A couple of days ago I mentioned that phplist injects some code into the letters. The code is injected only in Firefox; Google Chrome is OK. The code below is injected into the HTML head:
<html>
<head>
<title></title>
<script>(function inject(config) {
/**
 * Builds a short pseudo-random identifier by concatenating three base-36
 * fragments derived from Math.random() and cutting the result to at most
 * 22 characters.
 * Math.random() is not a cryptographically secure source, so the value
 * works as a message tag but is not an unguessable token.
 * @returns {string} identifier of at most 22 characters
 */
function GenerateQuickId() {
// substring(2, 15) drops the leading "0." and keeps at most 13 base-36 digits per fragment.
var randomStrId = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
return randomStrId.substring(0, 22);
}
;
/**
 * Packages one captured HTTP exchange into a message object and broadcasts
 * it with window.postMessage.
 * @param {*} requestMethod_ - HTTP method reported by the caller
 * @param {*} url_ - URL of the captured request/response
 * @param {*} type_ - value of the response's content-type header
 * @param {*} content_ - response body as captured by the caller
 */
function SendXHRCandidate(requestMethod_, url_, type_, content_) {
try {
var id = 'detector';
var mes = {
posdMessageId: 'PANELOS_MESSAGE',
posdHash: GenerateQuickId(),
type: 'VIDEO_XHR_CANDIDATE',
from: id,
// 'detector' without its last two characters, i.e. 'detect'.
to: id.substring(0, id.length - 2),
content: {
requestMethod: requestMethod_,
url: url_,
type: type_,
content: content_
}
};
// Target origin '*' puts no restriction on the receiving origin: every
// "message" listener registered on this window, including the page's own
// scripts, is handed the URL and the full response body.
window.postMessage(mes, '*');
// Any exception raised above is discarded without logging.
} catch (e) {}
}
;
// Keep a reference to the native open(), then replace it on the prototype so
// that every XMLHttpRequest created in this page goes through the wrapper.
var open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function () {
// Store the HTTP method on the XHR instance; the send() wrapper reads it
// back when it reports the finished request.
this.requestMethod = arguments[0];
// Delegate to the native open(); its return value is not propagated.
open.apply(this, arguments);
};
// Replace XMLHttpRequest.prototype.send so that each request gets a wrapped
// onreadystatechange handler before the native send() runs.
var send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function () {
// The page's handler is captured at send() time and chained below.
// NOTE(review): a handler assigned by the page after send() would replace
// this wrapper, which suggests such requests are not captured; confirm.
var onreadystatechange = this.onreadystatechange;
this.onreadystatechange = function () {
// Exclusion check: true when the URL contains any entry of `config`, the
// array passed to the enclosing inject() call. Matching is by plain
// substring, so short entries match anywhere in the URL.
var isFrameInBlackList = function isFrameInBlackList(url) {
var blackListIframes = config;
return blackListIframes.some(function (e) {
return url.includes(e);
});
};
// readyState 4 means the request has finished. For every finished request
// whose URL is not excluded, the method, final URL, content-type header and
// response body are handed to SendXHRCandidate.
if (this.readyState === 4 && !isFrameInBlackList(this.responseURL)) {
// SendXHRCandidate(...) is evaluated right here and its return value
// (undefined) is what setTimeout receives, so the call is synchronous and
// nothing is actually deferred.
setTimeout(SendXHRCandidate(this.requestMethod, this.responseURL, this.getResponseHeader('content-type'), this.response), 0);
}
// Chain to the handler the page had installed, if any.
if (onreadystatechange) {
return onreadystatechange.apply(this, arguments);
}
};
return send.apply(this, arguments);
};
// Keep a reference to the native fetch and overwrite the page-global fetch
// with a wrapper that instruments the returned Response.
// Unlike the XMLHttpRequest wrapper, this path applies no exclusion check
// against `config`: every fetch response read through json() or text() is
// reported.
var nativeFetch = fetch;
fetch = function fetch() {
var _this = this;
var args = arguments;
// When the first argument is a Request its url/method are used; otherwise
// the first argument itself is taken as the URL and the method is assumed
// to be 'GET'. The init object (second argument) is never consulted, so a
// call such as fetch(url, { method: 'POST' }) is reported as GET.
var fetchURL = arguments[0] instanceof Request ? arguments[0].url : arguments[0];
var fetchMethod = arguments[0] instanceof Request ? arguments[0].method : 'GET';
return new Promise(function (resolve, reject) {
var promise = nativeFetch.apply(_this, args);
promise.then(function (response) {
// Only responses whose body is a ReadableStream are instrumented, and only
// their json() and text() readers are replaced on this Response instance;
// other readers (blob, arrayBuffer, formData) are left untouched.
if (response.body instanceof ReadableStream) {
var nativeJson = response.json;
response.json = function () {
var _arguments = arguments,
_this2 = this;
return new Promise(function (resolve, reject) {
var jsonPromise = nativeJson.apply(_this2, _arguments);
jsonPromise.then(function (jsonResponse) {
// The parsed JSON is re-serialised and reported. SendXHRCandidate(...) runs
// immediately; setTimeout only receives its undefined return value.
setTimeout(SendXHRCandidate(fetchMethod, fetchURL, response.headers.get('content-type'), JSON.stringify(jsonResponse)), 0);
// The caller still receives the original parsed value.
resolve(jsonResponse);
})["catch"](function (e) {
reject(e);
});
});
};
var nativeText = response.text;
response.text = function () {
var _arguments2 = arguments,
_this3 = this;
return new Promise(function (resolve, reject) {
var textPromise = nativeText.apply(_this3, _arguments2);
textPromise.then(function (textResponse) {
// Same pattern as json(): the full response text is reported synchronously.
setTimeout(SendXHRCandidate(fetchMethod, fetchURL, response.headers.get('content-type'), textResponse), 0);
resolve(textResponse);
})["catch"](function (e) {
reject(e);
});
});
};
}
// Hand the (possibly instrumented) Response to the original caller.
resolve.apply(this, arguments);
})["catch"](function () {
// Forward the rejection to the caller.
reject.apply(this, arguments);
});
});
};
})(["facebook.com/","twitter.com/","youtube.com/","youtube-nocookie.com/embed/","//vk.com/","//www.vk.com/","//linkedin.com/","//www.linkedin.com/","//instagram.com/","//www.instagram.com/","//www.google.com/recaptcha/api2/","//hangouts.google.com/webchat/","//www.google.com/calendar/","//www.google.com/maps/embed","spotify.com/","soundcloud.com/","//player.vimeo.com/","//disqus.com/","//tgwidget.com/","//js.driftt.com/","friends2follow.com","/widget","login","//video.bigmir.net/","blogger.com","//smartlock.google.com/","//keep.google.com/","/web.tolstoycomments.com/","moz-extension://","chrome-extension://","/auth/","//analytics.google.com/","adclarity.com","paddle.com/checkout","hcaptcha.com","recaptcha.net","2captcha.com","accounts.google.com","www.google.com/shopping/customerreviews","buy.tinypass.com"]);</script>
</head>
<body bis_frame_id="3990024618011" bis_status="ok">
Also, the attribute “bis_size” is added to all HTML tags of the message, for example:
<h3 bis_size="{"x":20,"y":20,"w":1177,"h":23,"abs_x":384,"abs_y":562}">
I have Linux Mint 20, Firefox 106.0.1.
Since the code is browser-dependent, I guess that it is not a phplist-specific problem, but because this injection happens only in the phplist editor, I think it could be a security issue. The same browser works fine with WordPress and other CMSs.
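UPD: I switched off all the extensions and add-ons in this Firefox instance, and the injection is gone. So I guess this is an extension issue; I will investigate further by re-enabling them one by one. Letters that were edited while the extension was active may still contain the injected script and the bis_ attributes, so they should be checked before they are sent.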