WebExtensions - Review accepted sanitizing methods?

(Emmanuel Sellier) #1


I didn’t find any official answer on the need to sanitize HTML before DOM injection.
Since we cannot rely on the previous sanitizing methods used for a SDK based add-on, is it accepted (from a reviewer point of view) to use such libraries as DOMPurify (https://github.com/cure53/DOMPurify) ? or what is the standard method ?


(erosman) #2

Untouched DOMpurify is accepted
ref: https://github.com/mozilla/amo-validator/blob/master/validator/testcases/hashes-allowed.txt

However, there are issues that can still cause complications.

Generally speaking, problems start when remote content is injected using innerHTML (or similar method of converting strings to DOM e.g. outerHTML, insertAdjacentHTML, parseFromString, createContextualFragment, JQuery append/prepend/appendTo/html/before/after/insertBefore/insertAfter)

Inserting un-sanitized remote content is a security problem. For example, JavaScript can be passed as href/src/on** etc.
Addon should ensure such strings are not-executable (and not javascript:somefunction).

There are other security concerns with data itself when it is not even DOM.

It all depends on the situation. Personally, I have found that it is often possible to insert remote data safely without the need for external sanitizing library.

(Emmanuel Sellier) #3

Thanks for this answer ! I forgot to check if dompurify was on that list… shame on me.
In our case the remote-content is injected in iFrames with all required attributes to make it safer.
In french we say… “belt and brace” :slight_smile: