mozilla / voicefill

A WebExtension To Add Speech To Text Support to Web Pages
Mozilla Public License 2.0

DOMSantize error message and add support to https://encrypted.google.com/ #258

Closed andrenatal closed 6 years ago

andrenatal commented 6 years ago

@g-k r?

andrenatal commented 6 years ago

Yep, we inject only text!!

On Tue, Mar 20, 2018, 2:28 PM Greg Guthe notifications@github.com wrote:

@g-k commented on this pull request.

In extension/content.js https://github.com/mozilla/speaktome/pull/258#discussion_r175928461:

   } else {

errorMsg = "Sorry, we encountered an error"; } loadAnimation(ERROR_ANIMATION, false); const copy = document.getElementById("stm-content");

  • copy.innerHTML = <div id="stm-listening-text">${errorMsg}</div>
  • const error = DOMPurify.sanitize(errorMsg);
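Review bot: On the DOMPurify.sanitize(errorMsg) line, the message in the visible branch is a fixed string ("Sorry, we encountered an error"), so an HTML sanitizer is more than this path needs. If every errorMsg value is plain text, create the stm-listening-text div with document.createElement, set its textContent, and append it to copy, which removes the innerHTML sink altogether. If innerHTML stays, check that the value placed into the template is error and not errorMsg; the lines shown here do not include that assignment.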

Thanks @Rob--W https://github.com/rob--w good points!

@andrenatal https://github.com/andrenatal If we only insert text and don't need to inject HTML, then we can switch the places we're using DOMPurify to escape their input instead and use DOM APIs like textContent https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent instead of innerHTML. Let me know if that's the case and I'll make an issue and try to get around to patching it sooner than later.

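The switch suggested in the last comment (text-only insertion through textContent, with escaping as the fallback when a string must go into markup), as an added example that is not code from voicefill or from anyone in this thread. The function names and the `doc` parameter are assumptions; the two element ids are the ones in the quoted diff.

```javascript
// Added example, not voicefill code. showErrorText, escapeHTML and the `doc`
// parameter are hypothetical; the two element ids come from the quoted diff.

// Preferred: build the node and assign textContent. The message is stored as a
// text node and is never handed to the HTML parser, so markup in it stays inert.
function showErrorText(doc, errorMsg) {
  const copy = doc.getElementById("stm-content");
  if (!copy) return null;                 // panel not injected on this page
  const div = doc.createElement("div");
  div.id = "stm-listening-text";
  div.textContent = String(errorMsg);
  copy.textContent = "";                  // drop whatever was shown before
  copy.appendChild(div);
  return div;
}

// Where a string still has to be placed inside an HTML template, escape the
// characters that can open a tag, an entity or an attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: a message that happens to contain markup.
const SAMPLE_MSG = '<b onclick="x">hi</b> & more';
// escapeHTML(SAMPLE_MSG) === '&lt;b onclick=&quot;x&quot;&gt;hi&lt;/b&gt; &amp; more'

// In a content script: showErrorText(document, errorMsg);
```

With the textContent path the page shows the message characters literally, so no sanitizer or escaping step is needed for it.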