L5: truncate token name and symbol to prevent UI abuse

Limit token name to 64 characters and symbol to 12 characters after fetching from the contract. Prevents malicious contracts from injecting excessively long strings into the UI.
2026-02-27 11:39:47 -08:00
parent a6195730d9
commit 330ddc8f05
2 changed files with 5 additions and 4 deletions
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -24,10 +24,7 @@ storageApi.local.get("providerUUID", (res) => {
        uuid = crypto.randomUUID();
        storageApi.local.set({ providerUUID: uuid });
    }
-    window.postMessage(
-        { type: "AUTISTMASK_PROVIDER_UUID", uuid },
-        "*",
-    );
+    window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
 });

 // Relay requests from the page to the background script
--- a/src/shared/balances.js
+++ b/src/shared/balances.js
@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
        name = symbol;
    }

+    // Truncate name and symbol to prevent abuse via malicious contracts.
+    name = String(name).slice(0, 64);
+    symbol = String(symbol).slice(0, 12);
+
    log.infof("Token resolved:", symbol, "decimals", Number(decimals));
    return { name, symbol, decimals: Number(decimals) };
 }