Hi everybody.
I wrote a userscript for Steam, and I am trying to get it approved on AMO, but currently it’s rejected because of “potentially unsanitized data”. The funny thing is that the data it loads is actually sanitized; at least, if there were any problems with it, the user would get it anyway. I just break it down into smaller, filterable parts.
Here are examples of the JS that is in the loaded data:
new CEmoticonPopup([":bpheal:",":bphere:",":bpswim:",":tornbanner:",":csgoa:",":csgoanarchist:",":csgob:",":csgocross:",":csgoct:",":csgoglobe:",":csgogun:",":csgohelmet:",":csgoskull:",":csgostar:",":csgox:",":choke:",":fraud:",":orangelily:",":dwayneelf:",":happyelf:",":LIS_flower:",":excite:",":umbrella:",":koi:",":destiny:",":duel:",":might:",":happy_creep:",":P:",":TheD:",":Y:",":galley:",":barreloffun:",":sunspeed:",":rd_crown:",":rd_power:",":kitatus:",":kitatus_b:",":kitatus_g:",":kitatus_p:",":kitatus_r:",":kitatus_y:",":halloweener:",":Safe_House:",":photon:",":spacehelmet:",":swapperorb:",":moon:",":TheShark:",":steambored:",":steamfacepalm:",":steamhappy:",":steammocking:",":steamsad:",":steamsalty:"],$J('#emoticonbtn_564894a5e7052'),$J('#commentthread_UserReceivedNewGame_76561198045959858_1447595929_0_textarea'));
$J(function() {InitializeCommentThread("UserReceivedNewGame","UserReceivedNewGame_76561198045959858_1447595929_0",{"feature":"1447595929","feature2":0,"owner":"76561198045959858","total_count":0,"start":0,"pagesize":3,"has_upvoted":1,"upvotes":6,"votecountid":"vote_count_nowowns_76561198045959858","voteupid":"vote_up_nowowns_76561198045959858","commentcountid":"commentcount_nowowns_76561198045959858","subscribed":false,"newestfirstpagination":true},'http://steamcommunity.com/comment/UserReceivedNewGame/',28);});
// this global will contain the full set of screenshots to show
g_BlotterGalleries['gallery_402305544743065942'] = {};
g_BlotterGalleries['gallery_402305544743065942'].m_screenshotActive = '402305544743065942';
g_BlotterGalleries['gallery_402305544743065942'].shots = {};
// record another entry in the global screenshot array
g_BlotterGalleries['gallery_402305544743065942'].shots['402305544743065942'] = {"m_id":"402305544743065942","m_imageHeight":768,"m_imageWidth":1280,"m_caption":"\u0414\u043e\u043b\u0431\u0438\u043c \u043a\u043d\u043e\u043f\u043a\u0438 \u043d\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0435, \u0447\u0442\u043e \u0435\u0441\u0442\u044c \u0441\u0438\u043b\u044b)","m_commentCount":3,"m_baseurl":"http:\/\/images.akamai.steamusercontent.com\/ugc\/402305544743065942\/8FBFE243D09BAB1F849731623BC3D761CBC22EA6\/"
(the last one is cut).
So how can it be sanitized? What if I simply take parameters from the loaded JS and use them with local function calls? Or should I parse all the JS and check the parameters’ length and contents too? Or can’t it be sanitized to AMO standards at all? I already know another way to do it, but I still want to figure this out, particularly to find out what the AMO standards are in this regard.
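As an added example (not the poster's script and not Steam's own code), here is one way to take the parameters out of the loaded JS without ever evaluating it: cut the JSON literals out as text, parse them with JSON.parse, and allow-list each value (token shape, numeric range, URL scheme and host) before the userscript uses it. The sample script below is constructed to look like the snippets quoted above, with a couple of bad entries added to show what gets dropped.

```javascript
// Added example (not the original post's or Steam's code): pull the values a
// userscript needs out of Steam's inline JS without executing it, then
// allow-list every value before it is used.
// Constructed sample shaped like the snippets quoted in the post.
const SAMPLE_SCRIPT = `
new CEmoticonPopup([":bpheal:",":LIS_flower:",":P:","<img src=x>"],$J('#emoticonbtn_564894a5e7052'),$J('#ta'));
g_BlotterGalleries['gallery_402305544743065942'].shots['402305544743065942'] = {"m_id":"402305544743065942","m_imageHeight":768,"m_imageWidth":1280,"m_caption":"<b>hi</b>","m_commentCount":3,"m_baseurl":"http:\\/\\/images.akamai.steamusercontent.com\\/ugc\\/402305544743065942\\/8FBF\\/"};
g_BlotterGalleries['gallery_1'].shots['1'] = {"m_id":"1","m_imageHeight":1,"m_imageWidth":1,"m_caption":"","m_baseurl":"javascript:alert(1)"};
`;

const EMOTICON_RE = /^:[A-Za-z0-9_]{1,32}:$/; // emoticon names are short tokens
const ID_RE = /^[0-9]{1,20}$/;                // Steam ids are decimal strings

// The emoticon list is a JSON array literal: cut it out as text, let
// JSON.parse (never eval/Function) turn it into data, then filter by shape.
function extractEmoticons(script) {
  const m = /new CEmoticonPopup\((\[[^\]]*\])/.exec(script);
  if (!m) return [];
  let list; try { list = JSON.parse(m[1]); } catch (e) { return []; }
  if (!Array.isArray(list)) return [];
  return list.filter(s => typeof s === 'string' && EMOTICON_RE.test(s));
}

// Keep only the fields the script needs, each checked for type, range and
// (for the URL) scheme and host; any oddity drops the whole entry.
function sanitizeShot(obj) {
  if (!obj || typeof obj !== 'object') return null;
  const id = obj.m_id, w = obj.m_imageWidth, h = obj.m_imageHeight;
  if (typeof id !== 'string' || !ID_RE.test(id)) return null;
  if (![w, h].every(n => Number.isInteger(n) && n > 0 && n <= 16384)) return null;
  let url;
  try { url = new URL(obj.m_baseurl); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!/(^|\.)steamusercontent\.com$/.test(url.hostname)) return null;
  // The caption stays plain text; insert it with textContent, never innerHTML.
  const caption = typeof obj.m_caption === 'string' ? obj.m_caption.slice(0, 500) : '';
  return { id, width: w, height: h, baseurl: url.href, caption };
}

// Each `.shots['<id>'] = {...};` assignment carries one JSON object literal.
function extractShots(script) {
  const re = /\.shots\['(\d+)'\] = (\{[^\n]*\});/g, out = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    let obj; try { obj = JSON.parse(m[2]); } catch (e) { continue; }
    const shot = sanitizeShot(obj);
    if (shot && shot.id === m[1]) out.push(shot);
  }
  return out;
}
```

The `<img src=x>` entry and the `javascript:` URL are rejected by shape alone, so no part of the page's script is ever run and nothing reaches the DOM except values the userscript has already decided are acceptable.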