Hi all,
this is, in fact, no news at all, but I just felt the urge to reiterate
the issue of innerHTML [1]:
Our team (security assurance) has recently performed security reviews of
all Gaia apps and went through a lot of JavaScript files that used
innerHTML to render text.
As of writing this text, gaia-master from GitHub still contains hundreds
of innerHTML assignments [2].
While this is a huge performance loss [3] for all users, it also means
extra work for us:
We have to check all the innerHTML assignments to see if the right-hand
value might be influenced by user-supplied data. If this is the case, an
attacker might use this to XSS or DoS a user's phone.
To help remedy this state, I want to advocate the use of my tiny
html2dom [4] code snippet: The demo will show you how to convert an HTML
snippet into JavaScript code that uses DOM methods like createElement
and setAttribute. You can then use this generated code to replace your
current innerHTML assignments manually [5].
tl;dr innerHTML is still slow and makes security reviews harder for us.
Please use DOM methods like document.createElement(). My tool might help
you [4]. Track your efforts as blockers against this bug [5].
Cheers,
Frederik
[1] Numerous people already mentioned this on the list. Thank you :)
[2] I used grep to search, counting 549 occurrences (271 without tests)
e.g., grep -rn innerHTML . | grep '\.js:' | egrep -v --count 'test'
[3] <http://jsperf.com/innerhtml-vs-appendchild-one> and
<http://jsperf.com/innerhtml-v-dom/4>
[4] Demo at http://freddyb.github.io/html2dom/ - click on Tutorial.
[5] Please use this bug
<https://bugzilla.mozilla.org/show_bug.cgi?id=832930> if you want to
join the effort of tracking and removing undesired instances of innerHTML
assignments.
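
Added example (not part of the original post, and not the html2dom tool): a small Node.js triage script for the review task described above, separating innerHTML assignments whose right-hand side is built only from string literals from those that need a manual look. The function names and the sample input are constructed for illustration.

```javascript
// Added example: heuristic triage, not a JS parser (comments/regex literals are not understood).

// Read the right-hand side starting at `start`: stop at a `;` or an unmatched
// closing bracket that sits outside any string literal.
function readExpression(src, start) {
  let depth = 0, quote = null;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) { if (depth-- === 0) return src.slice(start, i).trim(); }
    else if (c === ';' && depth === 0) return src.slice(start, i).trim();
  }
  return src.slice(start).trim();
}

// "constant" means: only quoted literals joined by `+`. Template literals that
// contain `$` are never treated as constant, so `${...}` always goes to review.
const STRING = /'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*"|`(?:[^`\\$]|\\.)*`/g;
function isConstant(rhs) {
  return rhs !== '' && /^[\s+]*$/.test(rhs.replace(STRING, ''));
}

function triageInnerHTML(src) {
  const assign = /\.innerHTML\s*(\+?=)(?!=)/g;   // `=` or `+=`, never `==`/`===`
  const findings = [];
  let m;
  while ((m = assign.exec(src)) !== null) {
    const rhs = readExpression(src, assign.lastIndex);
    const line = src.slice(0, m.index).split('\n').length;
    findings.push({ line, op: m[1], verdict: isConstant(rhs) ? 'constant' : 'review', rhs });
  }
  return findings;
}

// Constructed sample input; the variable names are hypothetical.
const SAMPLE = [
  "list.innerHTML = '';",
  "title.innerHTML = '<h1>' + contact.name + '</h1>';",
  "footer.innerHTML = '<p>Settings</p>' +",
  "  '<p>About</p>';",
  "if (node.innerHTML === '') return;",
  "body.innerHTML += `<li>${message.text}</li>`;",
].join('\n');

for (const f of triageInnerHTML(SAMPLE)) console.log(`${f.line}: ${f.verdict}  ${f.rhs}`);
```

Entries marked review are where the manual check for user-supplied data starts; the comparison on line 5 of the sample is skipped because it is not an assignment.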