Hello.
I have read a few topics on https://discourse.mozilla.org/c/add-ons/addons-mozilla-org and I have a few questions about the policy behind injecting HTML into the DOM.
I do understand the dangers and why we should use .textContent, and I do use it on a daily basis. However, I’m working on an extension where using a full HTML template would be more effective.
Here is what I’m gonna use to sanitize the user input:
https://jsfiddle.net/kpion/wfzqvtmd/
In short, I’m replacing all the < and > and friends with entities. With this:
function sanitize(str) {
  // Map each HTML-significant character to its entity so the browser
  // renders it as literal text instead of parsing it as markup.
  const replacements = {
    '"': '&quot;', '&': '&amp;', "'": '&#39;', '<': '&lt;', '>': '&gt;',
  };
  return str.toString().replace(/[<>&"']/g, c => replacements[c]);
}
And then something like:
element.innerHTML = '<p>' + sanitize(userValue) + '</p>';
And the question is - is this fine and enough? I want to ask it before I go fully with the code, to avoid this:
Quote:
(…) why is the addon unlisted on AMO?
(…) Because of the Mozilla policy forbidding assignment of innerHTML and custom DOM libraries. Changing them is not an easy task as many sites are affected, and some have a geo lock or require an account. It will be hard for me to ensure (…)
Also, aside from this - I’m wondering, how does using jQuery solve this problem? With jquery.html(stuff) we can do as much harm as with any other lib using .innerHTML under the hood, right? But really, this question isn’t important; I’m just curious.
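Added example, not code from the post above: an escaper with the entity spellings written out, the `<p>` wrapper the post proposes, and a round-trip check that shows the escaping is lossless and leaves nothing the HTML parser could treat as a tag, attribute delimiter or entity. It assumes the value is only ever placed in element text or a quoted attribute value; escaping alone does not make a value safe inside a URL attribute, an inline event handler or a `<script>` body. Names (`escapeHtml`, `paragraphHtml`, `hasUnescapedMarkup`, `unescapeHtml`, `SAMPLE`) are this example's own.

```javascript
// Each HTML-significant character and the entity it must become.
// '&' is included so a value such as "&lt;" stays the literal text "&lt;"
// instead of being decoded into "<" by the parser. &#39; is used for the
// apostrophe because &apos; is not recognised by every HTML parser.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so it is rendered as text inside an element body or a
// quoted attribute value. Every match is replaced in a single pass, so the
// order of the map entries does not matter.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// The markup the post builds before assigning it to innerHTML.
function paragraphHtml(userValue) {
  return '<p>' + escapeHtml(userValue) + '</p>';
}

// Defensive check: strip the five known entities and see whether any of the
// significant characters survive. A correct escaper always returns false.
function hasUnescapedMarkup(escaped) {
  const stripped = escaped.replace(/&(amp|lt|gt|quot|#39);/g, '');
  return /[&<>"']/.test(stripped);
}

// Reverse of escapeHtml, constructed here to verify the round trip in plain
// Node; in a browser the HTML parser performs this decoding when rendering.
function unescapeHtml(escaped) {
  const back = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return escaped.replace(/&(amp|lt|gt|quot|#39);/g, (m) => back[m]);
}

// Constructed sample input containing every character the escaper handles.
const SAMPLE = `<b>not bold</b> & "quotes" 'apostrophe'`;

module.exports = { escapeHtml, paragraphHtml, hasUnescapedMarkup, unescapeHtml, SAMPLE };
```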