"This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk."
There are several places where I assign strings to innerHTML.
They recommended assigning to textContent instead, because it does not pass the input string as HTML.
The AMO reviewer pointed out the following:
"This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk."
There are several places where I assign strings to innerHTML.
They recommended assigning to textContent instead, because it does not parse the input string as HTML.
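The difference the reviewer describes, shown as an added example that is not the add-on's own code: the flagged pattern next to a version that builds the node and assigns untrusted text to textContent. The `entry` object, its `title` and `url` fields, and all function names are hypothetical; the URL scheme check goes one step beyond the reviewer's note, because textContent does not cover attribute values.

```javascript
// Added example; entry.title and entry.url stand for untrusted strings
// (hypothetical fields, not taken from the add-on).

// Before: the pattern the reviewer flagged. Whatever markup is in
// entry.title or entry.url is parsed as HTML by the innerHTML setter.
function renderUnsafe(container, entry) {
  container.innerHTML =
    '<a href="' + entry.url + '">' + entry.title + '</a>';
}

// textContent only protects text nodes, so an untrusted URL placed in
// href is checked separately: absolute http(s) URLs only.
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null; // not an absolute URL
  }
}

// After: create the element and assign the untrusted string to
// textContent, which stores it as a text node without parsing it.
// `doc` is the page's document object, passed in explicitly.
function renderSafe(doc, container, entry) {
  // Clear previous children without touching innerHTML.
  while (container.firstChild) container.removeChild(container.firstChild);

  const href = safeHref(entry.url);
  const node = doc.createElement(href ? 'a' : 'span');
  if (href) node.setAttribute('href', href);
  node.textContent = entry.title;
  container.appendChild(node);
  return node;
}
```

In a page or add-on panel this would be called as `renderSafe(document, someElement, entry)`.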