A toggle for svg

Bug reports and enhancement requests
Post Reply
informak98
Posts: 2
Joined: Fri Sep 10, 2021 9:37 pm

A toggle for svg

Post by informak98 » Fri Sep 10, 2021 9:41 pm

Is there a way to allowing enable/disable svg with noscript. I ask because it would be very useful in Tor browser in safest setting instead of changing safety setting we could use noscript to enable svg graphics for trusted sites.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

barbaz
Senior Member
Posts: 10060
Joined: Sat Aug 03, 2013 5:45 pm

Re: A toggle for svg

Post by barbaz » Sat Sep 11, 2021 12:59 am

This is not currently a feature of NoScript. What security threat would this protect against?
*Always* check the changelogs BEFORE updating that important software!
-

informak98
Posts: 2
Joined: Fri Sep 10, 2021 9:37 pm

Re: A toggle for svg

Post by informak98 » Sat Sep 11, 2021 5:40 am

XSS attacks (which noscript already solves), HTML injection, Billion Laughs Attacks, DOS attacks, etc.
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Asphyx
Posts: 14
Joined: Mon Oct 04, 2021 8:40 am

Re: A toggle for svg

Post by Asphyx » Mon Oct 25, 2021 9:27 am

I wrote a Userscript for a button to toggle SVG. Works fine but unfortunally, Torbrowser bundles this setting with NoScript-settings. When switch off SVG, all individual NoScript-settings are removed. :-(

Code: Select all

// buttonToggleSVG.uc.js

(function() {
   if (location != 'chrome://browser/content/browser.xhtml')
      return;
   try {
      CustomizableUI.createWidget({
         id: 'toolbar-button-svg',
         type: 'custom',
         defaultArea: CustomizableUI.AREA_NAVBAR,
         onBuild: function(aDocument) {
            var button = aDocument.createElementNS('http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul', 'toolbarbutton');
            var attributes = {
               id: 'toolbar-button-svg',
               class: 'toolbarbutton-1 chromeclass-toolbar-additional',
               removable: 'true',
               label: 'SVG ein-/ausschalten',             
               tooltiptext: Services.prefs.getBoolPref('svg.disabled') ?
                  'SVG ist ausgeschaltet' : 'SVG ist eingeschaltet',
               oncommand: '(' + onCommand.toString() + ')()'
            };
            for (var a in attributes) {
               button.setAttribute(a, attributes[a]);
            };
            function onCommand() {
               var isEnabled = !Services.prefs.getBoolPref('svg.disabled');
               Services.prefs.setBoolPref('svg.disabled', isEnabled);
               var windows = Services.wm.getEnumerator('navigator:browser');
               while (windows.hasMoreElements()) {
                  let button = windows.getNext().document.getElementById('toolbar-button-svg');
                  button.setAttribute('tooltiptext', isEnabled ? 'SVG ist ausgeschaltet' : 'SVG ist eingeschaltet')
               };
            };
            return button;
         }
      });
   } catch(e) { };

   var css =
      '#toolbar-button-svg[tooltiptext="SVG ist ausgeschaltet"] {list-style-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQBAMAAADt3eJSAAAAMFBMVEX8Bgf8jY78UVD819j8Ly/8cXH8sbD8/fsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgFoczAAAACXBIWXMAAAsSAAALEgHS3X78AAAAm0lEQVQIHQGQAG//AHd3d3d3d3d3AHEENFcwM0AXADAAEidgdAAHABASFUcUMEUHAFR3YQdSEDdnAFA3dgclVHd3ABAFcwNBJHEXADAAZwYGIjADAHYAV0UDJDADAHcwJyQHVHMDABdyV1BHEDMDACIQFxAnMEUDACAAN2BXdAADADQBdzAXc0AXAHd3d3d3d3d3AHd3d3d3d3d3al0faWEjzO4AAAAASUVORK5CYII=");}' +
      '#toolbar-button-svg[tooltiptext="SVG ist eingeschaltet"] {list-style-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQBAMAAADt3eJSAAAAMFBMVEUH/geO/o5Q/lDU/tQv/i+w/rBx/nH5/vkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACA6l3BAAAACXBIWXMAAAsSAAALEgHS3X78AAAAm0lEQVQIHQGQAG//AHd3d3d3d3d3AHEENGcwM0QXADAAEidQdAAHABASFkcUMEYHAGR3UQdiEDdXAGA3dQcmZHd3ABAGcwNBJHEXADAAVwUFIjADAHUAZ0YDJDADAHc0JyQHZHMDABdyZ2BHEDMDACIQFxAnMEYDACAAN1BndAADADQBdzAXc0AXAHd3d3d3d3d3AHd3d3d3d3d3hDEfwz+POEwAAAAASUVORK5CYII=");}';	  
   var stylesheet = document.createProcessingInstruction('xml-stylesheet', 'type="text/css" href="data:text/css;utf-8,' + encodeURIComponent(css) + '"');
   document.insertBefore(stylesheet, document.documentElement);
})();
Last edited by barbaz on Tue Nov 30, 2021 12:02 am, edited 1 time in total.
Reason: Add user script as sent by PM
--
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

barbaz
Senior Member
Posts: 10060
Joined: Sat Aug 03, 2013 5:45 pm

Re: A toggle for svg

Post by barbaz » Sun Nov 28, 2021 2:50 pm

Asphyx wrote:
Mon Oct 25, 2021 9:27 am
PS. Tried to insert the script here, but: "Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry."
You could private message it to an active Support Team member and we can try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.
*Always* check the changelogs BEFORE updating that important software!
-

Asphyx
Posts: 14
Joined: Mon Oct 04, 2021 8:40 am

Re: A toggle for svg

Post by Asphyx » Mon Nov 29, 2021 9:08 pm

As written in the other thread, I found a solution:
user_pref("extensions.torbutton.noscript_persist", true);

I'll send you the script for SVG
--
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Post Reply