Eli Grey eligrey

eligrey / plagiarists.md
Last active April 23, 2024 15:54
Googlers known for plagiarism
eligrey / airgap.js-optimized-url-parser-screenshot.ts
Created April 19, 2024 05:57
airgap.js optimized URL parser screenshot
/**
* Parses potentially stringifiable URL input into a URL instance and returns null if the input is
* an invalid URL or if the input is a data URI, as processing those uses significant resources and we
* don't need to regulate them anyway.
*
* Implemented with four tiers:
* 1. fastest: URL.parse()
* 2. second fastest: URLPattern validation + new URL()
* 3. fast for absolute URLs: DOM validation + new URL() for absolute URLs / try...catch new URL() for relative URLs
* 4. slowest: try...catch new URL()
eligrey / url-parse-polyfill.ts
Last active April 19, 2024 06:47
Fast URL.parse() polyfill
/**
* Fast URL.parse() polyfill
*
* Copyright (c) 2024 Transcend Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
eligrey / interventions.ts
Last active September 1, 2023 23:54
lock well-known built-in JS iterable prototypes
const freezeProp = <T = any>(
  object: T,
  property: string | symbol | number,
  value = (object as any)[property],
): T =>
  Object.defineProperty(object, property, {
    value,
    configurable: false,
    writable: false,
    enumerable: false,
eligrey / uri-validator.ts
Created September 25, 2021 19:50
URL validation utilities
/**
* Validate potentially relative URL
*
* @param input - URL to validate
* @returns true if URL is valid and doesn't need additional encoding
*/
const isValidURL = (input: string): boolean => {
  try {
    const { href, pathname, host, origin } = new globalThis.URL(
      input,
eligrey / example.ts
Last active April 12, 2022 05:10
Simple language matcher
import { matchLanguages, getNearestSupportedLanguage } from './match-languages';
const supportedLanguages = ['en-GB', 'fr'];
console.log('navigator.languages: ', navigator.languages);
const matches = matchLanguages(navigator.languages, supportedLanguages);
console.log('preferred language matches:', matches);
const nearest = getNearestSupportedLanguage(matches, supportedLanguages);
console.log('nearest matching supported language:', nearest);
eligrey / host-validator.ts
Last active March 21, 2023 23:02
URL host validation utility
/**
* Validate URL host
*
* This supports domain names, IDN domain names, IPv4, and IPv6 addresses.
*
* Intentional spec incompatibilities:
* - Blank hosts ('') and blank FQDN hosts ('.') are considered invalid.
*
* @param host - Host to validate
* @returns true if host is valid and doesn't need additional encoding
eligrey / challenge.js
Last active February 15, 2021 00:53
Secure user-initiated click isTrusted attestation challenge — https://go.eligrey.com/t/event-isTrusted-challenge
// @ts-nocheck
//
// User-initiated click isTrusted attestation challenge:
//
// Secure this 'click' event listener from synthetic clicks
// while working in a prototype pollution superfund site.
//
// addEventListener() has been backdoored.
//
eligrey / node.isConnected-polyfill.js
Last active July 11, 2023 12:52
Node.isConnected polyfill for EdgeHTML
/*
* Node.isConnected polyfill for EdgeHTML
* 2021-04-12
*
* By Eli Grey, https://eligrey.com
* Public domain.
* NO WARRANTY EXPRESSED OR IMPLIED. USE AT YOUR OWN RISK.
*/
if (!('isConnected' in Node.prototype)) {
eligrey / bypass-csp.js
Last active November 26, 2019 00:45
Universal CSP bypass exfiltration tool
// update: this was over-engineered
// just navigate to an HTTP 204 redirect to exfiltrate data