Closed erikvold closed 10 years ago
I have a tiny, non-innerHTML js template library that we could use instead, called html
We can start by using the escaped version, <%- %>
We should have been doing that from the beginning, and Underscore actually has some of the best escaping. We could also do some escaping when we retrieve the metadata, to prevent gathering it at all. Again, I'm worried that doing jQuery-style DOM creation is going to make it harder for others to contribute.
We were rejected because of this:

"Your add-on creates DOM nodes from HTML strings containing unsanitized data, by assigning to innerHTML or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion

This includes the use of <%= escapes in your underscore templates."

So we need to replace the current template system.