mikehardy / thunderlink

Link to your Thunderbird emails!
Mozilla Public License 2.0

AMO Review: Sanitize String Data #5

Closed mikehardy closed 5 years ago

mikehardy commented 6 years ago

Respond to this review from AMO:

1) Generating script fragments such as event listener attributes from unsanitized string data is error prone and poses a major risk of security vulnerabilities. For more information, please see https://developer.mozilla.org/en-US/docs/XUL/School_tutorial/DOM_Building_and_HTML_Insertion#listeners

mikehardy commented 5 years ago

I have audited the code and I don't believe we are using user input for any listener or script construction. We interpolate our 1-8 custom string counter into listener values in at least one place but that's it.
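The reviewer's point in the first comment (a listener generated as script text from string data) and the counter interpolation mentioned in the reply, illustrated together in an added example that is not thunderlink's code and not part of this thread. It assumes a hypothetical `openThunderlink(id)` action, and the element class is a stand-in so the file runs under Node without a DOM; the `1..8` range in `isAllowedCounter` comes from the reply above.

```javascript
// Added example, not thunderlink's own code. Contrasts a listener built as
// script text from a string (the pattern the AMO review flags) with a
// listener attached as a closure. openThunderlink is a hypothetical action.
class FakeElement {
  constructor() { this.attributes = {}; this.listeners = {}; }
  setAttribute(name, value) { this.attributes[name] = value; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  // Mimics the browser: an on* attribute is compiled from its string value,
  // while a listener registered with addEventListener is simply called.
  dispatch(type, scope) {
    const attr = this.attributes["on" + type];
    if (attr !== undefined) {
      new Function(...Object.keys(scope), attr)(...Object.values(scope));
    }
    for (const fn of this.listeners[type] || []) fn();
  }
}

// Flagged pattern: the id becomes part of the program text, so any quote,
// parenthesis or semicolon in it changes what the handler does.
function attachViaScriptAttribute(el, linkId) {
  el.setAttribute("oncommand", `openThunderlink('${linkId}')`);
}

// Hardened pattern: the id stays data captured by a closure; nothing is parsed.
function attachViaListener(el, linkId, openThunderlink) {
  el.addEventListener("command", () => openThunderlink(linkId));
}

// Runs one attach style end to end and reports what the action received.
// Returns { ok: true, received } or { ok: false, error } if the handler
// cannot even be compiled.
function exercise(attach, linkId) {
  const received = [];
  const openThunderlink = (id) => received.push(id);
  const el = new FakeElement();
  try {
    attach(el, linkId, openThunderlink);
    el.dispatch("command", { openThunderlink });
    return { ok: true, received };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// The value thunderlink interpolates is a counter in 1..8. Where a number
// must go into an attribute, validate it is exactly that instead of escaping.
function isAllowedCounter(value) {
  return Number.isInteger(value) && value >= 1 && value <= 8;
}

// Demo: an ordinary id works either way; an id containing a quote breaks the
// generated script but is plain data to the closure.
for (const id of ["msg-17", "O'Brien"]) {
  console.log(id, "attribute:", exercise(attachViaScriptAttribute, id));
  console.log(id, "listener: ", exercise(attachViaListener, id));
}
```

The apostrophe case is the mild end of the same problem: a value that merely breaks the handler today is a value whose content is being parsed as code, which is exactly the condition the review asks to avoid. Keeping the value out of the script text removes the need for sanitization rather than doing it better.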