlyJson;
-};
-
 // https://stackoverflow.com/questions/12830649/check-if-chrome-extension-installed-in-unpacked-mode
 // http://stackoverflow.com/a/20227975
 const isDevMode = () => !("update_url" in browser.runtime.getManifest());
 
 // NOTE: 0, 1, ...
 const loggingLevels = [
+    "TRAC",
     "DEBG",
     "INFO",
     "WARN",
@@ -145,8 +100,7 @@ const generateLogger = (loggingLevelName, consoleFunctioName) => {
             // NOTE: for chrome command line console debugging.
             // NOTE: has to be an array.
             loggingArgs = [
-                loggingArgs.map((loggingArg) => variableToSafeConsoleLogString(loggingArg))
-                    .join(" "),
+                JSON.stringify(loggingArgs),
             ];
         }
 
@@ -158,6 +112,7 @@ const generateLogger = (loggingLevelName, consoleFunctioName) => {
     return logger;
 };
 
+export const logTrace = generateLogger("TRAC", "log");
 export const logDebug = generateLogger("DEBG", "log");
 export const logInfo = generateLogger("INFO", "info");
 export const logWarn = generateLogger("WARN", "warn");

src/shared/tabs.js

@@ -83,19 +83,21 @@ export const isCurrentPageInternalToTalkie = () => promiseTry(
             if (tab) {
                 const url = tab.url;
 
-                if (typeof url === "string" && url.length > 0) {
-                    if (url.startsWith("chrome-extension://") && url.endsWith("/src/popup.html")) {
-                        return true;
-                    }
-
-                    return false;
+                if (
+                    typeof url === "string"
+                    && (
+                        url.startsWith(browser.runtime.getURL("/src/popup/popup.html"))
+                        || url.startsWith(browser.runtime.getURL("/src/options/options.html"))
+                        || url.startsWith(browser.runtime.getURL("/src/stay-alive/stay-alive.html"))
+                    )
+                ) {
+                    return true;
                 }
 
                 return false;
             }
 
-            // NOTE: no active tab probably means it's a very special page.
-            return true;
+            return false;
         })
 );
 
@@ -132,32 +134,28 @@ export const canTalkieRunInTab = () => promiseTry(
             if (tab) {
                 const url = tab.url;
 
-                if (typeof url === "string" && url.length > 0) {
-                    if (url.startsWith("chrome://")) {
-                        return false;
-                    }
-
-                    if (url.startsWith("vivaldi://")) {
-                        return false;
-                    }
-
-                    if (url.startsWith("chrome-extension://")) {
-                        return false;
-                    }
-
-                    if (url.startsWith("https://chrome.google.com/")) {
-                        return false;
-                    }
-
-                    if (url.startsWith("https://addons.mozilla.org/")) {
-                        return false;
-                    }
-
-                    if (url.startsWith("about:")) {
-                        return false;
+                if (typeof url === "string") {
+                    if (
+                        (
+                            // NOTE: whitelisting schemes.
+                            // TODO: can the list be extended?
+                            url.startsWith("http://")
+                            || url.startsWith("https://")
+                            || url.startsWith("ftp://")
+                            || url.startsWith("file:")
+                        )
+                        && !(
+                            // NOTE: blacklisting known (per-browser store) urls.
+                            // TODO: should the list be extended?
+                            // TODO: move to configuration.
+                            url.startsWith("https://chrome.google.com/")
+                            || url.startsWith("https://addons.mozilla.org/")
+                        )
+                    ) {
+                        return true;
                     }
 
-                    return true;
+                    return false;
                 }
 
                 return false;