From 9308bc067ce364d862b6cd160a630e179474c2a9 Mon Sep 17 00:00:00 2001 From: tuanaiseo Date: Wed, 8 Apr 2026 06:12:39 +0700 Subject: [PATCH] fix(security): privileged api invoked via page-global `window.gm_ Multiple scripts call `window.GM_openInTab(...)` instead of the granted `GM_openInTab(...)`. If the page defines or overrides `window.GM_openInTab`, the userscript may execute attacker-controlled code or lose integrity of privileged actions. Affected files: GoogleTranslate-Beautification.user.js Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com> --- GoogleTranslate-Beautification.user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GoogleTranslate-Beautification.user.js b/GoogleTranslate-Beautification.user.js index b5f0e507c..f0ed0d99f 100644 --- a/GoogleTranslate-Beautification.user.js +++ b/GoogleTranslate-Beautification.user.js @@ -39,7 +39,7 @@ if (menu_streamline){menu_streamline_ = "√";}else{menu_streamline_ = "×";} menu_streamline_ID = GM_registerMenuCommand(`[ ${menu_streamline_} ] 精简美化`, function(){menu_switch(menu_streamline,'xiu2_menu_streamline','精简美化')}); - menu_feedBack_ID = GM_registerMenuCommand('反馈 & 建议', function () {window.GM_openInTab('https://github.com/XIU2/UserScript#xiu2userscript', {active: true,insert: true,setParent: true});}); + menu_feedBack_ID = GM_registerMenuCommand('反馈 & 建议', function () {GM_openInTab('https://github.com/XIU2/UserScript#xiu2userscript', {active: true,insert: true,setParent: true});}); } // 菜单开关
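Review bot: The bare `GM_openInTab(...)` call in the feedback menu handler only binds to the privileged API if the script's metadata block declares `// @grant GM_openInTab`, and that header lies outside this hunk, so it should be confirmed before merging. The description refers to multiple scripts, but the diffstat shows one changed file, so any remaining `window.GM_openInTab` call sites in other scripts presumably still need the same one-token change. A short comment above the changed line would keep the pattern from returning, for example `// Use the granted GM_* binding directly; a window.GM_* lookup can resolve to a page-defined property.` The enclosing function begins before the hunk, so whether other `window.`-qualified GM calls exist in it cannot be judged from here.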