L5: truncate token name and symbol to prevent UI abuse

Limit token name to 64 characters and symbol to 12 characters after
fetching from the contract. Prevents malicious contracts from injecting
excessively long strings into the UI.
2026-02-27 11:39:47 -08:00
parent a6195730d9
commit 330ddc8f05
2 changed files with 5 additions and 4 deletions


@@ -24,10 +24,7 @@ storageApi.local.get("providerUUID", (res) => {
uuid = crypto.randomUUID(); uuid = crypto.randomUUID();
storageApi.local.set({ providerUUID: uuid }); storageApi.local.set({ providerUUID: uuid });
} }
window.postMessage( window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
{ type: "AUTISTMASK_PROVIDER_UUID", uuid },
"*",
);
}); });
// Relay requests from the page to the background script // Relay requests from the page to the background script


@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
name = symbol; name = symbol;
} }
// Truncate name and symbol to prevent abuse via malicious contracts.
name = String(name).slice(0, 64);
symbol = String(symbol).slice(0, 12);
log.infof("Token resolved:", symbol, "decimals", Number(decimals)); log.infof("Token resolved:", symbol, "decimals", Number(decimals));
return { name, symbol, decimals: Number(decimals) }; return { name, symbol, decimals: Number(decimals) };
} }
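Review bot: `String(name).slice(0, 64)` and `String(symbol).slice(0, 12)` on the new lines after the `name = symbol` fallback truncate by UTF-16 code unit, so a value whose cut point falls inside a surrogate pair ends in a lone surrogate, and a pure length cap does not bound rendered width or direction for strings made of combining marks, zero-width or bidi-override characters, which is the UI-abuse case the commit description targets. Truncating by code point fixes the first problem: `name = Array.from(String(name)).slice(0, 64).join("");` and `symbol = Array.from(String(symbol)).slice(0, 12).join("");`, and stripping format/control characters before the cut (e.g. `.replace(/\p{C}/gu, "")`) addresses the second. On the unchanged return line `decimals` still passes through as `Number(decimals)` with no range check; if the decoding path can hand back an out-of-range value, a bound belongs next to the new truncation. The body of lookupTokenInfo starts outside the hunk.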