I submitted a Firefox extension that uses innerHTML in content-script.js. The HTML content is hardcoded, with multiple levels of nested div and span tags, with id, class, ... attributes, and no script or a tags. The actual information is filled in by the code behind.
const myHtml = `..........`;
let elm = document.createElement('div');
elm.id = 'injectedWrapper';
elm.innerHTML = myHtml;
However, AMO still complains about innerHTML, even if it comes from a const:
Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized.
I read the guide, but as of now Firefox support still seems limited. I don't want to add extra JS because it's a content script, and worst of all it would be a lot of createElement calls; the whole thing makes no sense.
So is there any way to sanitize the HTML content to make Firefox happy?
P粉436410586 2023-09-09 23:13:31
Okay, I finally understand. This is an update for future reference.
The actual verification is done via addons-linter, which doesn't look smart enough to analyze the code.
This will fail:
const myHtml = '<div></div>';
elm.innerHTML = myHtml;
These will all work.
elm.innerHTML = '<div></div>';
elm.innerHTML = '<div>' + '</div>';
elm.innerHTML = `<div> </div>`;
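As an added example (not the poster's code, and not anything AMO or addons-linter ships), the following sketches the pattern the answer's finding implies for a content script: the hardcoded shell is assigned to innerHTML as an expression-free template literal at the assignment site, which is one of the forms the answer reports as accepted, and the values filled in afterwards go through textContent, which never parses its value as markup, so there is nothing left for a sanitizer to do. The field names, the data-field attribute convention and the doc parameter are assumptions for this example; unsafeMarkup and escapeHtml are included only to show what the linter's warning is actually about.

```javascript
// Added example, not the poster's code: the form addons-linter accepts for a
// hardcoded shell, and the data path that needs no HTML sanitizer at all.

// What the linter is warning about: a page-derived string interpolated into
// markup. Anything in data.title is parsed as HTML by the browser.
function unsafeMarkup(data) {
  return `<span class="card-title">${data.title}</span>`; // dynamic value: flagged
}

// If a string really must become markup, escape the five significant
// characters first. Shown only for contrast: the linter cannot see through
// the call, so it would still flag an innerHTML assignment of the result.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The approach that needs no sanitizer: write data into slots the shell
// already has, via textContent, which never parses its value as HTML.
// Slot names ("title", "body") and the data-field attribute are assumptions.
function fillFields(root, data) {
  for (const [name, value] of Object.entries(data)) {
    // Slot names are developer-controlled; reject anything that could break the selector.
    if (!/^[\w-]+$/.test(name)) throw new Error(`bad field name: ${name}`);
    const slot = root.querySelector(`[data-field="${name}"]`);
    if (!slot) throw new Error(`no slot for field: ${name}`);
    slot.textContent = String(value);
  }
  return root;
}

// Content-script entry point: one innerHTML assignment of a literal (no const,
// no ${} expressions), then textContent for everything that came from the
// page. `doc` is a parameter only so the function can run outside a browser.
function mountPanel(doc, data) {
  const wrapper = doc.createElement('div');
  wrapper.id = 'injectedWrapper';
  // Expression-free template literal assigned directly: the form the answer
  // reports the linter accepts. No page data is involved here.
  wrapper.innerHTML = `
<div class="card">
  <span class="card-title" data-field="title"></span>
  <div class="card-body"><span data-field="body"></span></div>
</div>`;
  fillFields(wrapper, data);
  doc.body.appendChild(wrapper);
  return wrapper;
}

// In the extension this would be called as:
//   mountPanel(document, { title: pageTitle, body: pageText });
```

The cost of this pattern is that the shell has to be a literal at the assignment site, so it cannot be shared through a const across files; the data path, however, is the one you would want regardless of the linter, because page-controlled strings never reach an HTML parser.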