Commit graph

4931 commits

Author SHA1 Message Date
Imre Eilertsen
7e239db9a8
Added AdGuard's 2 newest !#if tokens. (#3938) 2025-05-13 12:38:33 -04:00
Raymond Hill
8cd6212867
Use custom blank page for embedded iframe in dashboard
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3631#issuecomment-2870424577
2025-05-12 07:48:42 -04:00
Raymond Hill
e3a3026cac
Use custom blank page for embedded iframe in dashboard
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3631#issuecomment-2870424577
2025-05-12 07:46:33 -04:00
Raymond Hill
2e7d0a07e7
[mv3] Add TODO comment 2025-05-11 10:36:21 -04:00
Raymond Hill
5c029b3532
Use color-scheme meta tag as suggested
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3631
2025-05-11 10:17:17 -04:00
Raymond Hill
3650117b4f
Fix background color of navigation bar
Related commit:
b604524c2f
2025-05-11 09:41:34 -04:00
Raymond Hill
b604524c2f
Explicitly set background color according to state of prefers-color-scheme
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3631
2025-05-11 09:30:34 -04:00
Raymond Hill
3292f128d2
[mv3] Mind discarded regex- or path-based entries when determining genericity
Related issue:
https://github.com/uBlockOrigin/uAssets/issues/28260
2025-05-11 07:32:32 -04:00
Raymond Hill
df9cd6c9a2
Import translation work from https://crowdin.com/project/ublock 2025-05-08 10:09:03 -04:00
Raymond Hill
3f59f94b60
Bring zapper look in line with uBO Lite's zapper 2025-05-02 08:56:30 -04:00
Raymond Hill
ea0c400c51
Revert "Allow user to change CodeMirror input style in "My filters""
This reverts commit cf7777e9fd.
2025-05-02 08:43:47 -04:00
Raymond Hill
1d1490523d
[mv3] Fix incorrect DNR priority for redirect/important filters 2025-04-30 08:50:45 -04:00
Raymond Hill
8df96e4718
Fix regression in parsing of AG's [domain=...] syntax
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/issues/3235#issuecomment-2836674712

Related commit:
8b696a691a (diff-848f3a5c8459fe07d1c65764e30b7c9471be77f9e9574674442319b831138024)
2025-04-28 17:43:44 -04:00
Raymond Hill
c2eee87029
Import translation work from https://crowdin.com/project/ublock 2025-04-27 10:55:12 -04:00
Raymond Hill
cf7777e9fd
Allow user to change CodeMirror input style in "My filters"
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3613
2025-04-27 10:50:21 -04:00
Raymond Hill
0e5dec7fbb
[mv3] Separate EasyList, EasyPrivacy, PGL lists from uBlock filters
Additionally, remember `badfilter` filters across conversion of
filter lists to DNR rulesets.
2025-04-24 09:58:31 -04:00
Raymond Hill
59f4aca010
Exclude chrome: as valid openers for popup candidates
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2227
2025-04-22 09:34:26 -04:00
Raymond Hill
8b964a8c54
Fetch diff patches from "reliable" servers only
Some CDN servers take too long to mirror updated resources,
potentially preventing diff-updating to work reliably as
intended.
2025-04-21 15:42:04 -04:00
Raymond Hill
8a14a8dc6b
Import translation work from https://crowdin.com/project/ublock 2025-04-19 14:02:32 -04:00
Raymond Hill
b5651417aa
[mv3] Merge Safari branch
Safari version of uBO Lite can now be built from master branch.

Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/327
2025-04-19 13:08:59 -04:00
Raymond Hill
eaedaf5b10
Fix regexes with potential catastrophic backtracking
The quoted email below was sent to ubo-security at raymondhill dot net:

=====
Dear Raymond,

I am writing to report a potential Regular Expression Denial of Service (ReDoS)
vulnerability in the 1p-filters.js script of uBlock Origin. The vulnerability
occurs due to the use of the regular expression /\s+$/, which is used to remove
trailing whitespace. This issue can lead to a denial of service when processing
strings with a large number of trailing spaces, potentially causing a browser to
freeze.

Affected file(s)

    js/1p-filters.js

Vulnerable pattern(s)

    Lines 131 and 167: /\s+$/

Description of the issue

The regular expression /\s+$/ is applied to remove trailing whitespace in user‑
provided content. However, when the content has a large number of spaces
(e.g., ~100,000), this pattern causes excessive backtracking in the regular
expression engine, resulting in performance degradation and UI freezing. This is
a classic ReDoS attack vector.

Steps to reproduce

1. Open the uBlock Origin dashboard and navigate to the My filters tab.
2. Run the following code in the browser's DevTools Console or as a bookmarklet.
3. Observe the UI freezing for several seconds or even longer, depending on the
   number of spaces used.

PoC (Proof of Concept)

/**
 * poc.js — triggers ReDoS in 1p-filters.js
 * Expected: <1 ms; Actual: several seconds – UI freeze
 */
(() => {
  const payload = " ".repeat(100000) + "!";  // 100,000 spaces + sentinel
  const run = () => {
    if (!window.cmEditor) {
      console.error("cmEditor not ready");
      return;
    }
    // Inject payload into the editor
    cmEditor.setValue(payload);

    console.time("ReDoS");
    // Call the vulnerable function (mirroring getEditorText)
    cmEditor.getValue().replace(/\s+$/, '');
    // Alternatively, simulate a realistic user flow:
    // document.querySelector('#userFiltersApply').click();
    console.timeEnd("ReDoS");
  };

  if (document.readyState === "complete") {
    run();
  } else {
    window.addEventListener("load", run, { once: true });
  }
})();

Impact

This issue can significantly degrade the user experience, causing the page to
become unresponsive. If an attacker can inject this malicious string into the
page (for example, through XSS or other attacks), it could lead to a denial of
service (DoS). This vulnerability can be triggered repeatedly, causing the
browser to hang indefinitely.

Suggested fix

The issue can be mitigated by replacing /\s+$/ with a more efficient solution,
such as a look‑behind assertion /(?<=\S)\s+$/ (available in modern browsers)
which ensures no backtracking occurs, or using trimEnd() for legacy support:

// Example of using look-behind:
cmEditor.setValue(text.replace(/(?<=\S)\s+$/, '') + '\n\n');

// Alternatively, using trimEnd():
cmEditor.setValue(text.trimEnd() + '\n\n');

Additional information

If required, I am happy to assist in testing or provide more information.
Please feel free to contact me for further clarification.

Best regards,
[redacted]
=====
2025-04-15 12:47:02 -04:00
Raymond Hill
9bf05023c1
Import translation work from https://crowdin.com/project/ublock 2025-04-13 09:16:54 -04:00
Raymond Hill
f51a4c79db
[mv3] Determine "genericity" on a per-cosmetic filter basis
Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/328
2025-04-13 09:02:12 -04:00
Raymond Hill
cac420a22d
Rename trusted-create-element to trusted-create-html
To avoid confusion with AG's own `trusted-create-element`, which has
a different syntax and a different purpose.
2025-04-13 07:34:36 -04:00
Raymond Hill
c15dc9d8ff
Fix scrollbars not following dark theme
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3604
2025-04-12 15:51:36 -04:00
Raymond Hill
dfd42ebf5f
Improve noscript spoofing
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2642
2025-04-12 15:20:18 -04:00
Raymond Hill
20dd606504
Add trusted-create-element scriptlet
As discussed with filter list maintainers.

* @scriptlet trusted-create-element
*
* @description
* Element(s) from a parsed HTML string are added as child element(s) to a
* specific parent element in the DOM.
*
* @param parent
* A CSS selector identifying the element to which created element(s) will be
* added.
*
* @param html
* An HTML string to be parsed using DOMParser, and which resulting elements
* are to be added as child element(s).
*
* @param duration
* Optional. If specified, the time in ms after which the added elements will
* be removed. No removal will occur if not specified.
2025-04-12 10:51:50 -04:00
Raymond Hill
ad2add4676
Code review 2025-04-12 08:08:12 -04:00
Raymond Hill
f25a437fd1
Code review re. scriptlets lookup
Possibly fixes a race condition at browser launch causing empty
scriptlets to be injected (and cached).
2025-04-11 18:20:51 -04:00
Raymond Hill
11e159fd31
[mv3] Discard regex- or path-based targets in static extended filters
There is no support yet for such filters in uBO Lite.
2025-04-11 09:49:03 -04:00
Raymond Hill
15e832da8a
Mind potential race condition when dynamically registering scriptlets
In Firefox, scriptlets are dynamically registered as content scripts
to ensure they execute in a timely manner.

The race condition could lead to scriptlet injection failing at
browser launch time in Firefox when the setting "Suspend network
activity until all filter lists are loaded" had been disabled[1],
even after forcing a page reload. Causing the filter lists to
reload would make the issue go away.

[1] Default is enabled in Firefox and it is strongly advised to NOT
    change this.
2025-04-11 09:35:38 -04:00
Raymond Hill
d0e303ca19
Fix regression in response header filtering
Related commit:
8b696a691a
2025-04-10 07:32:09 -04:00
Raymond Hill
9029d1d715
Fix regression in categorizing highly generic filters at load time
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/issues/3235#issuecomment-2790807915

Regression from:
8b696a691a
2025-04-09 18:23:01 -04:00
Raymond Hill
0fdcd44794
Import translation work from https://crowdin.com/project/ublock 2025-04-09 15:29:26 -04:00
Raymond Hill
f6f7333b5d
Code review for recent commit re path support in target
Related commit:
8b696a691a

1) There will always be a `/` at that point in the code path
2) The hostname will already be a match in that code path
2025-04-08 19:01:43 -04:00
Raymond Hill
eb7f23b173
Fix silly test
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/discussions/1755#discussioncomment-12769044

Related commit:
8b696a691a
2025-04-08 15:42:00 -04:00
Raymond Hill
2bb6999e3f
Fix undue unchecking of setting in "My filters"
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/discussions/2895#discussioncomment-12749154
2025-04-08 13:49:41 -04:00
Raymond Hill
8b696a691a
Add path support as target option in static extended filtering
Support for paths allows to narrow down specific static extended
filters to specific webpages on a given site.

Examples of usage:

example.com/toto##h1
/example\.com\/toto\d+/#@#h1
2025-04-08 11:20:27 -04:00
Raymond Hill
6b9968d804
Add logging information re. fetched assets 2025-04-03 12:11:57 -04:00
Raymond Hill
4ce26b63ff
Add trusted-prevent-fetch scriptlet
Related feedback:
https://github.com/uBlockOrigin/uBlock-discussions/discussions/915#discussioncomment-12077068
2025-04-03 11:59:00 -04:00
Raymond Hill
8632cd6072
Fix typo causing regression in uritransform=
Related feedback:
https://github.com/uBlockOrigin/uAssets/discussions/27802
2025-03-30 16:56:04 -04:00
Raymond Hill
9adedbc30e
Remove the need for parethesis for JSONPath filter selectors
As per official proposed standard:
https://www.rfc-editor.org/rfc/rfc9535.html#name-filter-selector
2025-03-30 13:57:04 -04:00
Raymond Hill
5587111d21
Add support for union syntax in JSONPath
This immediately useful to list maintainers.

Related commits:
- https://github.com/gorhill/uBlock/commit/d5fd1de150
- https://github.com/gorhill/uBlock/commit/b18daa53aa
- https://github.com/gorhill/uBlock/commit/caa25cdaf3
2025-03-30 12:36:37 -04:00
Raymond Hill
97e740bd2c
Code viewer shouldn't be maximizable
Related feedback:
https://github.com/uBlockOrigin/uBlock-issues/issues/3161#issuecomment-2764549781
2025-03-30 09:34:22 -04:00
Raymond Hill
b381ceda72
Mind other old constructs for scriptlets
Related feedback:
https://old.reddit.com/r/uBlockOrigin/comments/1jmcqhn/

Related commit:
https://github.com/gorhill/uBlock/commit/44c038b9a1
2025-03-29 09:54:41 -04:00
Raymond Hill
44c038b9a1
Fix for old scriptlet syntax
Related feedback:
https://old.reddit.com/r/uBlockOrigin/comments/1jmcqhn/
2025-03-29 09:06:07 -04:00
Raymond Hill
564f3f3442
English 2025-03-28 10:24:21 -04:00
Raymond Hill
caa25cdaf3
Add minimal in-code documentation for JSONPath 2025-03-28 10:20:21 -04:00
Raymond Hill
b18daa53aa
Add json-edit suite of scriptlets; extend replace= option
Scriptlets added:
- json-edit
- trusted-json-edit
- json-edit-xhr-response
- trusted-json-edit-xhr-response
- json-edit-fetch-response
- trusted-json-edit-fetch-response
- jsonl-edit-xhr-response
- trusted-jsonl-edit-xhr-response
- jsonl-edit-fetch-response
- trusted-jsonl-edit-fetch-response

These scriptlets are functionally similar to their `json-prune` counterpart,
except that they all use the new uBO-flavored JSONPath syntax, and the
`trusted-` versions allow to modify values instead of just removing them.

The `replace=` filter option has been extended to support applying
uBO-flavored JSONPath syntax to the response body. If the `replace=`
value starts with `json:` or `jsonl:`, the remaining of the value will
be interpreted as a JSONPath directive, which can be used to either
remove or modify property in a JSON document.
2025-03-28 09:51:38 -04:00
Raymond Hill
1ce00e4fda
Import translation work from https://crowdin.com/project/ublock 2025-03-27 22:51:48 -04:00