Hi,

While I fully agree with you about the security problems of innerHTML, I'm very surprised by the performance issues. It is widely assumed that innerHTML (and its little brother insertAdjacentHTML) is a lot faster than traditional DOM methods. And it makes me sad.
Also, your jsperf 3rd testcase fails and I don't really understand why... I'd love to check the differences between your testcases :)

-- Julien

On 08/04/2013 14:14, Frederik Braun wrote:
> Hi all,
>
> this is -in fact- no news at all, but I just felt the urge to re-iterate
> on the issue of innerHTML [1]:
> Our team (security assurance) has recently performed security reviews of
> all Gaia apps and went through a lot of JavaScript files that used
> innerHTML to render text.
> As of writing this text, gaia-master from github still contains hundreds
> of innerHTML assignments [2].
>
> While this is a huge performance loss [3] for all users, it also means
> extra work for us:
> We have to check all the innerHTML assignments to see if the right-hand
> value might be influenced by user supplied data. If this is the case, an
> attacker might use this to XSS or DoS a user's phone.
>
> To help remedy this state, I want to advocate the use of my tiny
> html2dom [4] code snippet: The demo will show you how to convert an HTML
> snippet into JavaScript code that uses DOM methods like createElement
> and setAttribute. You can then use this generated code to replace your
> current innerHTML assignments manually [5].
>
>
> tl;dr innerHTML is still slow and makes security reviews harder for us.
> Please use DOM methods like document.createElement(). My tool might help
> you [4]. Track your efforts as blockers against this bug [5].
>
>
>
> Cheers,
> Frederik
>
>
> [1] Numerous people already mentioned this on the list. Thank you :)
> [2] I used grep to search, counting 549 occurrences (271 without tests)
> e.g., grep -rn innerHTML . | grep '\.js:' | egrep -v --count 'test'
> [3] <http://jsperf.com/innerhtml-vs-appendchild-one> and
> <http://jsperf.com/innerhtml-v-dom/4>
> [4] Demo at http://freddyb.github.io/html2dom/ - click on Tutorial.
> [5] Please use this bug
> <https://bugzilla.mozilla.org/show_bug.cgi?id=832930> if you want to
> join the effort of tracking and removing undesired instances of innerHTML
> assignments.
> _______________________________________________
> dev-gaia mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-gaia
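Added example, not part of the thread and not Frederik's html2dom: a minimal generator of the kind his message describes, which takes a static HTML snippet and emits JavaScript that rebuilds the same tree with createElement, setAttribute and createTextNode. Once a template is rendered this way, a dynamic value (a contact name, a message body) can only be passed to createTextNode or setAttribute, which is what makes the right-hand side of each former innerHTML assignment easy to review. The supported subset (elements, double-quoted attributes, text, a few entities) is an assumption chosen to cover typical small templates.

```javascript
// Added example (my own code, not the html2dom project): a minimal
// html2dom-style generator. Input: a trusted, static HTML snippet.
// Output: JavaScript source that builds the same tree with DOM methods.
// Limitations (assumed acceptable for small templates): double-quoted
// attributes only, no '>' inside attribute values, a short entity table.
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'meta', 'link']);
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ENTITIES[e]);
}

function html2dom(html, root = 'frag') {
  const out = [`const ${root} = document.createDocumentFragment();`];
  const stack = [root];          // currently open elements, by variable name
  let n = 0;                     // suffix that keeps generated names unique
  // Either a tag (closing? name attrs self-closing?) or a run of text.
  const tokenRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*?)(\/?)>|([^<]+)/g;
  for (let m; (m = tokenRe.exec(html)) !== null;) {
    const [, closing, rawTag, attrs, selfClose, text] = m;
    const parent = stack[stack.length - 1];
    if (text !== undefined) {
      if (text.trim() !== '') {  // drop indentation-only whitespace
        out.push(`${parent}.appendChild(document.createTextNode(${JSON.stringify(decodeEntities(text))}));`);
      }
      continue;
    }
    const tag = rawTag.toLowerCase();
    if (closing) {
      if (stack.length > 1) stack.pop();
      continue;
    }
    const v = `${tag}${n++}`;
    out.push(`const ${v} = document.createElement(${JSON.stringify(tag)});`);
    // Attribute values are emitted as string literals, never as markup.
    for (const a of attrs.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      out.push(`${v}.setAttribute(${JSON.stringify(a[1])}, ${JSON.stringify(decodeEntities(a[2]))});`);
    }
    out.push(`${parent}.appendChild(${v});`);
    if (!selfClose && !VOID_TAGS.has(tag)) stack.push(v);
  }
  return out.join('\n');
}

// Constructed sample template; in the generated code the name text would
// then be replaced by createTextNode(contact.name) for the dynamic case.
const SAMPLE = '<div class="card"><a href="/u?id=1">Alice &amp; Bob</a><br/></div>';
```

Running `html2dom(SAMPLE)` yields ten lines of createElement/setAttribute/appendChild calls and no innerHTML; the emitted code can then be pasted in place of the original assignment, as the message suggests.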
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
