All geek questions in one place

How to install the XUL key dynamically and reliably?

I am trying to create a key element dynamically for my boot plugin. I am currently creating a keyset element and adding it to document.getElementById('mainKeyset').parentNode using appendChild() , and then creating a key element ( myKey ) and adding it to keyset . I set the key id , modifiers and key attributes, and then myKey.addEventListener('command', function() {myFunction()}); to add a function to key . After that, I can successfully call myFunction() by doing myKey.doCommand() . However, when I click the modifiers and the key assigned in the key attributes, nothing happens.

I am trying to avoid setting the command and oncommand attributes because I know there is a security problem when setting oncommand dynamically, but maybe I need to use them somehow? I saw that he stated that the key cannot work without the oncommand command or command, so it may not be possible to create the key dynamically without installing one of them. My event listener works if I set oncommand to "void (0);" (following the example below here ). However, I don't know if something like this can go through the approval process for expanding the version of Mozilla.

+4
source share
1 answer

The statement about <key> elements requiring either the command attribute or oncommand is correct. Considering the code that runs the key handlers , it has an optimization that will ignore any <key> element that is either disabled or has neither the command nor the oncommand attribute, so the command event will not fire for these elements. I solve this by adding the oncommand attribute of the dummy text containing the JavaScript comment:

 key.setAttribute("oncommand", "//");

But void(0); great as attribute value, of course.

There will be no problem considering this. The potential security issue you heard about generates a dynamic oncommand value, for example:

 key.setAttribute("oncommand", "foo('" + bar + "')");

Depending on the value of bar (and especially when bar comes from a website) this can be very dangerous. However, you do not generate the attribute value dynamically; it is always void(0); in your case - so there are no problems.

+2
source

Source: https://habr.com/ru/post/1483022/

More articles:


All Articles