[Greasemonkey] global storage script and security inquiry

Bill Donnelly donnelly at snowcrest.net
Fri Sep 2 22:25:14 EDT 2005


  I needed some "global storage" that persists across page reloads and
web sites for bookmarklet use, so I created a script that gives access
to the *GM_getValue() and GM_setValue()* functions. I don't know if
this is "bad", or not, security-wise, but I don't think it is. Let me know
if I've missed anything. Just in case, I'll allow each person to name the
functions their own names, rather than have them be known, so people
have less of a chance to "grab" them, or anything like that. Below is the
"script template", if you will. Just choose your own function names in
place of the *~GM~GS~Get~* and *~GM~GS~Set~* names.

I was also wondering, is the *GM_xmlhttpRequest* access the only real
security problem that Gm opens to the world?

That is, if that function and its functionality is the only real thing to worry
about someone grabbing control of to cause any type of bad thing to occur
on someone's computer, then I request that there be a way to turn it off.
A pref to disable that function's use. I don't use any scripts that use that
function, and I don't plan to, so I would like that anyway. It should just
pop up an alert that that function call was attempted.

Other than that, Gm has the same "security issues" that regular /
non-Gm Javascript has, doesn't it?

Here is a bookmarklet I use these functions in. (as an example) It remembers a
regular expression that it offers as a default in a JS confirm() function call.
The Bm uses the user-supplied regex to grab image URLs from the
currently displayed page document and creates a document displaying all
of those images. I'll use it for other Bms, too. And maybe for GmScript /
bookmarklet 'communication' and data transfer and exchange.

Eventually I'll make these available on my site. Right now they are in
alpha-beta test mode until I'm sure they are "okay", and such.

btw -- Since some GmScripts aren't being executed due to the problems
in Gm 0.5.2, I have temporarily gotten around the problem by turning
some of my most used and needed scripts into bookmarklets so I can
at least execute them manually when I need to. It's a good work-around.

------------------------------------------------------------------------

javascript:/* show regex URL images */ (function(){
function II(uu){var tt=uu.split('.'),ee=tt[tt.length-1].toLowerCase();
return {gif:1,jpg:1,jpeg:1,png:1,mng:1,bmp:1}[ee]}
function hE(ss){return ss.replace(/&/g,'&amp;').replace(/>/g,'&gt;').
replace(/</g,'&lt;').replace(/%22/g,'&quot;')}
try{srUi_def= *~GM~GS~Get~* 
(%22srUi_def%22,%22http://www.domain.tld/dir/.+\\.jpg%22);
var sIregex=prompt('Enter image URL regex:',srUi_def);
if(sIregex!==null){ *~GM~GS~Set~* (%22srUi_def%22,sIregex);var qq, ww;
if(frames.length>=2&&window.document.body.innerHTML.search(/<iframe/)==-1)
ww=frames[1];else ww=window;var rr=new RegExp(sIregex, 'gi');
hh=ww.document.getElementsByTagName('head')[0].innerHTML+ww.document.body.innerHTML;
var uu=hh.match(rr);if(uu===null){alert(%22No URL's found.%22)}
else{var ll=uu.length;try{var bu=ww.location.href.match(/(^.+\/\/.+\/).*$/)[1]}
catch(eErr){bu=ww.location.href;if(bu.substr(bu.length-1)!=%22/%22)
bu=bu+%22/%22}var thedoc='<html><head><title>Show regex URL Images</title>
<base href=%22'+bu+'%22></head><body bgColor=%22black%22 text=%22white%22
 onLoad=%22setTimeout(\'focus()\',200)%22><p>&nbsp;</p><p>'+ll+
' regex URL\'s found in '+hE(ww.location.href)+':</p>
<div style=%22cursor: pointer; position: fixed; height: 22px; width: 57px;
 top: 7px; left: 400px; color: #000; background-color: #b9dfbb;
 text-align: center; font: button 14px/16px sans-serif;
 border: 1px outset #5bb560;%22
 onClick=%22window.close()%22>Close</div><hr>';
var ic=0;for(var ii=0;qq=uu[ii],ii<ll;++ii){if(((ii&63)==63)?
(confirm((ii+1)+' links processed out of '+ll+'\r\nContinue?')):true){
if(II(qq)){thedoc+='<p>'+' ('+hE(qq)+')<br><img src=%22'+hE(qq)+
'%22 border=1>';++ic}}else{ii=ll}}var zz=ww.open().document;
zz.write(thedoc+'<hr><p>'+ic+' regex URL images displayed out of '+ll+
' URL\'s from '+hE(ww.location.href)+'</p></body></html>');
zz.close()}}}catch(eErr){alert(%22Unexpected error in 'show regex URL images'
 bookmarklet: %22+eErr)}})()

------------------------------------------------------------------------

/*
   globalstore.user.js

   Greasemonkey user script.

   Author:   William Donnelly. Copyright (c) 2005. All rights reserved. Etc...
   Contact:  snowcrest.net | donnelly
   See:      http://www.snowcrest.net/donnelly/gmscripts/

   Global Store - Global Values Get/Set.    (2005)
   Offer global values storage across page loads.

   Mostly for bookmarklet usage.

   Ver 1.0.0  Initial implementation. (9/2005)
*/

// userscript metadata follows...

// ==UserScript==
// @name          Global Store - Global Values Get/Set
// @namespace     http://www.snowcrest.net/donnelly/gmscripts/
// @description   Offer global values storage across page loads
// @include       *
// @exclude

// @Version       1.0.0
// @GmVersion     0.5.2
// @Author        William Donnelly
// @Email         snowcrest.net | donnelly
// ==/UserScript==

(function() {

   *~GM~GS~Get~* = function (psName, psDefault) {

      try {

         return GM_getValue (psName, psDefault);

      } catch (eErr) {
         alert ("Error using *~GM~GS~Get~* (\"" + psName + "\", \"" +
            psDefault + "\") ::> " + eErr);
      }

      return undefined;
   } // *~GM~GS~Get~*


   *~GM~GS~Set~* = function (psName, psValue) {

      try {

         GM_setValue (psName, psValue);

      } catch (eErr) {
         alert ("Error using *~GM~GS~Set~* (\"" + psName + "\", \"" +
            psValue + "\") ::> " + eErr);
      }

      return;
   } // *~GM~GS~Set~*

})();

-- 
Sometimes bad things happen to good people.
When that happens, those good people should
seek out and find some bad people.
And then do something bad to them.
Just to even things out.
It's only fair, after all.
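
Added example (not part of the original post, and not Greasemonkey's own code): the bookmarklet reaches the wrappers from page context, so any script on a page matched by `@include *` can reach them too, and a before/after diff of `window` properties finds them whatever they are named. The sketch audits what an installer adds to a window and shows a narrower wrapper that accepts only allowlisted keys and bounded string values. Assumptions: `fakeStore`, `addedGlobals`, `installRestricted`, the `zq_*` names and the plain-object "windows" are hypothetical stand-ins so the code runs under Node.

```javascript
// Added example. Constructed stand-ins so this runs under Node:
// fakeStore plays the role of the store behind GM_getValue/GM_setValue.
const fakeStore = new Map();
const GM_getValue = (k, d) => (fakeStore.has(k) ? fakeStore.get(k) : d);
const GM_setValue = (k, v) => { fakeStore.set(k, v); };

// The post's pattern: pass-through wrappers under user-chosen global names.
function installPassThrough(win, getName, setName) {
  win[getName] = (k, d) => GM_getValue(k, d);
  win[setName] = (k, v) => GM_setValue(k, v);
}

// Audit helper (hypothetical): list the globals an installer adds to a window.
function addedGlobals(win, install) {
  const before = new Set(Object.keys(win));
  install(win);
  return Object.keys(win).filter((name) => !before.has(name)).sort();
}

// Narrower wrapper (hypothetical): allowlisted keys, bounded string values.
function installRestricted(win, getName, setName, allowedKeys, maxLen) {
  const keyOk = (k) => typeof k === 'string' && allowedKeys.includes(k);
  win[getName] = (k, d) => (keyOk(k) ? GM_getValue(k, d) : d);
  win[setName] = (k, v) => {
    if (!keyOk(k) || typeof v !== 'string' || v.length > maxLen) return false;
    GM_setValue(k, v);
    return true;
  };
}

// Constructed demo: two fake page windows and made-up wrapper names.
function demo() {
  const pageA = { document: {}, location: {} };
  const exposed = addedGlobals(pageA, (w) =>
    installPassThrough(w, 'zq_get_91', 'zq_set_91'));
  pageA[exposed[1]]('someOtherKey', 'written by page code');
  const pageB = { document: {}, location: {} };
  installRestricted(pageB, 'zq_get_91', 'zq_set_91', ['srUi_def'], 200);
  return {
    exposed,                                          // names found by the diff
    passThroughWrote: fakeStore.has('someOtherKey'),  // arbitrary key was stored
    restrictedOtherKey: pageB.zq_set_91('anotherKey', 'x'),
    restrictedOversize: pageB.zq_set_91('srUi_def', 'a'.repeat(201)),
    restrictedValid: pageB.zq_set_91('srUi_def', 'http://www.domain.tld/dir/.+\\.jpg'),
    readBack: pageB.zq_get_91('srUi_def', 'default'),
  };
}

console.log(demo());
```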



