"Unsafe assignment to innerHTML" with LinkeDOM


I am currently working on upgrading my extension Cast Kodi to MV3. The background must parse HTML, but DOMParser is not available in the service worker. So I use LinkeDOM as a polyfill. Addons-linter reports three warnings: Unsafe assignment to innerHTML.

Do you think my extension will be accepted in addons.mozilla.org?

The LinkeDOM library is only useful for Chromium, but I don’t want to manage two versions of my code (or develop a process to generate two versions).


Does the innerHTML assignment happen inside LinkeDOM or in your code?

The calls to innerHTML are in LinkeDOM.

I think LinkeDOM doesn’t interpret JavaScript. So there should be no risk in using this library.

I think the browser still interprets it, even if it comes through a library like LinkeDOM.

In general, the worry is code that adds unsanitized/unescaped inputs into .innerHTML as that opens it up for security risks.

If the content (eventually being the html parameter in those functions) comes from your extension, you could clean it up there (with, for example, DOMPurify).

I’ll also chat with the team next week to see if this is a use case our reviewers have experience with and can provide more details on what could be a good solution.

The goal of LinkeDOM is to provide an implementation of the DOM. The library doesn’t use the innerHTML method of the browser. It has its own implementation: