I’ve had my add-on updates rejected because of this problem, trying to process unsanitized remote data.
Eventually I have been able to avoid that, but that was only possible because all of the remote data I use is pure text, not code, so I changed the source code to fetch the remote text and add it JUST as text nodes and text attributes (no onClick attributes) into the DOM after processing local static markup.
So far I don’t think that there will be any other way of using any remote data in add-ons other than text alone, especially executable remote data:
Remote script injection.
Action: Reject
Add-ons can use data-only APIs, but should never download and execute remote code, not even in the scope of a webpage. Any use of the <script> tag (like createElement("script")) needs to be carefully analyzed. Using remote PAC files is not allowed.
And
Remote code download or execution, custom update code.
Action: Reject
As explained in the validation section, no remote code execution is allowed.
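The approach described in the post above (remote data inserted only as text nodes and text attributes into locally defined markup), sketched as an added example that is not part of the original post or of any add-on's code. The record shape `{title, link}`, the sample response and all function names are assumptions.

```javascript
// Added example; record shape {title, link} and all names here are assumptions.
const ALLOWED_ATTRS = new Set(["title", "href"]); // text attributes only, no on* handlers

// Constructed sample of a remote response containing markup and a script URL.
const SAMPLE_REMOTE = JSON.stringify([
  { title: '<b onclick="x()">News</b>', link: "javascript:void(0)" },
  { title: "Release notes", link: "https://example.org/notes" },
]);

function safeHref(value) {
  // Accept only absolute http(s) URLs; javascript:, data: and relative values are dropped.
  try {
    const u = new URL(String(value));
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch {
    return null;
  }
}

function setTextAttr(el, name, value) {
  const key = name.toLowerCase();
  if (!ALLOWED_ATTRS.has(key)) throw new Error("attribute not allowed: " + name);
  const text = key === "href" ? safeHref(value) : String(value);
  if (text === null) return false; // leave the attribute unset
  el.setAttribute(key, text);
  return true;
}

function renderItems(doc, list, remoteText) {
  const items = JSON.parse(remoteText); // parsed as data; never eval() or innerHTML
  if (!Array.isArray(items)) throw new TypeError("expected a JSON array");
  for (const item of items) {
    if (item === null || typeof item !== "object") continue;
    const li = doc.createElement("li"); // element names come from local code only
    const a = doc.createElement("a");
    a.appendChild(doc.createTextNode(String(item.title))); // markup stays inert text
    setTextAttr(a, "title", item.title);
    setTextAttr(a, "href", item.link);
    li.appendChild(a);
    list.appendChild(li);
  }
  return list;
}
```

In an add-on, `doc` is the page's `document` and `list` is an element that already exists in the local static markup.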