add prevent-innerHTML scriptlet. #488 AG-40911

Squashed commit of the following:

commit 507a3bf
Merge: db89e1d 0a2db9b
Author: slvvko <v.leleka@adguard.com>
Date:   Tue Dec 16 10:46:07 2025 -0500

    merge parent branch into current one, resolve conflicts

commit db89e1d
Author: slvvko <v.leleka@adguard.com>
Date:   Tue Dec 16 02:14:57 2025 -0500

    prepare release 2.2.14

commit dc16428
Author: slvvko <v.leleka@adguard.com>
Date:   Tue Dec 16 02:13:17 2025 -0500

    add error handling for invalid selector

commit d9e1003
Author: slvvko <v.leleka@adguard.com>
Date:   Tue Dec 16 02:09:00 2025 -0500

    add getter replacement support for prevent-innerHTML

commit fb16caa
Author: slvvko <v.leleka@adguard.com>
Date:   Fri Dec 12 08:44:27 2025 -0500

    update agtree to 3.4.3

commit 8750bdf
Merge: 694f2d7 49f701a
Author: slvvko <v.leleka@adguard.com>
Date:   Fri Dec 12 08:41:23 2025 -0500

    merge parent branch into current one, resolve conflicts

commit 694f2d7
Author: slvvko <v.leleka@adguard.com>
Date:   Thu Dec 11 01:32:08 2025 -0500

    update compatibility-table.json

commit a05f8fd
Author: slvvko <v.leleka@adguard.com>
Date:   Thu Dec 11 01:19:04 2025 -0500

    add prevent-innerHTML scriptlet

Author: slvvko

CHANGELOG.md

@@ -10,16 +10,23 @@ The format is based on [Keep a Changelog], and this project adheres to [Semantic
 <!-- TODO: change `@added unknown` tag due to the actual version -->
 <!--       during new scriptlets or redirects releasing -->
 
-## Unreleased
+## [v2.2.14] - 2025-12-16
 
 ### Added
 
+- `prevent-innerHTML` scriptlet [#488].
 - Ability to configure observer timeout for `trusted-click-element` scriptlet
   with a new `observerTimeout` parameter [#400].
 - Support for `window.Fingerprint` variable in `fingerprintjs2` redirect (and
   scriptlet as well since it is an alias for redirect) [#541].
 
+### Changed
+
+- Updated [@adguard/agtree] to `3.4.3`.
+
+[v2.2.14]: https://github.com/AdguardTeam/Scriptlets/compare/v2.2.13...v2.2.14
 [#400]: https://github.com/AdguardTeam/Scriptlets/issues/400
+[#488]: https://github.com/AdguardTeam/Scriptlets/issues/488
 [#541]: https://github.com/AdguardTeam/Scriptlets/issues/541
 
 ## [v2.2.13] - 2025-11-25

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@adguard/scriptlets",
-    "version": "2.2.13",
+    "version": "2.2.14",
     "description": "AdGuard's JavaScript library of Scriptlets and Redirect resources",
     "type": "module",
     "scripts": {
@@ -64,7 +64,7 @@
         "neverBuiltDependencies": []
     },
     "dependencies": {
-        "@adguard/agtree": "^3.3.1",
+        "@adguard/agtree": "^3.4.3",
         "@types/trusted-types": "^2.0.7",
         "js-yaml": "^3.14.1"
     },

pnpm-lock.yaml

@@ -167,6 +167,10 @@
             "adg": "prevent-fetch",
             "ubo": "prevent-fetch.js (no-fetch-if.js)"
         },
+        {
+            "adg": "prevent-innerHTML",
+            "ubo": "prevent-innerHTML"
+        },
         {
             "adg": "prevent-xhr",
             "ubo": "prevent-xhr.js (no-xhr-if.js)"

scripts/compatibility-table.json

@@ -0,0 +1,165 @@
+import {
+    hit,
+    logMessage,
+    toRegExp,
+    parseMatchArg,
+} from '../helpers';
+import { type Source } from './scriptlets';
+
+/**
+ * @scriptlet prevent-innerHTML
+ *
+ * @description
+ * Conditionally prevents assignment to `innerHTML` property
+ * and can replace the value returned by the getter.
+ *
+ * Related UBO scriptlet:
+ * https://github.com/gorhill/uBlock/wiki/Resources-Library#prevent-innerhtmljs-
+ *
+ * ### Syntax
+ *
+ * ```text
+ * example.org#%#//scriptlet('prevent-innerHTML'[, selector[, pattern[, replacement]]])
+ * ```
+ *
+ * - `selector` — optional, CSS selector to match element. If not specified, matches all elements.
+ * - `pattern` — optional, string or regular expression to match against the assigned/returned value.
+ *   Prepend with `!` to invert the match. If not specified, matches all values.
+ * - `replacement` — optional, replacement value to return from getter when pattern matches.
+ *   If not specified, the getter returns the original value unchanged (setter-only mode).
+ *   If specified, enables getter manipulation mode. Possible values:
+ *     - empty string — `''`,
+ *     - custom text.
+ *
+ * ### Examples
+ *
+ * 1. Prevent any `innerHTML` assignment
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML')
+ *     ```
+ *
+ * 1. Prevent `innerHTML` assignment on elements matching selector
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', '#ads')
+ *     ```
+ *
+ * 1. Prevent `innerHTML` assignment when the value contains "ad"
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', '', 'ad')
+ *     ```
+ *
+ * 1. Prevent `innerHTML` assignment on specific element when value matches regex
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', 'div.ads', '/banner|sponsor/')
+ *     ```
+ *
+ * 1. Prevent `innerHTML` assignment when value does NOT match pattern (inverted match)
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', '', '!allowed-content')
+ *     ```
+ *
+ * 1. Replace innerHTML getter value with empty string when it contains "delete window"
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', '', 'delete window', '')
+ *     ```
+ *
+ * 1. Replace innerHTML getter value with custom text when pattern matches
+ *
+ *     ```adblock
+ *     example.org#%#//scriptlet('prevent-innerHTML', 'div.code', '/evil-script/', 'safe-replacement')
+ *     ```
+ *
+ * @added v2.2.14.
+ */
+export function preventInnerHTML(source: Source, selector = '', pattern = '', replacement?: string): void {
+    const { isInvertedMatch, matchRegexp } = parseMatchArg(pattern);
+
+    const nativeDescriptor = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML');
+    if (nativeDescriptor === undefined) {
+        return;
+    }
+
+    /**
+     * Determines whether the innerHTML assignment should be prevented.
+     *
+     * @param element Element being assigned to.
+     * @param value Value being assigned.
+     *
+     * @returns True if assignment should be prevented.
+     */
+    const shouldPrevent = (element: Element, value: string): boolean => {
+        if (selector !== '') {
+            if (typeof element.matches !== 'function') {
+                return false;
+            }
+
+            try {
+                if (element.matches(selector) === false) {
+                    return false;
+                }
+            } catch (e) {
+                // Invalid selector, do not prevent
+                logMessage(source, `prevent-innerHTML: invalid selector "${selector}"`, true);
+                return false;
+            }
+        }
+
+        const patternMatches = matchRegexp.test(String(value));
+
+        return isInvertedMatch ? !patternMatches : patternMatches;
+    };
+
+    Object.defineProperty(Element.prototype, 'innerHTML', {
+        configurable: true,
+        enumerable: true,
+        get() {
+            const value = nativeDescriptor.get
+                ? nativeDescriptor.get.call(this)
+                : nativeDescriptor.value;
+
+            // If replacement is specified, check if we should replace the getter value
+            if (replacement !== undefined && shouldPrevent(this, value)) {
+                hit(source);
+                logMessage(source, 'Replaced innerHTML getter value');
+                return replacement;
+            }
+
+            return value;
+        },
+        set(value: string) {
+            if (shouldPrevent(this, value)) {
+                hit(source);
+                logMessage(source, 'Prevented innerHTML assignment');
+                return;
+            }
+
+            if (nativeDescriptor.set) {
+                nativeDescriptor.set.call(this, value);
+            }
+        },
+    });
+}
+
+export const preventInnerHTMLNames = [
+    'prevent-innerHTML',
+    // aliases are needed for matching the related scriptlet converted into our syntax
+    'prevent-innerHTML.js',
+    'ubo-prevent-innerHTML.js',
+    'ubo-prevent-innerHTML',
+];
+
+// eslint-disable-next-line prefer-destructuring
+preventInnerHTML.primaryName = preventInnerHTMLNames[0];
+
+preventInnerHTML.injections = [
+    hit,
+    logMessage,
+    toRegExp,
+    parseMatchArg,
+];

src/scriptlets/prevent-innerHTML.ts

@@ -75,6 +75,7 @@ export { trustedDispatchEvent } from './trusted-dispatch-event';
 export { trustedReplaceOutboundText } from './trusted-replace-outbound-text';
 export { preventCanvas } from './prevent-canvas';
 export { trustedReplaceArgument } from './trusted-replace-argument';
+export { preventInnerHTML } from './prevent-innerHTML';
 // redirects as scriptlets
 // https://github.com/AdguardTeam/Scriptlets/issues/300
 export { AmazonApstag } from './amazon-apstag';

src/scriptlets/scriptlets-list.ts

@@ -75,6 +75,7 @@ export { trustedDispatchEventNames } from './trusted-dispatch-event';
 export { trustedReplaceOutboundTextNames } from './trusted-replace-outbound-text';
 export { preventCanvasNames } from './prevent-canvas';
 export { trustedReplaceArgumentNames } from './trusted-replace-argument';
+export { preventInnerHTMLNames } from './prevent-innerHTML';
 // redirects as scriptlets
 // https://github.com/AdguardTeam/Scriptlets/issues/300
 export { AmazonApstagNames } from './amazon-apstag';