I'm a happy user of Vex for a browser extension. When I submit a new version of my extension to the Firefox add-on store, I get these warnings:
Unsafe assignment to innerHTML
Warning: Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized. This can lead to security issues or fairly serious performance degradation.
It lists these instances:
vex/vex.min.js line 2 column 3333
vex/vex.min.js line 2 column 3447
vex/vex.combined.min.js line 2 column 3339
vex/vex.combined.min.js line 2 column 3453
vex/vex.combined.min.js line 2 column 7671
vex/vex.combined.min.js line 2 column 7785
Sorry it's for the minified version, but I suppose you can just grep through the codebase anyway.
The idea is that the extension is at risk of being taken off the store because of this sort of thing. My extension has been out for a year and a half now and I've never heard a peep from Mozilla about this, plus it's only a "warning", it doesn't stop you from uploading the version. So I doubt it's something I really need to worry about. Still, I thought it would be worth having on the issue tracker, as it may discourage people from using Vex in browser extensions.
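One way to locate the flagged assignments in a minified file and separate constant markup from dynamic values, as an added example that is not part of the original post and is neither Vex nor Mozilla validator code. The sample source, the function name, the column convention and the literal-versus-dynamic heuristic are all assumptions made for illustration.

```javascript
// Added example: triage innerHTML assignments in a (minified) script.
// SAMPLE is constructed for illustration; it is not Vex source code.
const SAMPLE = [
  '/* constructed sample, not Vex code */',
  'var a=document.createElement("div");a.innerHTML="<b>static</b>";' +
    'function f(e,t){e.innerHTML=t.message}' +
    'function g(e,t){e.innerHTML+="<p>"+t+"</p>"}',
].join('\n');

// Matches `.innerHTML =` and `.innerHTML +=`, but not `==` / `===` comparisons.
const ASSIGN = /\.innerHTML\s*\+?=(?!=)\s*/g;
// Right-hand side that is exactly one quoted literal followed by a statement end.
// Template literals and concatenations do not match, so they count as dynamic.
const LITERAL = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*(?:[;,)}]|$)/;

function findInnerHtmlAssignments(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(ASSIGN)) {
      const rhs = text.slice(m.index + m[0].length);
      findings.push({
        line: i + 1,
        column: m.index + 1, // assumed convention: 1-based column of ".innerHTML"
        dynamic: !LITERAL.test(rhs), // true = needs review for unsanitized input
        context: text.slice(Math.max(0, m.index - 20), m.index + 40),
      });
    }
  });
  return findings;
}

// Print one line per finding so each site can be reviewed by hand.
for (const f of findInnerHtmlAssignments(SAMPLE)) {
  console.log(`${f.line}:${f.column} ${f.dynamic ? 'DYNAMIC' : 'static'} ${f.context}`);
}
```

Sites reported as DYNAMIC are the ones to review: where the value is plain text, assigning it through `textContent` or building nodes with `createElement` avoids HTML parsing of the value entirely.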