diff options
Diffstat (limited to 'content')
-rw-r--r-- | content/policy_enforcing.js | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js index f6f4081..0bbe3c6 100644 --- a/content/policy_enforcing.js +++ b/content/policy_enforcing.js @@ -174,9 +174,11 @@ function sanitize_element_urls(element) { let some_attr_blocked = false; - for (const attr of [...element.attributes || []] - .filter(attr => /^(href|src|data)$/i.test(attr.localName)) - .filter(attr => bad_url_reg.test(attr.value))) { + const bad_attrs = [...(element.attributes || [])] + .filter(attr => /^(href|src|data)$/i.test(attr.localName)) + .filter(attr => bad_url_reg.test(attr.value)); + + for (const attr of bad_attrs) { /* * Under some browsers (Mozilla) removing attributes doesn't stop their * javascript from executing, but replacing them does. For 'src' and |