Open nileshtrivedi opened 4 years ago
```javascript
// Use the browser's built-in functionality to quickly and safely escape
// the string
function escapeHtml(str) {
  var div = document.createElement('div');
  div.appendChild(document.createTextNode(str));
  return div.innerHTML;
}
```
This seems like a decent approach: http://shebang.mintern.net/foolproof-html-escaping-in-javascript/
Reopened as Firefox Store complains about the Function constructor and unsafe assignment to innerHTML.
Hmm, the innerHTML is actually a safe assignment since we're escaping all the variables. It's probably giving a warning because it's detecting a function instead of a string.
I'll check if there's a better approach to do things to get rid of these warnings.
BTW can we force publish even with these warnings? 🙈
Yes, Mozilla has approved the add-on in its current form. I had written a note about why our implementation is actually safe.
Inside the popup, we want to give an explanation, as well as the names and links of 1 or more alternatives. The current solution is to replace innerHTML, but that can enable XSS attacks. Need to think of and implement a better approach.
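The approach the thread is looking for, as an added example that is not the add-on's own code: build the popup from DOM nodes so that alternative names only ever become text nodes, and gate the link targets to http(s) URLs, which removes the innerHTML assignment the store linter flags. The `renderPopup`, `safeHref` and `escapeHtml` names and the `{name, url}` record shape are assumptions.

```javascript
// Escape map for the rare place where a string must be assembled by hand
// (text content and double-quoted attribute values); DOM building below
// does not need it at all.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only http(s) targets so a non-http scheme in the data file can
// never become a clickable script; returns null for anything else.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Render the explanation plus the list of alternatives into `container`
// (a DOM element). `alternatives` is an array of { name, url } records,
// assumed shape. Untrusted strings go through textContent / href only.
function renderPopup(container, explanation, alternatives) {
  const doc = container.ownerDocument;
  container.replaceChildren();
  const p = doc.createElement('p');
  p.textContent = explanation;            // text node: markup stays inert
  container.appendChild(p);
  const ul = doc.createElement('ul');
  for (const alt of alternatives) {
    const li = doc.createElement('li');
    const href = safeHref(alt.url);
    if (href) {
      const a = doc.createElement('a');
      a.href = href;                        // already validated above
      a.textContent = alt.name;
      a.rel = 'noopener noreferrer';
      li.appendChild(a);
    } else {
      li.textContent = alt.name;            // rejected URL: name without link
    }
    ul.appendChild(li);
  }
  container.appendChild(ul);
  return container;
}
```

`renderPopup` needs a real document, so it only runs in the extension popup; the two helpers are pure and can be unit-tested anywhere.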