Now would be a great time to file good first bugs. New contributors could rewrite innerHTML and friends into code that uses safer alternatives.
On 02.02.2018 08:13, Kris Maglione wrote:
> As of bug 1432966, any HTML injected into chrome-privileged documents[1]
> is automatically sanitized to remove any possibility of script
> execution. The sanitization is whitelist-based, and only allows a
> limited set of HTML elements and attributes. All scripts, XUL nodes, or
> privileged URLs will automatically be removed. This change has been
> uplifted all the way to 58 release.
>
> If you're thinking about writing new code that injects HTML strings into
> chrome-privileged documents, please think again. Unless it's extremely
> simple, it probably won't be compatible with these changes (and will
> also be rejected by our default ESLint rules).
>
> Existing HTML injection in chrome documents is being gradually removed.
> Once that's done, the sanitization may be replaced with an outright
> prohibition.
>
>
> -Kris
>
> [1]: Using the usual HTML fragment creation methods such as `innerHTML`,
> `outerHTML`, `insertAdjacentHTML`, and `createContextualFragment`. Not,
> notably, when using document.write().
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
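
The kind of rewrite suggested at the top of this thread, as an added example that is not part of either message and is not Mozilla code: an `innerHTML` assignment replaced with explicit node construction, so untrusted strings are only ever treated as text. The function names, the `notice` fields and the https-only link policy are assumptions made for illustration.

```javascript
// Added example; renderUpdateNotice, safeHref and the notice fields are hypothetical.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Assumed policy for this example: links may only point at https: URLs.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Before: every field of `notice` is parsed as markup.
//   container.innerHTML = "<p>" + notice.text +
//     " <a href='" + notice.url + "'>" + notice.linkLabel + "</a></p>";

// Return a normalized URL string, or null if it does not parse or its
// scheme is not on the allowlist (javascript:, chrome:, data:, ...).
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// After: the structure is fixed in code and strings become text nodes or
// attribute values, so no HTML parser ever sees them.
function renderUpdateNotice(doc, container, notice) {
  // createElementNS with the XHTML namespace yields HTML elements whether
  // the owning document is HTML or XUL.
  const p = doc.createElementNS(XHTML_NS, "p");
  p.appendChild(doc.createTextNode(notice.text + " "));

  const href = safeHref(notice.url);
  if (href !== null) {
    const a = doc.createElementNS(XHTML_NS, "a");
    a.setAttribute("href", href);
    a.textContent = notice.linkLabel; // rendered literally, never parsed
    p.appendChild(a);
  }

  container.textContent = ""; // drop previous children
  container.appendChild(p);
  return p;
}
```
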